From 93719c2eb34670b7ae541384ec1b86c08fb327de Mon Sep 17 00:00:00 2001 From: Tess Rinearson Date: Fri, 19 Feb 2021 14:51:22 +0100 Subject: [PATCH] changelog: update with changes from 0.34.7 (and failed 0.34.5, 0.34.6) (#6150) --- CHANGELOG.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9cd73ec9a..ed29c6486 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,46 @@ # Changelog +## v0.34.7 + +*February 18, 2021* + +This release fixes a downstream security issue which impacts Cosmos SDK +users who are: + +* Using Cosmos SDK v0.40.0 or later, AND +* Running validator nodes, AND +* Using the file-based `FilePV` implementation for their consensus keys + +Users who fulfill all the above criteria were susceptible to leaking +private key material in the logs. All other users are unaffected. + +The root cause was a discrepancy +between the Tendermint Core (untyped) logger and the Cosmos SDK (typed) logger: +Tendermint Core's logger automatically stringifies Go interfaces whenever possible; +however, the Cosmos SDK's logger uses reflection to log the fields within a Go interface. + +The introduction of the typed logger meant that previously un-logged fields within +interfaces are now sometimes logged, including the private key material inside the +`FilePV` struct. + +Tendermint Core v0.34.7 fixes this issue; however, we strongly recommend that all validators +use remote signer implementations instead of `FilePV` in production. + +Thank you to @joe-bowman for his assistance with this vulnerability and a particular +shout-out to @marbar3778 for diagnosing it quickly. + +Friendly reminder: We have a [bug bounty program](https://hackerone.com/tendermint). + +### BUG FIXES + +- [consensus] [\#6128](https://github.com/tendermint/tendermint/pull/6128) Remove privValidator from log call (@tessr) + +## v0.34.6 + +*February 18, 2021* + +_Tendermint Core v0.34.5 and v0.34.6 have been recalled due to release tooling problems._ + ## v0.34.4 *February 11, 2021*
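Review bot: The v0.34.7 entry tells affected validators that private key material may have reached their logs but gives no remediation beyond upgrading; since the stated impact is key leakage, the text after "Users who fulfill all the above criteria were susceptible to leaking private key material in the logs." should say what to do about logs already written, for example that operators who ran an affected `FilePV` setup should assume the consensus key is compromised, rotate it, and purge or scrub any log output (including copies shipped to aggregation services) that may contain it. Upgrading to v0.34.7 stops future leakage only; it does not undo a leak that has already happened. A smaller point: the recall notice sits under a "## v0.34.6" heading only, while the note itself and the commit subject refer to both v0.34.5 and v0.34.6, so a reader scanning for a v0.34.5 section finds nothing; a heading such as "## v0.34.5 and v0.34.6" (or a separate v0.34.5 entry) would match the changelog's existing one-heading-per-version layout.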