We’re releasing Zebra 4.4.1 at this time. This launch accommodates a repair for a consensus-critical safety vulnerability, and we strongly encourage all node operators to improve instantly. You’ll be able to replace on to it you probably have not up to date for the final couple of releases.
Be aware that the 4.4.0 launch was simply three days in the past. In case you have already upgraded, sadly you will want to improve once more.
Safety Advisories
GHSA-pvmv-cwg8-v6c8: Zebra nonetheless accepts V5 SIGHASH_SINGLE with no corresponding output
Zebra didn’t implement a ZIP-244 consensus rule for V5 clear transactions: when an enter is signed with SIGHASH_SINGLE and there’s no clear output on the identical index as that enter, validation should fail. Zebra as a substitute requested the underlying sighash library to compute a digest, and that library produced a digest over an empty output set quite than failing. An attacker might craft a V5 transaction with extra clear inputs than outputs that Zebra accepts however zcashd rejects, making a consensus cut up between Zebra and zcashd nodes.
A earlier repair (GHSA-cwfq-rfcr-8hmp) addressed a intently associated case in the identical space of the code, however didn’t cowl this particular one.
Due to @sangsoo-osec, @zmanian, and @fivelittleducks for reporting the problem.
Upgrading
We strongly advocate all Zebra node operators improve to 4.4.1 as quickly as attainable, significantly as a result of consensus vulnerabilities described above. There aren’t any identified workarounds — upgrading is the one manner to make sure your node stays on the right chain and is protected in opposition to the problems listed on this launch. Yow will discover the discharge on GitHub.
Thank You to Our Contributors
This launch was made attainable by the work of @alchemydc, @arya2, @conradoplg, @daira, @gustavovalverde, @mpguerra, @oxarbitrage, @schell, and @upbqdn. Thanks in your continued contributions to Zebra.
Zebra is the Zcash Basis’s unbiased, Rust-based implementation of the Zcash protocol. Study extra at github.com/ZcashFoundation/zebra.
