From 1af0e839318f7d8ee7de08869458099e00525ff1 Mon Sep 17 00:00:00 2001
From: Zaki Manian
Date: Thu, 26 Sep 2019 08:49:42 -0700
Subject: [PATCH 1/4] update version.go

---
 version/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version/version.go b/version/version.go
index b342d6b2..b31eb889 100644
--- a/version/version.go
+++ b/version/version.go
@@ -20,7 +20,7 @@ const (
  // Must be a string because scripts like dist.sh read this file.
  // XXX: Don't change the name of this variable or you will break
  // automation :)
- TMCoreSemVer = "0.32.4"
+ TMCoreSemVer = "0.32.5"
 
  // ABCISemVer is the semantic version of the ABCI library
  ABCISemVer = "0.16.1"

From 4c11bab23fb8838c6ba4fcc327235ca002dea345 Mon Sep 17 00:00:00 2001
From: Zaki Manian
Date: Thu, 26 Sep 2019 09:08:42 -0700
Subject: [PATCH 2/4] Changelog update

---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7aa703bb..7d96f956 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## v0.32.5
+
+### Security
+
+[p2p] [TODO](hxxp://githublink) Fix for panic on nil public key send to a peer.
+
+
+
 ## v0.32.4
 
 *September 19, 2019*

From ba547cb7803100e5ec7b0498cf9392b3520fca29 Mon Sep 17 00:00:00 2001
From: Zaki Manian
Date: Fri, 27 Sep 2019 18:31:27 -0700
Subject: [PATCH 3/4] Update CHANGELOG.md

Co-Authored-By: Anton Kaliaev
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d96f956..48ed6385 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@
 
 ### Security
 
-[p2p] [TODO](hxxp://githublink) Fix for panic on nil public key send to a peer.
+- [p2p] [TODO](hxxp://githublink) Fix for panic on nil public key send to a peer
 
 
 

From 9dc1ca1537512aeb631d4d31db7bd445bb1c5260 Mon Sep 17 00:00:00 2001
From: Anton Kaliaev
Date: Mon, 30 Sep 2019 13:43:50 -0700
Subject: [PATCH 4/4] update changelog

---
 CHANGELOG.md | 22 ++++++++++++++++------
 CHANGELOG_PENDING.md | 2 +-
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 48ed6385..c680928e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,12 +2,22 @@
 
 ## v0.32.5
 
-### Security
+*September 30, 2019*
+
+This release fixes a major security vulnerability found in the `p2p` package.
+All clients are recommended to upgrade. See [TODO](hxxp://githublink) for
+details.
+
+Special thanks to [fudongbai](https://hackerone.com/fudongbai) for discovering
+and reporting this issue.
+
+Friendly reminder, we have a [bug bounty
+program](https://hackerone.com/tendermint).
+
+### SECURITY:
 
 - [p2p] [TODO](hxxp://githublink) Fix for panic on nil public key send to a peer
 
-
-
 ## v0.32.4
 
 *September 19, 2019*
@@ -30,9 +40,9 @@ program](https://hackerone.com/tendermint).
 - [deps] [\#3951](https://github.com/tendermint/tendermint/pull/3951) bump github.com/stretchr/testify from 1.3.0 to 1.4.0
 - [deps] [\#3945](https://github.com/tendermint/tendermint/pull/3945) bump github.com/gorilla/websocket from 1.2.0 to 1.4.1
 - [deps] [\#3948](https://github.com/tendermint/tendermint/pull/3948) bump github.com/libp2p/go-buffer-pool from 0.0.1 to 0.0.2
-- [deps] [\#3943](https://github.com/tendermint/tendermint/pull/3943) bump github.com/fortytw2/leaktest from 1.2.0 to 1.3.0
-- [deps] [\#3939](https://github.com/tendermint/tendermint/pull/3939) bump github.com/rs/cors from 1.6.0 to 1.7.0
-- [deps] [\#3937](https://github.com/tendermint/tendermint/pull/3937) bump github.com/magiconair/properties from 1.8.0 to 1.8.1
+- [deps] [\#3943](https://github.com/tendermint/tendermint/pull/3943) bump github.com/fortytw2/leaktest from 1.2.0 to 1.3.0
+- [deps] [\#3939](https://github.com/tendermint/tendermint/pull/3939) bump github.com/rs/cors from 1.6.0 to 1.7.0
+- [deps] [\#3937](https://github.com/tendermint/tendermint/pull/3937) bump github.com/magiconair/properties from 1.8.0 to 1.8.1
 - [deps] [\#3947](https://github.com/tendermint/tendermint/pull/3947) update gogo/protobuf version from v1.2.1 to v1.3.0
 - [deps] [\#4001](https://github.com/tendermint/tendermint/pull/4001) bump github.com/tendermint/tm-db from 0.1.1 to 0.2.0
 
diff --git a/CHANGELOG_PENDING.md b/CHANGELOG_PENDING.md
index eeafaf36..2bd7fd97 100644
--- a/CHANGELOG_PENDING.md
+++ b/CHANGELOG_PENDING.md
@@ -1,4 +1,4 @@
-## v0.32.5
+## v0.32.6
 
 \*\*