We’re releasing Zebra 4.5.1 at the moment. This launch accommodates a repair for a consensus-critical safety vulnerability, and we strongly encourage all node operators to improve instantly.
Be aware that 4.5.0 was launched yesterday, so when you have simply up to date, sadly you’ll need to replace once more.
Safety Advisories
GHSA-2prc-cj5x-4443: P2SH Sigop Undercount Not Accurately Fastened (Essential)
The repair for GHSA-gf9r-m956-97qx was not right; the sigop counting was fastened by switching to a pure C++ implementation which ought to match zcashd implementation. Nevertheless the actual operate used counted sigops in “legacy” mode, however for consensus, an correct rely is required. Thus the potential of a consensus divergence nonetheless existed.
We fastened this by reverting to the Rust implementation beforehand used, however fastened the unique discrepancy that it had (it stopped counting sigops when it encountered a disabled opcode, but it surely ought to maintain counting).
Due to @sangsoo-osec for reporting this situation.
Upgrading
We strongly advocate all Zebra node operators improve to 4.5.1 as quickly as potential, as a result of consensus vulnerability described above. There are not any recognized workarounds — upgrading is the one means to make sure your node stays on the proper chain and is protected in opposition to the problems listed on this launch. Yow will discover the discharge on GitHub.
Acknowledgments
Thanks @sangsoo-osec for shortly figuring out the problem.
Zebra is the Zcash Basis’s unbiased, Rust-based implementation of the Zcash protocol. Be taught extra at github.com/ZcashFoundation/zebra.
