
Author Topic: NRS v1.4.16  (Read 12127 times)

Jean-Luc

  • Core Dev
NRS v1.4.16
« on: February 24, 2015, 11:27:35 pm »

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Release 1.4.16

https://bitbucket.org/JeanLucPicard/nxt/downloads/nxt-client-1.4.16.zip

sha256:

6ef76c029d96b9c689298ba1c43f561417779ac6796f94ebdff6b10a93ff871b  nxt-client-1.4.16.zip


Change log:

Updated jetty to version 9.2.9 due to a critical security bug:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html

There are no code changes, only the jetty libraries have been updated.
Delete the old lib folder before unpacking on top of a previous installation.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----
GPG key fingerprint: 263A 9EB0 29CF C77A 3D06  FD13 811D 6940 E1E4 240C
NXT-X4LF-9A4G-WN9Z-2R322

msin

Re: NRS v1.4.16
« Reply #1 on: February 24, 2015, 11:36:38 pm »

Thanks JL.

TheCoinWizard

Re: NRS v1.4.16
« Reply #2 on: February 25, 2015, 12:24:33 am »

Welcome to the After Nxt Calendar era...
Which started in the year 222 of the French Republic, Frost month, on the fifth day of the first week, better known as the 2456621th Julian day,
even better known as 24 November 2013 at 12:00:00 UTC.

EvilDave

Re: NRS v1.4.16
« Reply #3 on: February 25, 2015, 01:29:44 am »

Updated NRS like a rat up a drainpipe....pay close attention to the words 'critical' , 'security' and 'bug', guys.
Thanks to J-L.... 8)
Nulli Dei, nulli Reges, solum NXT
NXT Donations: NXT-BNZB-9V8M-XRPW-3S3WD
We will ride eternal, shiny and chrome!

madmartyk

Re: NRS v1.4.16
« Reply #4 on: February 25, 2015, 02:19:29 am »

Thanks!!!
Support Crypto for Kids!!!  www.cryptoforkids.com

Jean-Luc

  • Core Dev
Re: NRS v1.4.16
« Reply #5 on: February 25, 2015, 06:42:29 pm »

More about the jetty vulnerability:

http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

If you run a node with the API open to the public, and also use it for sending transactions or forging, there is a risk that an attacker can retrieve your password that you submitted with a previous http request. Not sure if this also applies when only the peer port is open, as it is served by a different jetty servlet server, but if those leaking byte buffers are global, it would be possible and would be really bad.
The bug is present in jetty versions from 9.2.3 to 9.2.8, so all NRS 1.4.x versions before 1.4.16 are affected.
GPG key fingerprint: 263A 9EB0 29CF C77A 3D06  FD13 811D 6940 E1E4 240C
NXT-X4LF-9A4G-WN9Z-2R322

abctc

Re: NRS v1.4.16
« Reply #6 on: February 25, 2015, 06:53:58 pm »

Thank you so much, Jean-Luc!
Welcome to the Nxt generation of crypto!   Magis quam Moneta (More than a Coin)
"Do not worry, it is an attack" (c) Jean-Luc

theironman

Re: NRS v1.4.16
« Reply #7 on: February 25, 2015, 08:11:31 pm »

Jean-Luc is awesome!
NXTdrop - World´s 1st decentralized oil painting available in Asset Exchange Id: 2751500054965016187

ps. https://nxtforum.org/trading-exchanges/selling-original-oil-paintings-for-nxt/

Eadeqa

Re: NRS v1.4.16
« Reply #8 on: February 25, 2015, 08:25:28 pm »

Quote from: Jean-Luc
> More about the jetty vulnerability:
>
> http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
>
> If you run a node with the API open to the public, and also use it for sending transactions or forging, there is a risk that an attacker can retrieve your password that you submitted with a previous http request. Not sure if this also applies when only the peer port is open, as it is served by a different jetty servlet server, but if those leaking byte buffers are global, it would be possible and would be really bad.
> The bug is present in jetty versions from 9.2.3 to 9.2.8, so all NRS 1.4.x versions before 1.4.16 are affected.

As far as I know, Nxt javascript client never sends the password to the server if it's not talking to a local host. That makes this bug less critical for almost all nxt users (for example SAE site should still be safe)


NXT-GZYP-FMRT-FQ9K-3YQGS

Riker

  • Core Dev
Re: NRS v1.4.16
« Reply #9 on: February 25, 2015, 09:01:56 pm »

Quote from: Eadeqa
> Quote from: Jean-Luc
> > More about the jetty vulnerability:
> >
> > http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
> >
> > If you run a node with the API open to the public, and also use it for sending transactions or forging, there is a risk that an attacker can retrieve your password that you submitted with a previous http request. Not sure if this also applies when only the peer port is open, as it is served by a different jetty servlet server, but if those leaking byte buffers are global, it would be possible and would be really bad.
> > The bug is present in jetty versions from 9.2.3 to 9.2.8, so all NRS 1.4.x versions before 1.4.16 are affected.
>
> As far as I know, Nxt javascript client never sends the password to the server if it's not talking to a local host. That makes this bug less critical for almost all nxt users (for example SAE site should still be safe)

It does when you start forging
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

Eadeqa

Re: NRS v1.4.16
« Reply #10 on: February 25, 2015, 09:05:16 pm »

Quote from: Riker
> Quote from: Eadeqa
> > Quote from: Jean-Luc
> > > More about the jetty vulnerability:
> > >
> > > http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
> > >
> > > If you run a node with the API open to the public, and also use it for sending transactions or forging, there is a risk that an attacker can retrieve your password that you submitted with a previous http request. Not sure if this also applies when only the peer port is open, as it is served by a different jetty servlet server, but if those leaking byte buffers are global, it would be possible and would be really bad.
> > > The bug is present in jetty versions from 9.2.3 to 9.2.8, so all NRS 1.4.x versions before 1.4.16 are affected.
> >
> > As far as I know, Nxt javascript client never sends the password to the server if it's not talking to a local host. That makes this bug less critical for almost all nxt users (for example SAE site should still be safe)
>
> It does when you start forging

The client doesn't allow you to forge if you are connected to a public node. You can't forge when you are using the SAE site
NXT-GZYP-FMRT-FQ9K-3YQGS

Cyberian Forest

Re: NRS v1.4.16
« Reply #11 on: February 25, 2015, 09:28:56 pm »


Quote from: Jean-Luc
> If you run a node with the API open to the public, and also use it for sending transactions or forging, there is a risk that an attacker can retrieve your password that you submitted with a previous http request. Not sure if this also applies when only the peer port is open, as it is served by a different jetty servlet server, but if those leaking byte buffers are global, it would be possible and would be really bad.
> The bug is present in jetty versions from 9.2.3 to 9.2.8, so all NRS 1.4.x versions before 1.4.16 are affected.

I'm not at my wallet machine to check the libraries, but, do you know if this vuln would affect NXT-clones HZ and BURST? I am not sure how similar the builds are to NRS but I would imagine pretty close to identical code wise.

Riker

  • Core Dev
Re: NRS v1.4.16
« Reply #12 on: February 25, 2015, 09:31:07 pm »

Quote from: Eadeqa
> The client doesn't allow you to forge if you are connected to a public node.

In fact, when you are connected to a remote node, the browser does not show your forging status but it does allow you to start forging by sending your passphrase to the server, give it a try.
You can also use the getForging API from the test page to convince yourself that forging actually started.
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

Riker

  • Core Dev
Re: NRS v1.4.16
« Reply #13 on: February 25, 2015, 09:35:48 pm »


Quote from: Cyberian Forest
> Quote from: Jean-Luc
> > If you run a node with the API open to the public, and also use it for sending transactions or forging, there is a risk that an attacker can retrieve your password that you submitted with a previous http request. Not sure if this also applies when only the peer port is open, as it is served by a different jetty servlet server, but if those leaking byte buffers are global, it would be possible and would be really bad.
> > The bug is present in jetty versions from 9.2.3 to 9.2.8, so all NRS 1.4.x versions before 1.4.16 are affected.
>
> I'm not at my wallet machine to check the libraries, but, do you know if this vuln would affect NXT-clones HZ and BURST? I am not sure how similar the builds are to NRS but I would imagine pretty close to identical code wise.

It depends on which version of Jetty they are using, this vulnerability affects versions 9.2.3 to 9.2.8
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651
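
Added example (not part of the original thread and not code from the Nxt project): the library check discussed above, as a shell script that reads the Jetty jar names in a node's lib folder and flags any version in the 9.2.3 to 9.2.8 range. The jar naming pattern and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Nxt project.
# Assumption: Jetty jars are named jetty-<module>-<version>.jar, with a version
# such as 9.2.7.v20150116 (a constructed sample name).

# jetty_version_affected VERSION
# Exit 0 if VERSION is in 9.2.3 .. 9.2.8 (the range stated in the thread),
# 1 if it is outside that range, 2 if it cannot be parsed.
jetty_version_affected() {
    ver=${1%%.v*}                      # drop a ".v<date>" build suffix
    old_ifs=$IFS; IFS=.
    set -- $ver                        # split into major minor patch
    IFS=$old_ifs
    [ $# -ge 3 ] || return 2
    for part in "$1" "$2" "$3"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$1" -eq 9 ] && [ "$2" -eq 2 ] && [ "$3" -ge 3 ] && [ "$3" -le 8 ]
}

# scan_lib DIR
# Print one line per Jetty jar in DIR and exit 1 if any is in the affected range.
# More than one distinct Jetty version is also reported; with versioned jar
# names (assumed) that is the result of unpacking a release over an old lib.
scan_lib() {
    found=0; versions=""
    for jar in "$1"/jetty-*.jar; do
        [ -e "$jar" ] || continue      # glob matched nothing
        name=${jar##*/}
        v=${name%.jar}; v=${v##*-}     # jetty-server-9.2.7.v... -> 9.2.7.v...
        rc=0; jetty_version_affected "$v" || rc=$?
        case $rc in
            0) echo "AFFECTED $name"; found=1 ;;
            1) echo "ok       $name" ;;
            *) echo "unknown  $name" ;;
        esac
        case " $versions " in *" $v "*) ;; *) versions="$versions $v" ;; esac
    done
    set -- $versions
    [ $# -le 1 ] || echo "MIXED    $# Jetty versions present:$versions"
    return $found
}

# Usage: sh check_jetty.sh /path/to/node/lib
if [ -n "${1:-}" ]; then scan_lib "$1"; fi
```

The exit status makes the script usable in a deployment check: non-zero means at least one jar in the affected range is still on disk.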

Eadeqa

Re: NRS v1.4.16
« Reply #14 on: February 25, 2015, 09:47:37 pm »


Quote from: Riker
> In fact, when you are connected to a remote node, the browser does not show your forging status but it does allow you to start forging by sending your passphrase to the server, give it a try.

SAE doesn't even show a link that a user can click to forge. That is good enough to protect most users. I doubt anyone is forging by sending passphrases to public nodes, which would be bad anyway as the public node can steal your password even if there is no bug.

I am sure it's good that this is fixed, but it isn't critical for Nxt users.

« Last Edit: February 25, 2015, 10:02:26 pm by Eadeqa »
NXT-GZYP-FMRT-FQ9K-3YQGS

MrV777

Re: NRS v1.4.16
« Reply #15 on: February 26, 2015, 03:22:29 pm »

Quote from: Jean-Luc
> Delete the old lib folder before unpacking on top of a previous installation.

Will the update system for the MAC client automatically do this when it updates?

Thanks!
NXT: NXT-BK2J-ZMY4-93UY-8EM9V
NXT nodes: 209.222.98.250, 216.155.128.10

Ludom

Re: NRS v1.4.16
« Reply #16 on: February 26, 2015, 05:35:55 pm »

Thanks !!!
Support us to publish "The first book about Nxt"

martismartis

Re: NRS v1.4.16
« Reply #17 on: February 27, 2015, 10:59:33 am »

I exited NRS with ctrl^C, restarted the PC, ran NRS and got an error:

Code:
2015-02-27 12:54:07 INFO: nxt.peerServerDoSFilter.maxRequestMs = "300000"
2015-02-27 12:54:11 SEVERE: org.h2.jdbc.JdbcSQLException: IO Exception: "java.io.IOException: Input/output error"; "/home/martis/nxt/nxt_db/nxt.h2.db" [90031-176]
org.h2.jdbc.JdbcSQLException: IO Exception: "java.io.IOException: Input/output error"; "/home/martis/nxt/nxt_db/nxt.h2.db" [90031-176]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:344)
at org.h2.message.DbException.get(DbException.java:167)
at org.h2.message.DbException.convertIOException(DbException.java:329)
at org.h2.store.FileStore.write(FileStore.java:332)
at org.h2.store.PageStore.writePage(PageStore.java:1369)
at org.h2.store.PageStore.free(PageStore.java:1260)
at org.h2.store.PageLog.recover(PageLog.java:406)
at org.h2.store.PageStore.recover(PageStore.java:1407)
at org.h2.store.PageStore.openExisting(PageStore.java:368)
at org.h2.store.PageStore.open(PageStore.java:289)
at org.h2.engine.Database.getPageStore(Database.java:2366)
at org.h2.engine.Database.open(Database.java:657)
at org.h2.engine.Database.openDatabase(Database.java:260)
at org.h2.engine.Database.<init>(Database.java:254)
at org.h2.engine.Engine.openSession(Engine.java:57)
at org.h2.engine.Engine.openSession(Engine.java:164)
at org.h2.engine.Engine.createSessionAndValidate(Engine.java:142)
at org.h2.engine.Engine.createSession(Engine.java:125)
at org.h2.engine.Engine.createSession(Engine.java:27)
at org.h2.engine.SessionRemote.connectEmbeddedOrServer(SessionRemote.java:331)
at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:107)
at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:91)
at org.h2.Driver.connect(Driver.java:74)
at org.h2.jdbcx.JdbcDataSource.getJdbcConnection(JdbcDataSource.java:191)
at org.h2.jdbcx.JdbcDataSource.getXAConnection(JdbcDataSource.java:354)
at org.h2.jdbcx.JdbcDataSource.getPooledConnection(JdbcDataSource.java:386)
at org.h2.jdbcx.JdbcConnectionPool.getConnectionNow(JdbcConnectionPool.java:228)
at org.h2.jdbcx.JdbcConnectionPool.getConnection(JdbcConnectionPool.java:200)
at nxt.db.BasicDb.shutdown(BasicDb.java:85)
at nxt.Db.shutdown(Db.java:33)
at nxt.Nxt.shutdown(Nxt.java:172)
at nxt.Nxt$1.run(Nxt.java:148)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Input/output error
at java.io.RandomAccessFile.writeBytes(Native Method)
at java.io.RandomAccessFile.write(RandomAccessFile.java:508)
at org.h2.store.fs.FileDisk.write(FilePathDisk.java:468)
at org.h2.store.fs.FileUtils.writeFully(FileUtils.java:361)
at org.h2.store.FileStore.write(FileStore.java:329)
... 29 more
2015-02-27 12:54:11 INFO: Nxt server 1.4.16 stopped.

Before restart everything was OK. Client Supernet, Ubuntu 32 bit. I have this problem not the first time.

Riker

  • Core Dev
Re: NRS v1.4.16
« Reply #18 on: February 27, 2015, 09:15:10 pm »

Quote from: martismartis
> Before restart everything was OK. Client Supernet, Ubuntu 32 bit. I have this problem not the first time.

From the stack trace it looks like a file system problem where information cannot be written to the database file.
Do you keep the database folder under the NXT folder or somewhere remotely ?
Your disk is full ?
Anything special about your environment ?

NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

martismartis

Re: NRS v1.4.16
« Reply #19 on: February 27, 2015, 09:22:02 pm »

Quote from: Riker
> Quote from: martismartis
> > Before restart everything was OK. Client Supernet, Ubuntu 32 bit. I have this problem not the first time.
>
> From the stack trace it looks like a file system problem where information cannot be written to the database file.
> Do you keep the database folder under the NXT folder or somewhere remotely ?
> Your disk is full ?
> Anything special about your environment ?

No, database is in NRS directory, standard.
Disk is not full, having installed NRS with up to date database, 3,5 GB free.
Nothing special.

Sometimes I shut down and then restart, and there is no problem. This error I got 2 times, had to download database from my other node in local network.