|
|
|
@ -1,5 +1,28 @@ |
|
|
|
# Changelog |
|
|
|
|
|
|
|
## v0.31.10 |
|
|
|
|
|
|
|
*October 8, 2019* |
|
|
|
|
|
|
|
The previous patch was insufficient because the attacker could still find a way |
|
|
|
to submit a `nil` pubkey by constructing a `PubKeyMultisigThreshold` pubkey |
|
|
|
with `nil` subpubkeys for example. |
|
|
|
|
|
|
|
This release provides multiple fixes, which include recovering from panics when |
|
|
|
accepting new peers and only allowing `ed25519` pubkeys. |
|
|
|
|
|
|
|
**All clients are recommended to upgrade** |
|
|
|
|
|
|
|
Special thanks to [fudongbai](https://hackerone.com/fudongbai) for pointing |
|
|
|
this out. |
|
|
|
|
|
|
|
Friendly reminder, we have a [bug bounty |
|
|
|
program](https://hackerone.com/tendermint). |
|
|
|
|
|
|
|
### SECURITY: |
|
|
|
|
|
|
|
- [p2p] [\#4030](https://github.com/tendermint/tendermint/issues/4030) Only allow ed25519 pubkeys when connecting |
|
|
|
|
|
|
|
## v0.31.9 |
|
|
|
|
|
|
|
*September 30, 2019* |
|
|
|
@ -16,7 +39,7 @@ program](https://hackerone.com/tendermint). |
|
|
|
|
|
|
|
### SECURITY: |
|
|
|
|
|
|
|
- [p2p] [TODO](hxxp://githublink) Fix for panic on nil public key send to a peer |
|
|
|
- [p2p] [\#4030](https://github.com/tendermint/tendermint/issues/4030) Fix for panic on nil public key send to a peer |
|
|
|
|
|
|
|
### BUG FIXES: |
|
|
|
|
|
|
|
|
Anton Kaliaev
Jack Zampolin