|
|
@ -246,6 +246,29 @@ program](https://hackerone.com/tendermint). |
|
|
|
- [node] [\#3716](https://github.com/tendermint/tendermint/issues/3716) Fix a bug where `nil` is recorded as node's address |
|
|
|
- [node] [\#3741](https://github.com/tendermint/tendermint/issues/3741) Fix profiler blocking the entire node |
|
|
|
|
|
|
|
## v0.31.10 |
|
|
|
|
|
|
|
*October 8, 2019* |
|
|
|
|
|
|
|
The previous patch was insufficient because the attacker could still find a way |
|
|
|
to submit a `nil` pubkey by constructing a `PubKeyMultisigThreshold` pubkey |
|
|
|
with `nil` subpubkeys for example. |
|
|
|
|
|
|
|
This release provides multiple fixes, which include recovering from panics when |
|
|
|
accepting new peers and only allowing `ed25519` pubkeys. |
|
|
|
|
|
|
|
**All clients are recommended to upgrade** |
|
|
|
|
|
|
|
Special thanks to [fudongbai](https://hackerone.com/fudongbai) for pointing |
|
|
|
this out. |
|
|
|
|
|
|
|
Friendly reminder, we have a [bug bounty |
|
|
|
program](https://hackerone.com/tendermint). |
|
|
|
|
|
|
|
### SECURITY: |
|
|
|
|
|
|
|
- [p2p] [\#4030](https://github.com/tendermint/tendermint/issues/4030) Only allow ed25519 pubkeys when connecting |
|
|
|
|
|
|
|
## v0.31.9 |
|
|
|
|
|
|
|
*October 1, 2019* |
|
|
|
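Review bot: The v0.31.10 summary says the release includes "recovering from panics when accepting new peers", but the `### SECURITY:` list beneath it carries only the #4030 entry for ed25519 pubkeys, so the panic-recovery change has no changelog line or issue link of its own. Add a `[p2p]` bullet for it with its issue or PR reference so operators can trace both fixes. In the first paragraph, "The previous patch" is ambiguous for someone who lands on this entry directly; name the release it refers to (the next entry down is v0.31.9) or link the earlier fix. Two small style points: "with `nil` subpubkeys for example" reads better as "with `nil` subpubkeys, for example", and the bolded upgrade recommendation is missing its closing period.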