[Pkg-bitcoin-devel] The 0.9.1 release and security update

Scott Howard showard314 at gmail.com
Wed Apr 9 16:41:26 UTC 2014


On Wed, Apr 9, 2014 at 12:18 PM, Micha Bailey <michabailey at gmail.com> wrote:
> There was precisely one code change between versions 0.9.0 and 0.9.1 of the
> package. That change was bumping the version number from 0 to 1. The change
> that fixed the security issue was simply upgrading OpenSSL in the release
> binaries, which are statically linked. Since the package here provides
> dynamically linked binaries, the problem is fixed by simply upgrading the
> system OpenSSL.

Thanks for the details. (I saw openssl was patched in Debian on
Monday, so Debian users were fixed even before bitcoin 0.9.1 was
released and before the media picked up the story.) Even though the
package doesn't change, it's important the version number gets bumped.
Otherwise users (and upstream developers) may be concerned that they
are not receiving the security fix and are vulnerable, even though
they are safe. We must do everything to be clear that users have trust
in the bitcoin nodes and network. That's why it's important to act
fast, even if it doesn't change anything, if a security release is
issued.

~Scott
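The distinction made in the quoted message, statically linked release binaries versus the package's dynamically linked ones, can be checked from `ldd` output. This is an added example, not part of the original message or of the package; the function name `openssl_linkage` and the sample `ldd` lines (sonames, paths, addresses) are constructed for illustration.

```shell
#!/bin/sh
# Classify how a binary obtains OpenSSL, from `ldd` output read on stdin.
# Prints one line:
#   dynamic <path> [<path>]   shared libssl/libcrypto: a system OpenSSL upgrade covers it
#   unresolved <soname> ...   shared dependency declared but not found on this system
#   not-dynamic               OpenSSL is compiled in or unused: the binary must be rebuilt
openssl_linkage() {
    awk '
        # ldd lines look like: "libssl.so.X => /path/libssl.so.X (0x...)"
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 == "not") { missing = missing " " $1; next }  # "=> not found"
            libs = libs " " $3
        }
        END {
            if (libs != "")         print "dynamic" libs
            else if (missing != "") print "unresolved" missing
            else                    print "not-dynamic"
        }'
}

# Constructed sample: a dynamically linked build, as shipped by a distribution package.
SAMPLE_DYNAMIC='
    linux-vdso.so.1 (0x00007ffc00000000)
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000200000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

# Constructed sample: what ldd prints for a fully static executable.
SAMPLE_STATIC='    not a dynamic executable'

# Constructed sample: a build that uses shared libraries but has no OpenSSL
# among them, which is how a binary with OpenSSL compiled in appears.
SAMPLE_BUNDLED='
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f0000300000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

# Real use: pass the path of an installed binary as the first argument.
if [ -n "${1:-}" ]; then
    ldd "$1" | openssl_linkage
fi
```

A `dynamic` result means the fix arrives with the system OpenSSL package; `not-dynamic` means the library version was fixed at build time and only a rebuilt binary changes it.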


