
How to install fresh Electrum


#1

Hello, I want to install the latest Electrum version, because:

Warning: Versions of Electrum older than 3.3.3 are vulnerable to a phishing attack, where malicious servers are able to display a message asking users to download a fake version of Electrum. Do not download software updates from another source than electrum.org. In order to reach users of vulnerable versions, we have started to use the same vulnerability, and to direct them to electrum.org.

But following these instructions https://www.whonix.org/wiki/electrum it is only possible to install version 3.1.3.
If I follow the official instructions:

Install dependencies:
sudo apt-get install python3-setuptools python3-pyqt5 python3-pip
Install Electrum:
sudo python3 -m pip install https://download.electrum.org/3.3.3/Electrum-3.3.3.tar.gz#egg=electrum[fast]

As I understand, it’s not secure.

So what can I do?


#2

Simple:

If you get this message that asks you to download a new/updated version of Electrum… Don’t do it!

Only use APT to download/update your software.

Avoid 3rd party package managers.

Always verify signatures.

Note: The latest version of electrum found in the Debian (unstable) repositories is electrum 3.2.3-1.

https://packages.debian.org/sid/utils/electrum


#3

Hello. I see it on the official electrum.org site (you can check).
The previous versions have a vulnerability.

How can I install 3.2.3-1? When I do as in the wiki instructions, it finds only version 3.1.3. Can you write how to install 3.2.3-1?
But anyway, can I install from the official Electrum site?


#4

Correct. This is a vulnerability to phishing attacks.

malicious servers are able to display a message asking users to download a fake version of Electrum.

This vulnerability can be mitigated by downloading/updating electrum using Debian’s official package manager APT. Use nothing else.

This can be done by installing electrum from Debian unstable (sid). This version still has the same vulnerability. Make sure you read all warnings before installing from Debian unstable. (Installing from Debian stable is preferred)

https://whonix.org/wiki/Install_Software#Install_from_Debian_Unstable

You can if you want. Keep in mind, Install Software#Best_Practices still applies here.
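
Post #2's advice to always verify signatures, applied to a manual download of the kind discussed here. This is an added example, not part of the thread and not Electrum's or Whonix's own code: it accepts a file only if gpg reports a valid signature whose primary-key fingerprint equals a pinned value. `PINNED_FPR` is a placeholder and the `.asc` file name in the usage comment is an assumption.

```shell
#!/bin/sh
# PINNED_FPR is a placeholder: replace it with the release signer's
# primary-key fingerprint, obtained out of band (not from the download page).
PINNED_FPR="0000000000000000000000000000000000000000"

# Read "gpg --status-fd" output on stdin and print the primary-key
# fingerprint of every valid signature. In a VALIDSIG line the last field
# is the primary key's fingerprint; the third is the (sub)key that signed.
valid_signers() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($NF) }'
}

# status_ok STATUS_TEXT PINNED
# Succeeds only if STATUS_TEXT contains a valid signature made by the
# pinned primary key and no signature made by a revoked key.
status_ok() {
    # Conservative: refuse if gpg reports any signature from a revoked key.
    if printf '%s\n' "$1" | grep -q '^\[GNUPG:\] REVKEYSIG '; then
        return 1
    fi
    # Normalise the pinned value: drop spaces, upper-case the hex digits.
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || return 1
    printf '%s\n' "$1" | valid_signers | grep -Fqx "$want"
}

# verify_release FILE SIGNATURE
# Runs gpg with machine-readable status output and applies status_ok.
# The decision is taken from the status lines, not from gpg's exit code.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    status_ok "$status" "$PINNED_FPR"
}

# Usage (file names are assumptions):
#   verify_release Electrum-3.3.3.tar.gz Electrum-3.3.3.tar.gz.asc \
#       && echo "signature OK" || echo "do not install"
```

Pinning the fingerprint matters because a "Good signature" message alone only says that some key in the local keyring signed the file.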


#5

As I understand it, there is no proper way to update to the latest version, which does not have the vulnerability? Is it necessary to wait for an update in the repository? If I ignore the vulnerability and use the current version, does it pose some threat?


#6

Not possible to update to electrum 3.3.3 in Whonix using APT.

This question was already answered.

If you use APT (in Whonix) to install electrum

https://www.whonix.org/wiki/Electrum

And update electrum using APT (in Whonix)

sudo apt-get update && sudo apt-get dist-upgrade

This vulnerability will not affect you i.e. vulnerability is mitigated.

Please read up on what a phishing attack is. I think this will make a little more sense.


#7

“How i can install 3.2.3-1?”

0brand:
“This can be done by installing electrum from Debian unstable (sid). This version --still has the same vulnerability--.”

0brand:
“--This vulnerability can be mitigated-- by downloading/updating electrum using Debian’s official package manager APT. Use nothing else.”


#8
  1. I understand what a phishing attack is, i.e. the vulnerability can be used only if I download, but nevertheless I was asking whether there is any danger from it.
  2. As I understand it, I can download only version 3.2.3-1 from a Debian repository; however, the problem is fixed only in version 3.3.3, so does it make sense? Also, as I understand, will the version from an unstable repository cause other problems?

But I also did not completely understand:

If I try to install following the instructions at https://www.whonix.org/wiki/Electrum, I can install only 3.1.3-1

electrum is already the newest version (3.1.3-1).
So what must I do to update to the new version from APT?


#9

https://www.whonix.org/wiki/Install_Software#Install_from_Debian_Unstable

Danger? If you download the malicious (steal all your data, bitcoin and everything else on your system) file from the attacker? YES

If you use APT (i.e. don’t download the malicious, steal all your data, and bitcoin ‘file’ from attacker) then this vulnerability will not affect you.

The latest version of electrum available from Debian repositories (APT) is 3.2.3-1. So no version available from Debian repositories has the fix. That was the point I was trying to make.

In other words, not possible to update to 3.3.3 using APT.

