Recently, the Tendermint Core team became aware of a high-severity security vulnerability that impacts Tendermint Core v0.34.0 and later. A patch for the issue, which requires no breaking changes, will be released in version v0.34.3 of Tendermint Core, in version v0.40.1 of the Cosmos SDK, and in version 3.0.1 of Gaia at 16:00 UTC on Tuesday, January 19, 2021.
This vulnerability does not impact the current Cosmos Hub, although it is present in Gaia’s scheduled commit for the Stargate Hub Upgrade. Cosmos core developers encourage all Hub operators to choose Gaia v3.0.1 or later when upgrading for Stargate.
Patches for the Cosmos SDK and Gaia, v0.40.1 and v3.0.1, respectively, will be released shortly; the release process was delayed by the GitHub Actions outage earlier today.
The patches that resolve the issues comprising Security Advisory Mulberry have been released in v0.34.3 of Tendermint Core, in v0.40.1 of the Cosmos SDK, and in version 3.0.1 of Gaia. All releases are now available to the public. The Cosmos SDK and Gaia releases were delayed by 24 hours, but future security updates will be released on a tightened timeline.
A full timeline of the vulnerability disclosure and coordination activities that comprise this release should be available by Tuesday, January 26.
Source code and binaries are available on the respective release pages:
When the new Stargate Hub Upgrade proposal goes live, it will include a commit hash that points to a fully-patched version of Gaia. Therefore, Cosmos Hub operators do not need to worry about Security Advisory Mulberry.