Recently, a high severity issue impacting all versions of Tendermint and version 0.34.9 of the CosmosSDK was reported through the Tendermint HackerOne bug bounty program. A patch for this issue that also includes a fix for a medium-severity security issue will be released within the next 24 hours in versions 0.31.11 and 0.32.7 of Tendermint, version 0.34.10 of the CosmosSDK, and version 2.0.3 of Gaia. The patch will be available at 6pm UTC on Tuesday, October 29th, 2019 and will require no breaking changes to the network.
The Tendermint team encourages all validators and service providers on Tendermint-powered networks to prepare to update their software to the latest, most secure version available as quickly as possible when this update becomes available.
3 Likes
A quick note on advisory distribution:
As part of the retrospectives for Security Advisory Magenta, we committed to setting up a more robust distribution method for all security advisories and not just those that require emergency action. At present, we are still working on a system that will allow for validators and organizations who depend on Tendermint and CosmosSDK code to safely, securely opt-in to notifications and to subscribe to an RSS feed to receive security updates. This means that because there is no emergency coordination required, we will not be activating the security distribution list that is reserved for emergency situations.
1 Like
The patches that resolve the issues comprising Advisory Periwinkle have been released in versions 0.31.11 and 0.32.7 of Tendermint, version 0.34.10 of the CosmosSDK and should now be available to the public. The latest release of Gaia, version 2.0.3 may take some additional time to propagate and should be available with a delay of no more than a few hour. A full timeline of the vulnerability disclosure and coordination activities that comprise this release will be available no later than Tuesday, November 5th, 2019.
The Tendermint team encourages all validators and service providers on Tendermint-powered networks to update their software to the latest, most secure version available as quickly as possible.