Warning banner + blog post about compromised binaries

See merge request monero-project/monero-site!1154
This commit is contained in:
luigi1111 2019-11-19 19:35:47 +01:00
commit 512d225382
3 changed files with 25 additions and 0 deletions

7
_includes/warning.html Normal file
View File

@ -0,0 +1,7 @@
<div class="upgrade-container">
<input id="upgrade-toggle" type="checkbox">
<div class="upgrade-content">
<p><label class="upgrade-x" for="upgrade-toggle"></label><b>Warning:</b> The binaries listed on this page were compromised for a short time. Users are suggested to take action. Please <a href="{{ site.baseurl }}{% post_url 2019-11-19-warning-compromised-binaries %}"><u>click here</u></a> for details.</p>
</div>

View File

@ -4,6 +4,7 @@
{% include head.html %}
<body>
{% include warning.html %}
<div class="page-wrapper">
{% include header.html %}
{{content}}

View File

@ -0,0 +1,17 @@
---
layout: post
title: "Warning: The binaries of the CLI wallet were compromised for a short time"
summary: The binaries available on this website were compromised for a short time
tags: [announcements]
author: ErCiccione
---
Yesterday [a GitHub issue about mismatching hashes coming from this website](https://github.com/monero-project/monero/issues/6151) was opened. A quick investigation found that the binaries of the CLI wallet had been compromised and a malicious version was being served. The problem was immediately fixed, which means the compromised files were online for a very short amount of time. The binaries are now served from another, safe, source. [See the reddit post by core team member binaryfate](https://www.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/).
It's strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don't match the official ones, delete the files and download them again. <b>Do not run the compromised binaries for any reason</b>.
We have two guides available to help users check the authenticity of their binaries: <a href="{{site.baseurl}}/resources/user-guides/verification-windows-beginner.html">Verify binaries on Windows (beginner)</a> and <a href="{{site.baseurl}}/resources/user-guides/verification-allos-advanced.html">Verify binaries on Linux, Mac, or Windows command line (advanced)</a>. Signed hashes can be found here: https://getmonero.org/downloads/hashes.txt.
The situation is being investigated and updates will be provided soon.
<i>The Monero community</i>