From 143b2b85c3546abf0d0b9c32a8ae1effdb59688e Mon Sep 17 00:00:00 2001 From: Anton Kaliaev Date: Tue, 8 Oct 2019 13:38:37 -0500 Subject: [PATCH] update changelog and bump version to v0.32.6 --- CHANGELOG.md | 23 +++++++++++++++++++++++ CHANGELOG_PENDING.md | 2 +- version/version.go | 2 +- 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 971d5fa2c..e0033b6aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,28 @@ # Changelog +## v0.32.6 + +*October XXX, 2019* + +The previous patch was insufficient because the attacker could still find a way +to submit a `nil` pubkey by constructing a `PubKeyMultisigThreshold` pubkey +with `nil` subpubkeys for example. + +This release provides multiple fixes, which include recovering from panics when +accepting new peers and only allowing `ed25519` pubkeys. + +**All clients are recommended to upgrade** + +Special thanks to [fudongbai](https://hackerone.com/fudongbai) for pointing +this out. + +Friendly reminder, we have a [bug bounty +program](https://hackerone.com/tendermint). + +### SECURITY: + +- [p2p] [\#4030](https://github.com/tendermint/tendermint/issues/4030) Only allow ed25519 pubkeys when connecting + ## v0.32.5 *October 1, 2019* diff --git a/CHANGELOG_PENDING.md b/CHANGELOG_PENDING.md index bf2cc5b3e..f4a10102f 100644 --- a/CHANGELOG_PENDING.md +++ b/CHANGELOG_PENDING.md @@ -1,4 +1,4 @@ -## v0.32.6 +## v0.32.7 \*\* diff --git a/version/version.go b/version/version.go index b31eb8895..42ec287ab 100644 --- a/version/version.go +++ b/version/version.go @@ -20,7 +20,7 @@ const ( // Must be a string because scripts like dist.sh read this file. // XXX: Don't change the name of this variable or you will break // automation :) - TMCoreSemVer = "0.32.5" + TMCoreSemVer = "0.32.6" // ABCISemVer is the semantic version of the ABCI library ABCISemVer = "0.16.1"