State syncing validator from malicious node may lead to a chain split #1468
rootulp added the T:dependencies (Type: Pull requests that update a dependency file) label Sep 4, 2024
I'm going to try and merge v0.34.35 into v0.34.x-celestia. If that proves difficult, I'll cherry-pick the commits that resolve the security advisory.
rootulp pushed a commit to rootulp/celestia-core that referenced this issue Sep 20, 2024
Otherwise, the events from app's BeginBlock won't be fired.

Closes celestiaorg#1468

Co-authored-by: forcodedancing <[email protected]>
Co-authored-by: Andy Nogueira <[email protected]>
rootulp added a commit that referenced this issue Sep 30, 2024
Closes #1468 by pulling upstream [v0.34.35](https://github.com/cometbft/cometbft/releases/tag/v0.34.35) with these notable merge conflicts:

- Our repo upgraded Go past what upstream has so I choose to retain the more recent Go version

And these changes to make unit tests pass:

1. Refactor CI to run all tests in one execution. It takes the same time ([4 mins](https://github.com/celestiaorg/celestia-core/actions/runs/11038290102/job/30661243408?pr=1495)) as it [previously did](https://github.com/celestiaorg/celestia-core/actions/runs/10956425121). But now it's easier to reason about the flakes.
2. Included #1503
3. Included #1501

## FLUPs

1. #1504
2. Opens #1502 and skips that test

## Testing

I used go mod replace and verified that celestia-app can use this version of celestia-core.

- [x] `single-node.sh`
- [x] `mocha.sh`

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Thane Thomson <[email protected]>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Sergio Mena <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jasmina Malicevic <[email protected]>
Co-authored-by: Lasaro <[email protected]>
Co-authored-by: Thane Thomson <[email protected]>
Co-authored-by: mmsqe <[email protected]>
Co-authored-by: yihuang <[email protected]>
Co-authored-by: Steven Ferrer <[email protected]>
Co-authored-by: Chill Validation <[email protected]>
Co-authored-by: Aliasgar Merchant <[email protected]>
Co-authored-by: Philip Offtermatt <[email protected]>
Co-authored-by: Daniel <[email protected]>
Co-authored-by: Hernán Vanzetto <[email protected]>
Co-authored-by: Adi Seredinschi <[email protected]>
Co-authored-by: Ethan Buchman <[email protected]>
Co-authored-by: Andy Nogueira <[email protected]>
Co-authored-by: Anton Kaliaev <[email protected]>
Co-authored-by: Troy Kessler <[email protected]>
Co-authored-by: forcodedancing <[email protected]>
Co-authored-by: Mikhail Zabaluev <[email protected]>
Co-authored-by: Alexsandro <[email protected]>
Co-authored-by: Alessandro <[email protected]>
Co-authored-by: Jacob Gadikian <[email protected]>
rach-id pushed a commit that referenced this issue Nov 18, 2024
Context
GHSA-g5xx-c4hv-9ccc
Problem
There is a security vulnerability with state sync
Proposal
Pull upstream changes from https://github.com/cometbft/cometbft/releases/tag/v0.34.34