NEM Beta 0.6.91

## Changes:

This is a security release that fixes a problem found in NIS by an independent security researcher. Reward is on the way.

We’ll reveal the details, once most of the nodes will be updated

This upgrade is mandatory.


If you’re using the installer, make sure to stop running NCC and NIS before running the installer!

NEM requires Java 8
Remember the installer requires 64-bit Java
You can download Java from official page: http://java.com/en/download/manual.jsp12

You can get the packages at https://nem.io/install.html

updated :grin:

Whilst upgrading NIS it is probably a good idea to upgrade Java and the OS as well; quite a few vulnerabilities have been disclosed in the last few weeks and months.

For Debian, `apt-get update && apt-get upgrade` should do the trick.

Just to clarify: to update a supernode, I need to replace only the 4 .jar files in the package/nis directory?
Or better the whole package directory?

NCC 0.6.91 gives the stable version as 0.0.0.
Is this related to this JSON error?

The 4 jar files and, in case you have the peers-config_mainnet.json file in the nis folder (for whatever reason), replace that file too, since the IP addresses of Alice2, Alice3 and Alice4 changed.

‘12’ is attached at the end of the URL. If you do not remove this ‘12’, you cannot get to the normal page even if you click it.

Does this update also apply to NCC? If yes, we expect fixes to NanoWallet and the mobile wallet are also needed?

It seems that this time it is an urgent security update, so it seems to be only NIS.
However, there is a price change update soon, so NIS, NanoWallet and the mobile wallet should all be upgraded.

Is the hash published on the blockchain really a sha256 as the header of the payload indicates?

```
curl -L -s http://bigalice3.nem.ninja:7890/transaction/get?hash=$(curl -L -s  http://bob.nem.ninja/nis-ncc-0.6.91.tgz.sig | grep txId | sed -e 's/txId: //')
{"meta":{"innerHash":{},"id":884431,"hash":{"data":"d162f6921faf566baa6bada85a8effa7a0de0598f4aed0c720192ba24e432c0b"},"height":1185191},"transaction":{"timeStamp":71772403,"amount":0,"signature":"ccb1a876bbc8e4ac2470af043b3a24a447e9b8e7b8fe317e265389bcfb114401a097132b9d9d2ac4b91a10efef2d7c33ddddaa7b3c7fcccb1b7aeaa80527d00d","fee":10000000,"recipient":"NCZSJHLTIMESERVBVKOW6US64YDZG2PFGQCSV23J","type":257,"deadline":71776003,"message":{"payload":"fe4e545903b9724a15f75c4f8fce078fb84fbcf535a5f9465f6b51667e505b9c42a876370a0000626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d6e63632d302e362e39312e74677a","type":1},"version":1744830465,"signer":"826cedee421ff66e708858c17815fcd831a4bb68e3d8956299334e9e24380ba8"}}
```

The sha published is 151 characters long, which doesn’t look right for a sha256, which is 256 bits long.
This currently blocks the upgrade of nem-docker.

Hmm… so we need to wait for @gimre to clarify. He will be available on Monday.

Apparently the sha256 is followed by the hex-encoded download URL.

nem-docker has now been updated to this version. To update:

```
./stop.sh
git pull
./boot.sh
```

thx, rb2

Yes, I remember someone (you?) mentioned it in another thread, but I couldn’t find it.
Although the apostille format does not define it, I’ve added two 0 bytes after the hash, and that’s followed by the URL without the protocol part, i.e.:

fe - hex marker
4e5459 - apostille marker 'NTY' in hex
03 - hash specification, 3 == sha256
e958d17fd0705fa051924a81e8823e8f4689c76ccdd84ffcd4f836a997765373 - hash itself
0000 - two zero bytes
626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d6e63632d302e362e39312e7a6970 - url
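
A parser for the payload layout described in the post above, as an added example that is not part of the original thread or NEM's own code. The function names are hypothetical, and only hash type 3 (sha256) is mapped because it is the only value the thread states.

```python
import hashlib
import hmac

# Hash-specification byte -> hashlib algorithm. Only 3 == sha256 is given in the thread.
HASH_TYPES = {0x03: "sha256"}

# Message payload copied from the transaction quoted earlier in this thread.
SAMPLE_PAYLOAD = (
    "fe4e545903b9724a15f75c4f8fce078fb84fbcf535a5f9465f6b51667e505b9c42a876370a"
    "0000626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d6e63632d302e362e39312e74677a"
)


def parse_release_payload(payload_hex):
    """Split a payload into (algorithm, digest_hex, url) following the layout above."""
    raw = bytes.fromhex(payload_hex)
    if raw[:1] != b"\xfe":
        raise ValueError("missing 0xfe hex marker")
    if raw[1:4] != b"NTY":
        raise ValueError("missing 'NTY' apostille marker")
    if len(raw) < 5 or raw[4] not in HASH_TYPES:
        raise ValueError("unknown hash specification byte")
    algo = HASH_TYPES[raw[4]]
    size = hashlib.new(algo).digest_size
    digest = raw[5:5 + size]
    if len(digest) != size:
        raise ValueError("payload too short for the digest")
    rest = raw[5 + size:]
    if rest[:2] != b"\x00\x00":
        raise ValueError("missing two zero bytes after the hash")
    # Everything after the separator is the URL without its protocol part.
    return algo, digest.hex(), rest[2:].decode("ascii")


def verify_download(payload_hex, file_bytes):
    """Return True only if file_bytes hashes to the digest carried in the payload."""
    algo, expected, _url = parse_release_payload(payload_hex)
    actual = hashlib.new(algo, file_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(parse_release_payload(SAMPLE_PAYLOAD))
```
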

So, do I need to do anything to protect my NEM if I use NanoWallet??

This could also achieve the opposite, that people will update slowly.

Wouldn’t it be more trustworthy if you posted the direct code fix?
Depends how fatal the exploit is… for example, an exchange or payment processor could compile it by themselves and still be able to use the old version. Otherwise just stop trading.

Decentralization should be slow; it would not be a good sign if 700 nodes switched instantly to a new release (not vetted).

Hello everybody, can someone tell me how much NEM I earn per day if I have 10000 NEM for harvesting? Thanks!

If you just use Nano Wallet, the update is not relevant for you.

Did we ever release a version that has not been tested?

Even if you could prove all the test cases you ran, what does this have to do with the upgrade process itself?

Just imagine Bitcoin Core would say to upgrade to 15.0.0 with the following context.

“We’ll reveal the details, once most of the nodes will be updated”

Most of the network would think they are out of their mind.

For example, the Bitshares network didn’t produce any new blocks since yesterday.

They released a statement with the fixed code and a timeline of what’s happening.

In my opinion this is a better process.