Recently, a pair of security vulnerabilities was discovered in Tendermint Core 0.33. One of the vulnerabilities is a high-security issue. A patch for these issues, which requires no breaking changes, will be released in version 0.33.6 of Tendermint Core and in version 0.38.5 of the Cosmos SDK at 14:00 UTC on Thursday, July 2. Gaia is unaffected by this vulnerability.
If you are running software which depends on Tendermint Core 0.33 or Cosmos SDK 0.38, we encourage you to upgrade your software to the latest, most secure version as quickly as possible once this update becomes available.
The patches that resolve the issues comprising Advisory Syringa have been released in version 0.33.6 of Tendermint and in version 0.38.5 of the Cosmos SDK. All releases are now available to the public. A full timeline of the vulnerability disclosure and coordination activities that comprise this release should be available by Friday, July 10, 2020.
Tendermint 0.33.6 renames the VerifyCommitTrusting function to VerifyCommitLightTrusting. If you were relying on the light client, you may need to update your code. For more information, please see the changelog.
Additionally, a Common Vulnerabilities and Exposures (CVE) ID has been assigned: CVE-2020-15091. The list of CVEs is available at https://cve.mitre.org/cve/.
If you are running software which depends on Tendermint Core 0.33 or Cosmos SDK 0.38, we encourage you to upgrade your software to the latest, most secure version as quickly as possible.