What happened

The version of OpenSSL used by Bitcoin Core software version 0.9.0 and earlier contains a bug that can reveal memory to a remote attacker. See http://heartbleed.com/ for details.

What you should do

Immediately upgrade to Bitcoin Core version 0.9.1 which is linked against OpenSSL version 1.0.1g. If you use the official binaries, you can verify the version of OpenSSL being used from the Bitcoin Core GUI's Debug window (accessed from the Help menu). If you compiled Bitcoin Core yourself or use the Ubuntu PPA, update your system's OpenSSL. Linux users should also upgrade their system's version of OpenSSL.


Android version 4.1.1 is vulnerable to Heartbleed. Try if you can upgrade to at least Android 4.1.2. If you are using Bitcoin Wallet on an Android phone, you should upgrade the app to at least version 3.45.

How serious is the risk

If you are using the Windows version of the Bitcoin Core GUI without a wallet passphrase, it is possible that your wallet could be compromised by clicking on a bitcoin: payment request link. If you are using bitcoind (on Linux, OSX, or Windows), have enabled the -rpcssl option, and allow RPC connections from the Internet, an attacker from a whitelisted (-allowip) IP address can very likely discover the rpcpassword and the last rpc request. It is possible (but unlikely) private keys could be sent to the attacker.

This notice last updated: Fri, 11 Apr 2014 12:19:23 -0400