The patches that resolve the issues comprising Advisory Syringa have been released in version 0.33.6 of Tendermint and in version 0.38.5 of the Cosmos SDK. All releases are now available to the public. A full timeline of the vulnerability disclosure and coordination activities that comprise this release should be available by Friday, July 10, 2020.
Tendermint 0.33.6 is available at https://github.com/tendermint/tendermint/releases/tag/v0.33.6 and Cosmos SDK 0.38.5 is available at https://github.com/cosmos/cosmos-sdk/releases/tag/v0.38.5.
Tendermint 0.33.6 renames the VerifyCommitTrusting function to VerifyCommitLightTrusting. If you were relying on the light client, you may need to update your code. For more information, please see the changelog.
Additionally, a Common Vulnerabilities and Exposures (CVE) ID has been assigned: CVE-2020-15091. The list of CVEs is available at https://cve.mitre.org/cve/.
If you are running software which depends on Tendermint Core 0.33 or Cosmos SDK 0.38, we encourage you to upgrade your software to the latest, most secure version as quickly as possible.
This notice has been posted in accordance with our vulnerability disclosure policy. For future security alerts for Tendermint Core, you can also subscribe to our dedicated security mailing list.