Recently, a vulnerability surfaced in OpenSSL. Leveraging this particular vulnerability against a Chia node would allow a bad actor to force it offline.
To protect your systems and maintain the network’s security, we have released version 1.3.2, specifically focused on addressing these vulnerabilities.
We strongly recommend that all users running a node (which should be most of you) update to version 1.3.2. As a note, this update will require restarting your node.
FAQ
Why is the updated version being released today?
We were notified about the vulnerability when it was made public, but at that time, there was no mitigation available and an unknown ETA on the fix. We did miss the follow-up fix announcement and will be reviewing our internal processes to ensure our quick response in the future.
Is my data/computer/identity safe?
There is no identified vulnerability to these items at this time.
Is my XCH safe?
Yep! (Even if you do not make this update, your XCH should still be safe as well). Though if you are not on 1.3.1 already, moving to 1.3.2 will have some of the same balance display caveats in releases 1.X to 1.3.0, of which you'll need to be mindful.
What are the actual changes in version 1.3.2?
The version 1.3.2 update is focused specifically on addressing the OpenSSL vulnerability by using OpenSSL version 1.1.1n. All documentation for changes can be found in these release notes.
What will be done in the future to ensure something like this doesn’t happen again?
Vulnerabilities are found all the time in software, and the organizations who rely on those libraries always need to be diligent to roll those updates into their software once known fixes are available and stable. We will continue to monitor for and incorporate those changes when required.
Is it safe to remain in a pool?
This update, and the related vulnerability, should have no impact on your Pooling efforts.
Fixed
- Fixed OpenSSL vulnerability CVE-2022-0778 (Thank you for the nudge @skweee!!)