NEM Beta 0.6.91

gimre · July 7, 2017, 7:18am

NEM Beta 0.6.91

##Changes:

This is a security release, that fixes a problem found by an independent security researcher in nis. Reward is on the way.

We’ll reveal the details, once most of the nodes will be updated

This upgrade is mandatory.

If you’re using the installer, make sure to stop running NCC and NIS before running the installer!

NEM requires Java 8
Remember the installer requires 64-bit Java
You can download Java from official page: http://java.com/en/download/manual.jsp12

You can get the packages at https://nem.io/install.html

zhankaiwen · July 7, 2017, 9:29am

updated:grin:

KingCole · July 7, 2017, 9:29am

Whilst upgrading NIS it is probably a good idea to upgrade Java and OS as well, quite a few vulnerabilities disclosed in the last few weeks and months.

For Debian apt-get update && apt-get upgrade should do the trick

Dimas · July 7, 2017, 12:23pm

just to clarify: to update supernode i need to replace only 4 .jar files in package/nis directory?
Or better whole package directory?

mizunashi · July 7, 2017, 12:33pm

NCC 0.6.91 gives stable version as 0.0.0.
Is this related to this json error?

BloodyRookie · July 7, 2017, 12:40pm

the 4 jar files and, in case you have the peers-config_mainnet.json file in the nis folder (for whatever reasons), replace that file too since the ip addresses of Alice2, Alice3 and Alice4 changed.

mizunashi · July 7, 2017, 1:11pm

‘12’ is attached at the end of the URL. If you do not remove this ‘12’, you can not go to the normal page even if you click it.

jleony · July 8, 2017, 3:27am

This update also apply to NCC? if yes, we expect a fix to Nanowallet, mobile wallet are also needed?

mizunashi · July 8, 2017, 4:08am

It seems that this time is an urgent security update, so it seems to be only NIS.
However, there is an update of price change soon, so NIS, NanoWallet, mobile wallet should be all upgraded.

rb2 · July 8, 2017, 10:11am

Is the hash published on the blockchain really a sha256 as the header of the payload indicates?

curl -L -s http://bigalice3.nem.ninja:7890/transaction/get?hash=$(curl -L -s  http://bob.nem.ninja/nis-ncc-0.6.91.tgz.sig | grep txId | sed -e 's/txId: //')
{"meta":{"innerHash":{},"id":884431,"hash":{"data":"d162f6921faf566baa6bada85a8effa7a0de0598f4aed0c720192ba24e432c0b"},"height":1185191},"transaction":{"timeStamp":71772403,"amount":0,"signature":"ccb1a876bbc8e4ac2470af043b3a24a447e9b8e7b8fe317e265389bcfb114401a097132b9d9d2ac4b91a10efef2d7c33ddddaa7b3c7fcccb1b7aeaa80527d00d","fee":10000000,"recipient":"NCZSJHLTIMESERVBVKOW6US64YDZG2PFGQCSV23J","type":257,"deadline":71776003,"message":{"payload":"fe4e545903b9724a15f75c4f8fce078fb84fbcf535a5f9465f6b51667e505b9c42a876370a0000626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d6e63632d302e362e39312e74677a","type":1},"version":1744830465,"signer":"826cedee421ff66e708858c17815fcd831a4bb68e3d8956299334e9e24380ba8"}}

The sha published is 151 characters long, which doesn’t look right for a sha256 which is 256bits long.
This currently blocks the upgrade of nem-docker.

BloodyRookie · July 8, 2017, 11:08am

hmm…so need to wait for @gimre to clarify. He will be available on monday.

rb2 · July 8, 2017, 11:52am

Apparently the sha256 is followed by the download URL hexencode.

nem-docker has now been updated to this version. To update:

./stop.sh
git pull
./boot.sh

BloodyRookie · July 8, 2017, 5:21pm

thx, rb2

gimre · July 10, 2017, 10:08am

yes, I remember someone (you?) mentioned it in other thread, but I couldn’t find it.
although apostille format does not defined it, I’ve added two 0 bytes after the hash, and that’s followed by URL without protocol part, so i.e.

fe - hex marker
4e5459 - apostille marker 'NTY' in hex
03 - hash specification, 3 == sha256
e958d17fd0705fa051924a81e8823e8f4689c76ccdd84ffcd4f836a997765373 - hash itself
0000 - two zero bytes
626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d6e63632d302e362e39312e7a6970 - url

dniezby · July 10, 2017, 1:02pm

So, do I need to do anything to protect my nem is
MF I use NanoWallet??

crimii · July 10, 2017, 1:55pm

This could achieve also the opposite, that people will update slow.

Wouldnt it be more trustworthy if you post the direct code fix.
Depends how fatal the exploit is… for example a exchange or payment processor could compile it by themself and still able use the old version. Otherwise just stop trading.

Decentralization should be slow, it would be not a good sign if 700 nodes switch instant to a new release(not vetted).

Hoang_Xuan_Long · July 10, 2017, 1:53pm

hello everybody, someone can tell with me how much NEM i earn per day if have 10000 NEM for harvesting? thank!

BloodyRookie · July 10, 2017, 2:13pm

If you just use Nano Wallet the update is not relevant for you

gimre · July 11, 2017, 7:16am

did we ever release a version that has not been tested?

crimii · July 11, 2017, 9:37am

Even if you could proof all the test cases you did run. What does this has to do with the upgrading process itself?

Just imagine bitcoin core would say to upgrade to 15.0.0 with following context.

“We’ll reveal the details, once most of the nodes will be updated”

Most of the network would think they are out of their mind.

For example the Bitshares network didnt produce any new blocks since yesterday.

They released a statement with the fixed code and a timeline whats happening.

In my opinion this is a better process.