Security update: Nu 2.0.3 and B&C Exchange 3.0.2

Nu 2.0.2 and B&C Exchange 3.0.1 introduced a new flaw. An attacker could make other nodes access invalid memory.

We made new releases to fix this issue. All nodes should upgrade as soon as possible. This release doesn’t change anything besides this security fix.

Nu 2.0.3:
https://bitbucket.org/JordanLeePeershares/nubit/downloads/nu-2.0.3-win-gitian.zip
https://bitbucket.org/JordanLeePeershares/nubit/downloads/nu-2.0.3-linux-gitian.zip
https://bitbucket.org/JordanLeePeershares/nubit/downloads/nu-2.0.3-osx.dmg
git: build from the 2.0.3-Stable-Release branch or the v2.0.3 tag.

B&C Exchange 3.0.2:
https://bitbucket.org/JordanLeePeershares/bcexchange/downloads/bcexchange-3.0.2-win-gitian.zip
https://bitbucket.org/JordanLeePeershares/bcexchange/downloads/bcexchange-3.0.2-linux-gitian.zip
https://bitbucket.org/JordanLeePeershares/bcexchange/downloads/BCExchange-3.0.2-osx.dmg
git: build from the 3.0-stable branch or the v3.0.2 tag.

sha256:

547fc816c06b596a449590f5307cf3b74f6fb47018f0c1cd56fce8891695ce7d  nu-2.0.3-linux-gitian.zip
854274d347aeab25dbc61fc68b2b48bb0a223dfc097ff46f90598954a0990999  nu-2.0.3-win-gitian.zip
753b8c536861ab8fd38aafa03fb4bab0d44aa1809db3e113627ea8eb6bb481cb  nu-2.0.3-osx.dmg
7991bcaf396bca73038af86bfc977555d13b4b7266ec2c460bbc832376425ec9  bcexchange-3.0.2-linux-gitian.zip
4da8ee72b2f9ade0543e0037bb8059cc0da2c63e904210beb8d5d28d34f6afbe  bcexchange-3.0.2-win-gitian.zip
a3d7abc8bcdd793e296f588eb05609d9dc3c013802a230d16d92f90c1c32ba90  BCExchange-3.0.2-osx.dmg
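Added example (not part of the original post or of the Nu project's tooling): a POSIX shell helper that checks a downloaded file against the sha256 list published above and fails closed when the file is missing, unlisted, or does not match. The function names `sha256_of` and `verify_release` are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded release against the announcement's sha256 list.
# MANIFEST holds the checksum lines exactly as published in the post above.
MANIFEST='547fc816c06b596a449590f5307cf3b74f6fb47018f0c1cd56fce8891695ce7d  nu-2.0.3-linux-gitian.zip
854274d347aeab25dbc61fc68b2b48bb0a223dfc097ff46f90598954a0990999  nu-2.0.3-win-gitian.zip
753b8c536861ab8fd38aafa03fb4bab0d44aa1809db3e113627ea8eb6bb481cb  nu-2.0.3-osx.dmg
7991bcaf396bca73038af86bfc977555d13b4b7266ec2c460bbc832376425ec9  bcexchange-3.0.2-linux-gitian.zip
4da8ee72b2f9ade0543e0037bb8059cc0da2c63e904210beb8d5d28d34f6afbe  bcexchange-3.0.2-win-gitian.zip
a3d7abc8bcdd793e296f588eb05609d9dc3c013802a230d16d92f90c1c32ba90  BCExchange-3.0.2-osx.dmg'

# sha256_of FILE: print the hex digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'        # Linux
    else
        shasum -a 256 "$1" | awk '{print $1}'    # macOS
    fi
}

# verify_release FILE [MANIFEST_TEXT]
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or not listed.
verify_release() {
    file=$1
    manifest=${2:-$MANIFEST}
    name=$(basename "$file")
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Exact match on the file name column; an unlisted name is an error.
    expected=$(printf '%s\n' "$manifest" | awk -v n="$name" '$2 == n {print $1; exit}')
    [ -n "$expected" ] || { echo "not listed: $name" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

Source the file and call `verify_release ~/Downloads/nu-2.0.3-linux-gitian.zip` before unpacking or running anything. A match shows the file is the one the announcement refers to; it does not authenticate the announcement itself.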

compiled and running it on Raspberry Pi from git directory

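cd nubit/
git fetch origin
git checkout v2.0.3
cd src
# temporary 1 GiB swap file for the build
sudo dd if=/dev/zero of=/swapfile bs=64M count=16
# swap can hold process memory, so make it readable by root only before enabling it
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
make -f makefile.unix
sudo swapoff /swapfile
sudo rm /swapfile
strip nud
chmod 700 nud
mv nud ~/.nu/nud2.0.3
cd ~/.nu
ln -s nud2.0.3 nud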

Also updated the Raspberry Pi build on https://github.com/desrever-nu/nu-raspberry-unofficial

Is this mandatory or no? I don’t see it on the download page of the website.

Yes it is. Users running the previous versions are vulnerable. I’m not sure how to put these new releases on the website.

Nu 2.0.3 for OS X has been uploaded.

https://bitbucket.org/JordanLeePeershares/nubit/downloads/nu-2.0.3-osx.dmg
753b8c536861ab8fd38aafa03fb4bab0d44aa1809db3e113627ea8eb6bb481cb nu-2.0.3-osx.dmg

I’ve also updated the links on Nubits.com to point to the 2.0.3 release version for all platforms.

B&C Exchange 3.0.2 for OS X has been uploaded

https://bitbucket.org/JordanLeePeershares/bcexchange/downloads/BCExchange-3.0.2-osx.dmg

a3d7abc8bcdd793e296f588eb05609d9dc3c013802a230d16d92f90c1c32ba90  BCExchange-3.0.2-osx.dmg

Please be aware that you will need to re-synch the network if you’ve previously run the 3.1.0-RC1 release candidate build on your Mac. Trying to run the application without clearing out the block index first will result in a fatal crash when starting 3.0.2 due to an indexing issue with the genesis block. There isn’t anything wrong with the genesis block, but it appears that there’s a subtle difference between how the index is generated within the 3.1 versions of B&C vs. how 3.0.x stores them.

Removing the block index data file fixed the problem for me, but as always, if you’re going to be messing with the files under the B&C Exchange data directory, always make a backup before proceeding. DO NOT remove your wallet*.dat files, there is no need to clear the whole data directory.

BCexchange.org has been updated with the new client downloads.

I want to upload binary file for raspberry pi2. Possible to go to homepage?

Already done:

Maybe also include bcexchanged?

I am afraid it’s only “nud” not “bcexchanged”.

Strongly suggest to add Raspberry binary on homepage.


And for the sake of wallet compatibility pretty please compiled with BerkeleyDB 4.8 :wink:

I would appreciate if someone else could maintain an unofficial bcexchanged.

Strongly suggest to add Raspberry binary on homepage.

We can’t because it’s untested software.

I actually never got the time to figure it. I remember we were discussing this some time ago … Apparently I am compiling with 5.1

$ cat /usr/lib/sasl2/berkeley_db.txt
5.1

I remember that uninstalling bdb wasn’t straightforward for someone so I was waiting for someone to figure out how to do the downgrade properly before corrupting that machine.

Is there a warning, because using 5.1 renders wallets incompatible with the official clients?

docs.nubits.com has an updated Raspberry Pi section explaining how to get 4.8 on a RaPi2.

I see. We should harmonise the tutorial a bit more. Now we are basically first telling “install libdb++-dev”, and then we say “don’t”. If you can, please edit the tutorial with just one version of dependencies instructions.

Both 4.8 and 5.1 are options and users might choose the one that suits them best.
I wouldn’t dare say that I can decide that for anybody without knowing the requirements.

With 4.8 the wallets stay compatible with the official releases.
With 5.1 users don’t need to worry about compiling their own libdb on RaPi2 (and using it for compiling nud or bcexchanged), because 5.1 is in the official repos.

Any particular reason why official nud uses 4.8 (cc @sigmike)?

Mostly because that’s what Bitcoin and Peercoin use and we didn’t change that. The fact the wallet files work on all versions is also interesting.

@mhps @masterOfDisaster
Can you edit a manual of how to mint BKS on Raspberry for those only reading B&C homepages? Then we can put it on B&C website.

It’s almost exactly like https://docs.nubits.com/nu-raspberry-minting/ – just change nu and nubit to bcexchange and nud to bcexchanged