We're releasing Zebra 4.4.1 today. This release includes a fix for a consensus-critical security vulnerability, and we strongly encourage all node operators to upgrade immediately. You can update directly to it if you have not updated for the last couple of releases.
Note that the 4.4.0 release was just three days ago. If you have already upgraded, unfortunately you will need to upgrade again.
Security Advisories
GHSA-pvmv-cwg8-v6c8: Zebra still accepts V5 SIGHASH_SINGLE with no corresponding output
Zebra failed to enforce a ZIP-244 consensus rule for V5 transparent transactions: when an input is signed with SIGHASH_SINGLE and there is no transparent output at the same index as that input, validation must fail. Zebra instead asked the underlying sighash library to compute a digest, and that library produced a digest over an empty output set rather than failing. An attacker could craft a V5 transaction with more transparent inputs than outputs that Zebra accepts but zcashd rejects, creating a consensus split between Zebra and zcashd nodes.
A previous fix (GHSA-cwfq-rfcr-8hmp) addressed a closely related case in the same area of the code, but did not cover this specific one.
Thanks to @sangsoo-osec, @zmanian, and @fivelittleducks for reporting the issue.
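The rule above as a pre-check, in an added example that is not Zebra's code or the sighash library's API: every type and function name is hypothetical, outputs are toy byte strings, and other hash_type validity checks are out of scope. The lenient function models a selection step that falls back to an empty output set; the strict one rejects the input before any digest is computed.

```rust
// Added illustration. All names are hypothetical; this is not Zebra's code.
const SIGHASH_NONE: u8 = 0x02;
const SIGHASH_SINGLE: u8 = 0x03;
const SIGHASH_ANYONECANPAY: u8 = 0x80;

/// Toy stand-in for one serialized transparent output.
pub type Output = Vec<u8>;

#[derive(Debug, PartialEq)]
pub enum SighashError {
    SingleWithoutCorrespondingOutput { input_index: usize, output_count: usize },
}

/// Lenient selection of the outputs a signature commits to. A missing
/// output silently becomes an empty set, the behaviour the advisory describes.
pub fn outputs_to_hash_lenient(hash_type: u8, input_index: usize, outputs: &[Output]) -> &[Output] {
    match hash_type & !SIGHASH_ANYONECANPAY {
        SIGHASH_SINGLE => outputs.get(input_index..=input_index).unwrap_or(&outputs[..0]),
        SIGHASH_NONE => &outputs[..0],
        _ => outputs,
    }
}

/// Strict selection: enforce the rule before any digest is computed.
pub fn outputs_to_hash_strict(
    hash_type: u8,
    input_index: usize,
    outputs: &[Output],
) -> Result<&[Output], SighashError> {
    let is_single = (hash_type & !SIGHASH_ANYONECANPAY) == SIGHASH_SINGLE;
    if is_single && input_index >= outputs.len() {
        return Err(SighashError::SingleWithoutCorrespondingOutput {
            input_index,
            output_count: outputs.len(),
        });
    }
    Ok(outputs_to_hash_lenient(hash_type, input_index, outputs))
}

fn main() {
    // Constructed sample: two transparent inputs, one transparent output.
    let outputs: Vec<Output> = vec![vec![0xAA, 0xBB]];
    for input_index in 0..2 {
        let lenient = outputs_to_hash_lenient(SIGHASH_SINGLE, input_index, &outputs);
        let strict = outputs_to_hash_strict(SIGHASH_SINGLE, input_index, &outputs);
        println!("input {input_index}: lenient={lenient:?} strict={strict:?}");
    }
}
```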
Upgrading
We strongly recommend all Zebra node operators upgrade to 4.4.1 as soon as possible, particularly due to the consensus vulnerabilities described above. There are no known workarounds; upgrading is the only way to ensure your node stays on the correct chain and is protected against the issues listed in this release. You can find the release on GitHub.
Thank You to Our Contributors
This release was made possible by the work of @alchemydc, @arya2, @conradoplg, @daira, @gustavovalverde, @mpguerra, @oxarbitrage, @schell, and @upbqdn. Thank you for your continued contributions to Zebra.
Zebra is the Zcash Foundation's independent, Rust-based implementation of the Zcash protocol. Learn more at github.com/ZcashFoundation/zebra.
