build(deps): bump github.com/tendermint/tendermint from 0.34.3 to 0.34.7 (#367)

Bumps [github.com/tendermint/tendermint](https://github.com/tendermint/tendermint) from 0.34.3 to 0.34.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/tendermint/tendermint/releases">github.com/tendermint/tendermint's releases</a>.</em></p>
<blockquote>
<h2>0.34.7 (WARNING: BETA SOFTWARE)</h2>
<p><a href="https://github.com/tendermint/tendermint/blob/v0.34.7/CHANGELOG.md#v0.34.7">https://github.com/tendermint/tendermint/blob/v0.34.7/CHANGELOG.md#v0.34.7</a></p>
<h2>0.34.4 (WARNING: BETA SOFTWARE)</h2>
<p><a href="https://github.com/tendermint/tendermint/blob/v0.34.4/CHANGELOG.md#v0.34.4">https://github.com/tendermint/tendermint/blob/v0.34.4/CHANGELOG.md#v0.34.4</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/tendermint/tendermint/blob/v0.34.7/CHANGELOG.md">github.com/tendermint/tendermint's changelog</a>.</em></p>
<blockquote>
<h2>v0.34.7</h2>
<p><em>February 18, 2021</em></p>
<p>This release fixes a downstream security issue which impacts Cosmos SDK users who are:</p>
<ul>
<li>Using Cosmos SDK v0.40.0 or later, AND</li>
<li>Running validator nodes, AND</li>
<li>Using the file-based <code>FilePV</code> implementation for their consensus keys</li>
</ul>
<p>Users who fulfill all the above criteria were susceptible to leaking private key material in the logs. All other users are unaffected.</p>
<p>The root cause was a discrepancy between the Tendermint Core (untyped) logger and the Cosmos SDK (typed) logger: Tendermint Core's logger automatically stringifies Go interfaces whenever possible; however, the Cosmos SDK's logger uses reflection to log the fields within a Go interface.</p>
<p>The introduction of the typed logger meant that previously un-logged fields within interfaces are now sometimes logged, including the private key material inside the <code>FilePV</code> struct.</p>
<p>Tendermint Core v0.34.7 fixes this issue; however, we strongly recommend that all validators use remote signer implementations instead of <code>FilePV</code> in production.</p>
<p>Thank you to <a href="https://github.com/joe-bowman"><code>@joe-bowman</code></a> for his assistance with this vulnerability and a particular shout-out to <a href="https://github.com/marbar3778"><code>@marbar3778</code></a> for diagnosing it quickly.</p>
<p>Friendly reminder: We have a <a href="https://hackerone.com/tendermint">bug bounty program</a>.</p>
<h3>BUG FIXES</h3>
<ul>
<li>[consensus] <a href="https://github-redirect.dependabot.com/tendermint/tendermint/pull/6128">#6128</a> Remove privValidator from log call (<a href="https://github.com/tessr"><code>@tessr</code></a>)</li>
</ul>
<h2>v0.34.6</h2>
<p><em>February 18, 2021</em></p>
<p><em>Tendermint Core v0.34.5 and v0.34.6 have been recalled due to build tooling problems.</em></p>
<h2>v0.34.4</h2>
<p><em>February 11, 2021</em></p>
<p>This release includes a fix for a memory leak in the evidence reactor (see <a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6068">#6068</a>, below). All Tendermint clients are recommended to upgrade. Thank you to our friends at Crypto.com for the initial report of this memory leak!</p>
<p>Special thanks to other external contributors on this release: <a href="https://github.com/yayajacky"><code>@yayajacky</code></a>, <a href="https://github.com/odidev"><code>@odidev</code></a>, <a href="https://github.com/laniehei"><code>@laniehei</code></a>, and <a href="https://github.com/c29r3"><code>@c29r3</code></a>!</p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/tendermint/tendermint/commit/15eb2c22118fb3587e408cf6e7f5edbf5190d719"><code>15eb2c2</code></a> .goreleaser: remove arm64 build instructions and bump changelog again (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6131">#6131</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/e4d2893ff6a17d4f232967855a319de1fd7bd99b"><code>e4d2893</code></a> changelog: bump to v0.34.6</li>
<li><a href="https://github.com/tendermint/tendermint/commit/afd07096a7a33ea88fbdb316f05c4d09cbcdf2d3"><code>afd0709</code></a> Revert "tooling: remove tools/Makefile (bp <a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6102">#6102</a>) (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6106">#6106</a>)"</li>
<li><a href="https://github.com/tendermint/tendermint/commit/340071d81bb04a9129c58890c2c5e78bbe23d861"><code>340071d</code></a> changelog: update for 0.34.5 (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6129">#6129</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/53d40e1092007fbd4484ef9cc2509263bfc0a353"><code>53d40e1</code></a> consensus: remove privValidator from log call (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6128">#6128</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/bedb00d25229639793e86d741db4e2f6f576ab63"><code>bedb00d</code></a> consensus: Groom Logs (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/5917">#5917</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/1030072dd022c2829ae6fbb3a58c15aabf733bd9"><code>1030072</code></a> changelog: update 0.34.3 changelog with details on security vuln (bp <a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6108">#6108</a>) (...</li>
<li><a href="https://github.com/tendermint/tendermint/commit/1b2174a0da832c6b31ae5a0fd61b0d1655888675"><code>1b2174a</code></a> tooling: remove tools/Makefile (bp <a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6102">#6102</a>) (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6106">#6106</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/6bac9d9f435fa1e8c494dfcd77f762e2d3b2e420"><code>6bac9d9</code></a> makefile: remove call to tools (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6104">#6104</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/5efbbab7899041b2986504284e12a370a6ab99be"><code>5efbbab</code></a> changelog: improve with suggestions from <a href="https://github.com/melekes"><code>@melekes</code></a> (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6097">#6097</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/tendermint/tendermint/compare/v0.34.3...v0.34.7">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/tendermint/tendermint&package-manager=go_modules&previous-version=0.34.3&new-version=0.34.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
</details>
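The logger discrepancy described in the v0.34.7 changelog above, as an added Go example that is not Tendermint's or the Cosmos SDK's code: a stand-in signer struct is rendered by a logger that honours fmt.Stringer and by one that walks its fields with reflection, a check flags which rendered line contains the key bytes, and the mitigation the fix takes (log the address, never the signer struct) is shown beside them. filePV, logStringify, logReflect, leaksKey and logAddressOnly are hypothetical names, and the key bytes are constructed sample data.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// filePV stands in for a file-backed signer (hypothetical, not Tendermint's
// FilePV): the private key sits in an exported field next to harmless metadata.
type filePV struct {
	Address string
	PrivKey []byte // constructed sample bytes, set in main and the tests
}
// String is what a stringifying logger uses for a fmt.Stringer; it redacts the key.
func (pv filePV) String() string {
	return fmt.Sprintf("FilePV{Address:%s PrivKey:<redacted>}", pv.Address)
}
// logStringify models the untyped logger: %v honours String(), so the redaction holds.
func logStringify(key string, v interface{}) string {
	return fmt.Sprintf("%s=%v", key, v)
}
// logReflect models a typed logger that walks exported fields by reflection;
// String() is never consulted, so every field, the key included, is emitted.
func logReflect(key string, v interface{}) string {
	rv := reflect.ValueOf(v)
	fields := make([]string, 0, rv.NumField())
	for i := 0; i < rv.NumField(); i++ {
		fields = append(fields, fmt.Sprintf("%s:%v", rv.Type().Field(i).Name, rv.Field(i).Interface()))
	}
	return fmt.Sprintf("%s={%s}", key, strings.Join(fields, " "))
}

// leaksKey is the detection check: does the log line contain the key as %v prints it?
func leaksKey(line string, pv filePV) bool {
	return strings.Contains(line, fmt.Sprintf("%v", pv.PrivKey))
}

// logAddressOnly is the mitigation the fix takes: hand the logger a primitive
// (the address), never the signer struct, so no logger can reach the key.
func logAddressOnly(pv filePV) string {
	return logReflect("validator", struct{ Address string }{pv.Address})
}

func main() {
	pv := filePV{Address: "A1B2C3", PrivKey: []byte{0xde, 0xad, 0xbe, 0xef}}
	for _, line := range []string{logStringify("pv", pv), logReflect("pv", pv), logAddressOnly(pv)} {
		fmt.Printf("%-50s leak=%v\n", line, leaksKey(line, pv))
	}
}
```

Only the reflection-walking logger handed the whole struct reproduces the key; the same logger given just the address does not, which is why removing the struct from the log call closes the issue regardless of which logger a downstream project wires in.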