diff --git a/CHANGELOG.md b/CHANGELOG.md index e45aaa76f..6d34ae06e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -246,6 +246,29 @@ program](https://hackerone.com/tendermint). - [node] [\#3716](https://github.com/tendermint/tendermint/issues/3716) Fix a bug where `nil` is recorded as node's address - [node] [\#3741](https://github.com/tendermint/tendermint/issues/3741) Fix profiler blocking the entire node +## v0.31.10 + +*October 8, 2019* + +The previous patch was insufficient because the attacker could still find a way +to submit a `nil` pubkey by constructing a `PubKeyMultisigThreshold` pubkey +with `nil` subpubkeys for example. + +This release provides multiple fixes, which include recovering from panics when +accepting new peers and only allowing `ed25519` pubkeys. + +**All clients are recommended to upgrade** + +Special thanks to [fudongbai](https://hackerone.com/fudongbai) for pointing +this out. + +Friendly reminder, we have a [bug bounty +program](https://hackerone.com/tendermint). + +### SECURITY: + +- [p2p] [\#4030](https://github.com/tendermint/tendermint/issues/4030) Only allow ed25519 pubkeys when connecting + ## v0.31.9 *October 1, 2019*