@jchung00 released this Feb 20, 2019

This release contains critical security fixes and fixes that affect the successful build of nodeos on fresh VMs.

Changes
(EOSIO#6721) Fix boost 1.67 brew install
(EOSIO#6724) Set proper directory for baked in macOS LLVM_DIR
(EOSIO#6729) Add buildkite step to gather brew files for automatic update
(EOSIO#6742) added memo to base_tester::issue
(EOSIO#6759) add noninteractive option for build scripts - 1.6.x
(EOSIO#6771) Don't unlink what we install via brew - 1.6.x
(EOSIO#6777) Make sure python-devel is installed for amazon linux builds - 1.6.x
(EOSIO#6783) limit assert 1.6.x

@jchung00 released this Feb 12, 2019

This release comprises critical security fixes

Changes
Consolidated Security Fixes
net_plugin security fixes
Additional checktime calls to limit cpu usage
Limit memory usage in producer_plugin

@jchung00 released this Jan 16, 2019

This release comprises several additional features and fixes, in addition to the cumulative patches made against v1.5.

A blog post providing more information can be found here.

Important Notices
Synchronizing Sub-Module Changes
As part of this release, some of the URLs have changed for the submodules this git repository depends on. Users who are fetching updates into a pre-existing clone of the repository are strongly encouraged to execute git submodule sync to ensure that their workflow is not interrupted.

Users who clone a fresh copy of the repository do not need to perform this additional step.

Deprecation and Removal Notices
None

Changes
(EOSIO#6612) Restricting Processing Time for Scheduled Transactions
The patches introduce a new configuration parameter, max-scheduled-transaction-time-per-block-ms, which defaults to 100 and determines the maximum wall-clock time a node will spend retiring scheduled transactions before processing user-signed transactions.

For more information about the motivation for this change refer to this blog post about CVE-2019-6199.

Various Performance Improvements
Several of the PRs in this release contribute to the overall goal of increasing the efficiency of the peer-to-peer networking layer and real-time transaction throughput. Internal benchmarks show considerable increases in token-transfers-per-second as a result. While this does not represent real-world usage, it does suggest that there will be noticeable improvements to transactions per second, reductions in the billable CPU time for transactions, and lower latency for block propagation.

(EOSIO#6496) NOTICE: State History Plugin Fix
This was included in Release v1.5.2; however, that release's proximity to this release candidate warrants re-mentioning the following:

Serialization for permission_object failed when both it and its parent were deleted. This happened in block 31700785 of the mainnet.

If you are running the state history plugin AND have proceeded past a block with this condition, then you'll need to restore from a snapshot made prior to that block to continue.

Other Changes
(EOSIO#6372) Net plugin cleanup
(EOSIO#6370) Fix requires in spec file to resolve dependency resolution issues with rpms
(EOSIO#6397) net_plugin reduce signed_block copies
(EOSIO#6398) Update buildkite pipeline to use new queues
(EOSIO#6400) Add community plugin links
(EOSIO#6401) Stop the unix_server from listening in shutdown stage as well.
(EOSIO#6436) Use 64-bit float printing of 128-bit floats on non x86_64
(EOSIO#6435) remove x86_64 arch dep specification on AMI2 build script
(EOSIO#6459) Allow disablement of net_plugin's listen socket
(EOSIO#6430) add a test that reduces the size of the producer set
(EOSIO#6426) Reflect Validation Script
(EOSIO#6470) Update the bios-boot-tutorial.py script and readme.md
(EOSIO#6485) Spelling correction
(EOSIO#6419) Update LICENSE path
(EOSIO#6498) Fix cluster writes for mongo DB
(EOSIO#6500) Fix return codes of build scripts so that buildkite can fail properly
(EOSIO#6490) Return 400 on get_block with nonexist block number
(EOSIO#6499) mongo_db_plugin action_trace indexes
(EOSIO#6471) Optimize transaction signature recovery
(EOSIO#6501) optimization when writing shared_blob data
(EOSIO#6494) packed_transaction enhancement
(EOSIO#6549) Consolidated Security Fixes for 1.6.0-rc2
(EOSIO#6555) update developer portal link
(EOSIO#6596) Use https url for wabt submodule
(EOSIO#6612) Build WABT with support for C++ exceptions.
(EOSIO#6600) Add libtinfo5 dependency to deb package.
Thanks!
Special thanks to the community contributors that submitted patches for this release:

@conr2d
@evsward
@necokeine
@iamveritas
@UMU618
Special thanks to PeckShield for their work related to CVE-2019-6199

@jchung00 released this Dec 17, 2018

Mitigations
Use of Un-satisfied Authorizations in Self-addressed Actions and Transactions
This release contains subjective mitigations that will disallow any inline action or deferred transaction sent by a contract to itself that does not meet the following criteria:

For Self-Addressed Deferred Transactions
Only allow authorizations that:
  are satisfiable by eosio.code
  AND meet the minimum permission of the action as linked by the actor present in the authorization

For Self-Addressed Inline Actions Sent From Direct Actions
Only allow authorizations that:
  are satisfiable by eosio.code OR are present in the parent action
  AND meet the minimum permission of the action as linked by the actor present in the authorization

For Self-Addressed Inline Actions Sent From Recipient Handlers
Only allow authorizations that:
  are satisfiable by eosio.code
  AND meet the minimum permission of the action as linked by the actor present in the authorization

Inline actions and deferred transactions sent to any other contract are unaffected by this change and remain secure.

Contract authors are advised to audit their code for instances where self-addressed inline actions and deferred transactions with improper authorizations may have slipped through as those contracts will no longer function properly.
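
The criteria above as a small audit check that classifies each authorization on a sent action; this is an added example, not EOSIO code. It assumes the caller has already worked out which authorizations eosio.code can satisfy and which meet the linked minimum permission; the `SentAction` type and the account names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class Origin(Enum):
    DEFERRED = "self-addressed deferred transaction"
    INLINE_FROM_DIRECT = "inline action sent from a direct action"
    INLINE_FROM_RECIPIENT = "inline action sent from a recipient handler"

@dataclass(frozen=True)
class SentAction:
    sender: str               # contract that sends the action
    target: str               # contract the action is addressed to
    origin: Origin
    auths: tuple              # (actor, permission) pairs on the sent action
    parent_auths: tuple = ()  # authorizations present on the parent action

def rejected_auths(action, code_satisfiable, meets_minimum):
    """Return the authorizations on `action` that the criteria disallow.
    Both sets hold (actor, permission) pairs and are assumed precomputed."""
    if action.sender != action.target:
        return []  # actions sent to other contracts are not restricted here
    rejected = []
    for auth in action.auths:
        source_ok = auth in code_satisfiable
        if action.origin is Origin.INLINE_FROM_DIRECT:
            # deprecated allowance: authorization propagated from the parent
            source_ok = source_ok or auth in action.parent_auths
        if not (source_ok and auth in meets_minimum):
            rejected.append(auth)
    return rejected

# Constructed sample: hypothetical contract "game" and user "alice".
CODE_OK = {("game", "active")}                     # satisfiable by eosio.code
MIN_OK = {("game", "active"), ("alice", "active")}  # meet the linked minimum
ALICE = ("alice", "active")
SAMPLE = [
    SentAction("game", "game", Origin.INLINE_FROM_DIRECT, (ALICE,), (ALICE,)),
    SentAction("game", "game", Origin.INLINE_FROM_RECIPIENT, (ALICE,), (ALICE,)),
    SentAction("game", "game", Origin.DEFERRED, (("game", "active"), ALICE)),
    SentAction("game", "token", Origin.DEFERRED, (ALICE,)),
]

def audit(sample=SAMPLE):
    return [rejected_auths(a, CODE_OK, MIN_OK) for a in sample]

if __name__ == "__main__":
    for action, bad in zip(SAMPLE, audit()):
        print(action.origin.value, "->", bad or "allowed")
```

The first sample action passes only because of the parent-action allowance, which is the case a contract relying on propagated authorizations should look for.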

For more information see the official block.one blog post

DEPRECATION NOTICE
The propagation of authorizations present on the parent action for self-addressed inline actions sent from direct actions is DEPRECATED IMMEDIATELY and will be removed during the first protocol upgrade. At that time only properly formed authorizations satisfiable using the eosio.code pattern will be allowed for any inline action or deferred transaction.

Contract Developers should take immediate action to refactor their contracts to not rely on these propagated authorizations.

@jchung00 released this Dec 5, 2018

@jchung00 released this Nov 14, 2018

NOTICE: IF YOU ARE UPGRADING TO THIS RELEASE FROM VERSION 1.3.X OR EARLIER AND USE THE HISTORY_PLUGIN YOU WILL NEED TO REPLAY THE BLOCKCHAIN TO RECONSTRUCT THAT PLUGIN'S DATA

This release provides bug fixes.

Changes

(EOSIO#6220) Failed Deferred Transactions Were in History Plugin Results

Please note, the history_plugin was DEPRECATED in version 1.2.0 and is receiving this fix as part of the support for that lifecycle

The history_plugin sometimes included failed deferred transactions in its search results. Since it doesn't store receipt status, there wasn't a reliable way for users of the history API to know which actions were executed. See EOSIO#6214 for detailed discussion

Nodes which use the history_plugin and are concerned that this class of transaction may cause misleading results are encouraged to regenerate that plugin's database using --replay-blockchain.

NB: This does not affect the state of the chain. These failed deferred transactions were merely being misreported through this plugin. Their side-effects were correctly removed from any intermediate state of the blockchain

Other Changes

(EOSIO#6219) Trusted producer should be configured via cfg and cli
(EOSIO#6222) print config.ini & data-dir nodeos is using at launch
(EOSIO#6253) restore eosio root ilog

Mitigations

As mentioned above, operators who are concerned with misrepresentation of deferred transactions in the history_plugin are encouraged to reconstruct that plugin's state using --replay-blockchain

@jchung00 released this Nov 6, 2018

NOTICE: IF YOU ARE UPGRADING TO THIS RELEASE FROM VERSION 1.3.X OR EARLIER AND USE THE HISTORY_PLUGIN YOU WILL NEED TO REPLAY THE BLOCKCHAIN TO RECONSTRUCT THAT PLUGIN'S DATA

This release provides bug fixes.

Changes

(EOSIO#6100) Remove llvm@4 force link for Mac OS X builds
This removes brew --force link for the llvm@4 package. This force link had the unfortunate side effect of overwriting the system clang++/clang with clang 4.0 and libc++, which was causing issues with binary builds.

Before running the fixed eosio_build.sh, it is recommended to run brew remove llvm@4 to allow the script to do a fresh install, or at the very least brew unlink llvm@4.

Other Changes

(EOSIO#6130) Fix for transaction_traces store in mongo_db_plugin.
(EOSIO#6133) Correct a bad tag in wrong first block log message.
(EOSIO#6164) Fix long startup delay when not loading snapshots.
(EOSIO#6178) Fix set_code and set_abi to report only json to stdout.
(EOSIO#6179) Fix incorrect ISO timestamps for scheduled transaction expiration in RPC

Pre-release

@jchung00 released this Oct 24, 2018

Pre-release

@jchung00 released this Oct 12, 2018

This release provides bug fixes.

Changes

Add missing tags to exception text for arg processing (EOSIO#5920)
Fix producer log format (EOSIO#5901)
Present a clearer message on bad_alloc & return consistent error code (EOSIO#5895)
Added ZMQ plugin to COMMUNITY.md (EOSIO#5892)
