We’re releasing Zebra 4.4.1 at this time. This launch incorporates a repair for a consensus-critical safety vulnerability, and we strongly encourage all node operators to improve instantly. You’ll be able to replace on to it when you have not up to date for the final couple of releases.
Word that the 4.4.0 launch was simply three days in the past. When you have already upgraded, sadly you have to to improve once more.
Safety Advisories
GHSA-pvmv-cwg8-v6c8: Zebra nonetheless accepts V5 SIGHASH_SINGLE with out a corresponding output
Zebra did not implement a ZIP-244 consensus rule for V5 clear transactions: when an enter is signed with SIGHASH_SINGLE and there’s no clear output on the identical index as that enter, validation should fail. Zebra as an alternative requested the underlying sighash library to compute a digest, and that library produced a digest over an empty output set reasonably than failing. An attacker might craft a V5 transaction with extra clear inputs than outputs that Zebra accepts however zcashd rejects, making a consensus break up between Zebra and zcashd nodes.
A earlier repair (GHSA-cwfq-rfcr-8hmp) addressed a intently associated case in the identical space of the code, however didn’t cowl this particular one.
Because of @sangsoo-osec, @zmanian, and @fivelittleducks for reporting the problem.
Upgrading
We strongly suggest all Zebra node operators improve to 4.4.1 as quickly as attainable, notably as a result of consensus vulnerabilities described above. There aren’t any recognized workarounds — upgrading is the one manner to make sure your node stays on the right chain and is protected in opposition to the problems listed on this launch. Yow will discover the discharge on GitHub.
Thank You to Our Contributors
This launch was made attainable by the work of @alchemydc, @arya2, @conradoplg, @daira, @gustavovalverde, @mpguerra, @oxarbitrage, @schell, and @upbqdn. Thanks in your continued contributions to Zebra.
Zebra is the Zcash Basis’s unbiased, Rust-based implementation of the Zcash protocol. Be taught extra at github.com/ZcashFoundation/zebra.