Recently, a high-severity security vulnerability that impacts all versions of Tendermint was reported to the Tendermint bug bounty program. A patch for the issue, which requires no breaking changes, will be released in versions 0.32.10 and 0.33.3 of Tendermint, in versions 0.37.9 and 0.38.3 of the Cosmos SDK, and in version 2.0.8 of Gaia at 14:00 UTC on Thursday, April 9. However, we will not be patching other, earlier versions of Tendermint, the Cosmos SDK, or Gaia.
The Tendermint Core team encourages all validators and service providers on Tendermint-powered networks to prepare to update their software to the latest, most secure version as quickly as possible as this update becomes available.
The patches that resolve the issues comprising Advisory Lavender have been released in versions 0.32.10 and 0.33.3 of Tendermint, in versions 0.37.9 and 0.38.3 of the Cosmos SDK, and in version 2.0.8 of Gaia. All releases are now available to the public. These releases should now be available to the public. A full timeline of the vulnerability disclosure and coordination activities that comprise this release should be available by Friday, April 17, 2020.
The Tendermint team encourages all validators and service providers on Tendermint-powered networks to update their software to the latest, most secure version available as quickly as possible.
And–one more quick update with a few questions we’ve received. (Thank you @alessio for fielding these earlier!)
Q: Currently, Cosmoshub-3 runs on gaia v2.0.3 which uses Tendermint v0.32.7 and Cosmos SDK v0.37.4.
Will the releasing version for the patch use the same versions?
A: The upgrade is released in version 0.32.10 of Tendermint. A new Cosmos-SDK 0.37.9 and Gaia 2.0.8 were released as well.
Q: Can you upgrade directly from lower versions (e.g. v2.0.3) or do we first need to upgrade to v2.0.7?
Answer: Patch releases are backward compatible, so upgrading from 2.0.x to any 2.0.y with y>x should be smooth and riskless.
All In Bits Inc. is providing a backport of the fix for CVE-2020-5303 targeting the Tendermint 0.31.x release series. This fix has been published in version 0.31.12 of Tendermint Core.
This release is in response to developers who have been working hard building their blockchains on 0.31.x and do not have the resources to upgrade their Tendermint Core dependency to either 0.32.x or 0.33.x within 24 hours.
All In Bits Inc commits to supporting this release of Tendermint Core 0.31.12. If you are building on Tendermint 0.31.x release series, it is highly recommended to update your software to the latest, most secure version available of Tendermint as quickly as possible since no further security patches will be provided.