Bitcoin announced the release of Bitcoin Core version 0.11.1, a minor version update with most changes coming in the form of security fixes.
While it is always recommended that anyone using Bitcoin Core upgrade to the newest version as soon as possible, it is not the end of the world if for some reason you cannot upgrade. Bitcoin Core is backward compatible with versions 0.10.0 and later due to the introduction of headers-first synchronization and parallel block download.
These two features rework the way blocks are stored and indexed, which earlier versions simply cannot support. Upgrading is not that hard: simply close all running instances of Bitcoin Core, making sure they shut down completely, and “then run the installer (on Windows) or just copy over /Applications/Bitcoin-Qt (on Mac) or bitcoind/bitcoin-qt (on Linux).” There are no known issues in downgrading from 0.11.x to 0.10.x, so if for whatever reason users feel the need to downgrade to an earlier version, they should be able to do so smoothly.
The two main updates highlighted in this version are a fix for a UPnP vulnerability and a feature that will partially alleviate the transaction malleability exploit, which the Bitcoin network experienced recently.
The UPnP vulnerability allowed an attacker running a server on the local network to execute code remotely by sending a specific XML response.
According to the vulnerability report, “An exploitable buffer overflow vulnerability exists in the XML parser functionality of the MiniUPnP library. A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.”
Fortunately, all that was needed to patch this vulnerability was updating the bundled miniupnpc to version 1.9.20151008. The vulnerability only applied to the distributed executables, so users building from source or using distribution-provided packages were not affected.
The second notable change in version 0.11.1 is that nodes must now require the canonical “low-s” encoding for ECDSA signatures when relaying or mining. If adopted by a majority of the users, this would completely get rid of the attacks we saw a couple weeks ago, where people would sometimes see two identical transactions, but only one would confirm. This would limit backwards-compatibility severely, however, so there is a tradeoff to be made.
“If widely deployed this change would eliminate the last remaining known vector for nuisance malleability on SIGHASH_ALL P2PKH transactions. On the down-side it will block most transactions made by sufficiently out of date software.”
Note that there are still malleability attacks Bitcoin must thwart, so the need for BIP62 or similar proposals still exists; 0.11.1 “only eliminates the cheap and irritating DOS attack.” The release can be downloaded from the official Bitcoin website. As well, a complete change log is linked here.