build(deps): bump github.com/tendermint/tendermint from 0.34.3 to 0.34.7 (#367)

Bumps [github.com/tendermint/tendermint](https://github.com/tendermint/tendermint) from 0.34.3 to 0.34.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/tendermint/tendermint/releases">github.com/tendermint/tendermint's releases</a>.</em></p>
<blockquote>
<h2>0.34.7 (WARNING: BETA SOFTWARE)</h2>
<p><a href="https://github.com/tendermint/tendermint/blob/v0.34.7/CHANGELOG.md#v0.34.7">https://github.com/tendermint/tendermint/blob/v0.34.7/CHANGELOG.md#v0.34.7</a></p>
<h2>0.34.4 (WARNING: BETA SOFTWARE)</h2>
<p><a href="https://github.com/tendermint/tendermint/blob/v0.34.4/CHANGELOG.md#v0.34.4">https://github.com/tendermint/tendermint/blob/v0.34.4/CHANGELOG.md#v0.34.4</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/tendermint/tendermint/blob/v0.34.7/CHANGELOG.md">github.com/tendermint/tendermint's changelog</a>.</em></p>
<blockquote>
<h2>v0.34.7</h2>
<p><em>February 18, 2021</em></p>
<p>This release fixes a downstream security issue which impacts Cosmos SDK
users who are:</p>
<ul>
<li>Using Cosmos SDK v0.40.0 or later, AND</li>
<li>Running validator nodes, AND</li>
<li>Using the file-based <code>FilePV</code> implementation for their consensus keys</li>
</ul>
<p>Users who fulfill all the above criteria were susceptible to leaking
private key material in the logs. All other users are unaffected.</p>
<p>The root cause was a discrepancy
between the Tendermint Core (untyped) logger and the Cosmos SDK (typed) logger:
Tendermint Core's logger automatically stringifies Go interfaces whenever possible;
however, the Cosmos SDK's logger uses reflection to log the fields within a Go interface.</p>
<p>The introduction of the typed logger meant that previously un-logged fields within
interfaces are now sometimes logged, including the private key material inside the
<code>FilePV</code> struct.</p>
<p>Tendermint Core v0.34.7 fixes this issue; however, we strongly recommend that all validators
use remote signer implementations instead of <code>FilePV</code> in production.</p>
<p>Thank you to <a href="https://github.com/joe-bowman"><code>@joe-bowman</code></a> for his assistance with this vulnerability and a particular
shout-out to <a href="https://github.com/marbar3778"><code>@marbar3778</code></a> for diagnosing it quickly.</p>
<p>Friendly reminder: We have a <a href="https://hackerone.com/tendermint">bug bounty program</a>.</p>
<h3>BUG FIXES</h3>
<ul>
<li>[consensus] <a href="https://github-redirect.dependabot.com/tendermint/tendermint/pull/6128">#6128</a> Remove privValidator from log call (<a href="https://github.com/tessr"><code>@tessr</code></a>)</li>
</ul>
<h2>v0.34.6</h2>
<p><em>February 18, 2021</em></p>
<p><em>Tendermint Core v0.34.5 and v0.34.6 have been recalled due to build tooling problems.</em></p>
<h2>v0.34.4</h2>
<p><em>February 11, 2021</em></p>
<p>This release includes a fix for a memory leak in the evidence reactor (see <a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6068">#6068</a>, below).
All Tendermint clients are recommended to upgrade.
Thank you to our friends at Crypto.com for the initial report of this memory leak!</p>
<p>Special thanks to other external contributors on this release: <a href="https://github.com/yayajacky"><code>@yayajacky</code></a>, <a href="https://github.com/odidev"><code>@odidev</code></a>, <a href="https://github.com/laniehei"><code>@laniehei</code></a>, and <a href="https://github.com/c29r3"><code>@c29r3</code></a>!</p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/tendermint/tendermint/commit/15eb2c22118fb3587e408cf6e7f5edbf5190d719"><code>15eb2c2</code></a> .goreleaser: remove arm64 build instructions and bump changelog again (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6131">#6131</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/e4d2893ff6a17d4f232967855a319de1fd7bd99b"><code>e4d2893</code></a> changelog: bump to v0.34.6</li>
<li><a href="https://github.com/tendermint/tendermint/commit/afd07096a7a33ea88fbdb316f05c4d09cbcdf2d3"><code>afd0709</code></a> Revert &quot;tooling: remove tools/Makefile (bp <a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6102">#6102</a>) (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6106">#6106</a>)&quot;</li>
<li><a href="https://github.com/tendermint/tendermint/commit/340071d81bb04a9129c58890c2c5e78bbe23d861"><code>340071d</code></a> changelog: update for 0.34.5 (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6129">#6129</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/53d40e1092007fbd4484ef9cc2509263bfc0a353"><code>53d40e1</code></a> consensus: remove privValidator from log call (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6128">#6128</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/bedb00d25229639793e86d741db4e2f6f576ab63"><code>bedb00d</code></a> consensus: Groom Logs (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/5917">#5917</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/1030072dd022c2829ae6fbb3a58c15aabf733bd9"><code>1030072</code></a> changelog: update 0.34.3 changelog with details on security vuln (bp <a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6108">#6108</a>) (...</li>
<li><a href="https://github.com/tendermint/tendermint/commit/1b2174a0da832c6b31ae5a0fd61b0d1655888675"><code>1b2174a</code></a> tooling: remove tools/Makefile (bp <a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6102">#6102</a>) (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6106">#6106</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/6bac9d9f435fa1e8c494dfcd77f762e2d3b2e420"><code>6bac9d9</code></a> makefile: remove call to tools (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6104">#6104</a>)</li>
<li><a href="https://github.com/tendermint/tendermint/commit/5efbbab7899041b2986504284e12a370a6ab99be"><code>5efbbab</code></a> changelog: improve with suggestions from <a href="https://github.com/melekes"><code>@melekes</code></a> (<a href="https://github-redirect.dependabot.com/tendermint/tendermint/issues/6097">#6097</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/tendermint/tendermint/compare/v0.34.3...v0.34.7">compare view</a></li>
</ul>
</details>
<br />


dependabot[bot] committed Feb 19, 2021
1 parent 7778b50 commit d8930a1
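
The logger discrepancy described in the v0.34.7 changelog entry above, as an added Go example that is not code from Tendermint, the Cosmos SDK or this commit. `signerKey`, `redactedKey` and the helper functions are hypothetical; `fmt`'s `%v` stands in for the stringifying logger, `encoding/json` for the reflection-based one, and the key bytes are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// signerKey is a hypothetical stand-in for a file-backed validator key.
type signerKey struct {
	Address string
	PrivKey []byte // constructed sample bytes, never a real key
}

// String is all that a stringifying logger will ever print.
func (k signerKey) String() string { return "signerKey{" + k.Address + "}" }

// redactedKey carries the same data but hides the secret from field walkers.
type redactedKey struct {
	Address string
	PrivKey []byte `json:"-"`
}

// logStringified models an untyped logger: %v calls String(), fields stay hidden.
func logStringified(v interface{}) string { return fmt.Sprintf("privValidator=%v", v) }

// logReflected models a typed logger; encoding/json walks exported fields and ignores String().
func logReflected(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		return "privValidator=<unencodable>"
	}
	return "privValidator=" + string(b)
}

// leaks reports whether the secret appears in a log line, raw or base64-encoded.
func leaks(line string, secret []byte) bool {
	return strings.Contains(line, string(secret)) ||
		strings.Contains(line, base64.StdEncoding.EncodeToString(secret))
}

func main() {
	secret := []byte("constructed-secret-bytes")
	k := signerKey{Address: "A1B2", PrivKey: secret}
	fmt.Println(logStringified(k), leaks(logStringified(k), secret))
	fmt.Println(logReflected(k), leaks(logReflected(k), secret))
	fmt.Println(logReflected(redactedKey{Address: "A1B2", PrivKey: secret}))
}
```

The changelog's own fix was to drop the value from the log call; the `json:"-"` tag here is a second, type-level guard shown for comparison.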
Showing 2 changed files with 10 additions and 4 deletions.
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -11,8 +11,8 @@ require (
github.com/grpc-ecosystem/grpc-gateway v1.16.0
github.com/pkg/errors v0.9.1
github.com/stretchr/testify v1.7.0
github.com/tendermint/tendermint v0.34.3
github.com/tendermint/tm-db v0.6.3
github.com/tendermint/tendermint v0.34.7
github.com/tendermint/tm-db v0.6.4
golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9
google.golang.org/genproto v0.0.0-20201119123407-9b1e624d6bc4
google.golang.org/grpc v1.35.0
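Review bot: The `github.com/tendermint/tm-db` requirement in this hunk moves from v0.6.3 to v0.6.4 together with tendermint, but the commit title and the quoted changelog cover only tendermint 0.34.3 to 0.34.7. Suggest naming the tm-db bump in the commit message and checking its changelog before merge. Separately, the quoted release notes describe private key material reaching logs for validators using `FilePV` on Cosmos SDK v0.40.0 or later; if this module is deployed that way, the PR should record that existing logs were reviewed, since the version bump only changes what is logged from now on.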
10 changes: 8 additions & 2 deletions go.sum
Expand Up @@ -86,6 +86,7 @@ github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfc
github.com/cosmos/go-bip39 v0.0.0-20180819234021-555e2067c45d/go.mod h1:tSxLoYXyBmiFeKpvmq4dzayMdCjCnu8uqmCysIGBT2Y=
github.com/cosmos/iavl v0.15.0-rc3.0.20201009144442-230e9bdf52cd/go.mod h1:3xOIaNNX19p0QrX0VqWa6voPRoJRGGYtny+DH8NEPvE=
github.com/cosmos/iavl v0.15.0-rc5/go.mod h1:WqoPL9yPTQ85QBMT45OOUzPxG/U/JcJoN7uMjgxke/I=
github.com/cosmos/iavl v0.15.3/go.mod h1:OLjQiAQ4fGD2KDZooyJG9yz+p2ao2IAYSbke8mVvSA4=
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
Expand Down Expand Up @@ -395,6 +396,8 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb
github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
github.com/sasha-s/go-deadlock v0.2.0 h1:lMqc+fUb7RrFS3gQLtoQsJ7/6TV/pAIFvBsqX73DK8Y=
github.com/sasha-s/go-deadlock v0.2.0/go.mod h1:StQn567HiB1fF2yJ44N9au7wOhrPS3iZqiDbRupzT10=
github.com/sasha-s/go-deadlock v0.2.1-0.20190427202633-1595213edefa h1:0U2s5loxrTy6/VgfVoLuVLFJcURKLH49ie0zSch7gh4=
github.com/sasha-s/go-deadlock v0.2.1-0.20190427202633-1595213edefa/go.mod h1:F73l+cr82YSh10GxyRI6qZiCgK64VaZjwesgfQ1/iLM=
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
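Review bot: The two `github.com/sasha-s/go-deadlock v0.2.1-0.20190427202633-1595213edefa` lines in this hunk put a pseudo-version (an untagged commit) into go.sum next to the tagged v0.2.0, and nothing in the commit message says which requirement brings it in. Suggest running `go mod graph` to confirm it arrives through the bumped tendermint or tm-db versions and noting the result in the PR.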
Expand Down Expand Up @@ -444,12 +447,15 @@ github.com/tendermint/tendermint v0.34.0-rc4 h1:fnPyDFz9QGAU6tjExoQ8ZY63eHkzdBg5
github.com/tendermint/tendermint v0.34.0-rc4/go.mod h1:yotsojf2C1QBOw4dZrTcxbyxmPUrT4hNuOQWX9XUwB4=
github.com/tendermint/tendermint v0.34.0-rc6 h1:SVuKGvvE22KxfuK8QUHctUrmOWJsncZSYXIYtcnoKN0=
github.com/tendermint/tendermint v0.34.0-rc6/go.mod h1:ugzyZO5foutZImv0Iyx/gOFCX6mjJTgbLHTwi17VDVg=
github.com/tendermint/tendermint v0.34.3 h1:9yEsf3WO5VAwPVwrmM+RffDMiijmNfWaBwNttHm0q5w=
github.com/tendermint/tendermint v0.34.3/go.mod h1:h57vnXeOlrdvvNFCqPBSaOrpOivl+2swWEtlUAqStYE=
github.com/tendermint/tendermint v0.34.0/go.mod h1:Aj3PIipBFSNO21r+Lq3TtzQ+uKESxkbA3yo/INM4QwQ=
github.com/tendermint/tendermint v0.34.7 h1:lvBJFNqpDuEzKfLZKtUXOL5dMOpqHonHlO6LCujyl6E=
github.com/tendermint/tendermint v0.34.7/go.mod h1:JVuu3V1ZexOaZG8VJMRl8lnfrGw6hEB2TVnoUwKRbss=
github.com/tendermint/tm-db v0.6.2 h1:DOn8jwCdjJblrCFJbtonEIPD1IuJWpbRUUdR8GWE4RM=
github.com/tendermint/tm-db v0.6.2/go.mod h1:GYtQ67SUvATOcoY8/+x6ylk8Qo02BQyLrAs+yAcLvGI=
github.com/tendermint/tm-db v0.6.3 h1:ZkhQcKnB8/2jr5EaZwGndN4owkPsGezW2fSisS9zGbg=
github.com/tendermint/tm-db v0.6.3/go.mod h1:lfA1dL9/Y/Y8wwyPp2NMLyn5P5Ptr/gvDFNWtrCWSf8=
github.com/tendermint/tm-db v0.6.4 h1:3N2jlnYQkXNQclQwd/eKV/NzlqPlfK21cpRRIx80XXQ=
github.com/tendermint/tm-db v0.6.4/go.mod h1:dptYhIpJ2M5kUuenLr+Yyf3zQOv1SgBZcl8/BmWlMBw=
github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
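Review bot: The `h1:` and `/go.mod` hashes for tendermint v0.34.7 and tm-db v0.6.4 in this hunk are accepted as the bot wrote them, and the tm-db v0.6.3 entries remain although go.mod no longer requires that version. Suggest that CI build from a clean module cache with `-mod=readonly`, so a mismatch between these hashes and the downloaded modules fails the build, and run `go mod tidy` to confirm the remaining v0.6.3 lines are still needed by another module in the graph.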