This is an important security update. All users are strongly recommended to update as soon as possible.
Additional security vulnerabilities were found in log4j in the newly released 2.15.0 which details are not yet available for.
As a result we cannot yet confirm if Teku is vulnerable to them. This release of Teku upgrades to log4j 2.16.0 which is safe
against these new vulnerabilities and completely disables JDNI which is the underlying technology used in this category of attack.
As as result we strongly encourage all users to update as soon as possible to 21.12.2 even if you have previously updated to 21.12.1.
Downloads
- Available as
21.12.2on Dockerhub - Download the binary distribution:
Additions and Improvements
- Updated CLI options ensuring unmatched options aren't confused as parameters.
Bug Fixes
- Updated to log4j 2.16.0.
- Fix multiarch JDK17 variant docker image to bundle Java 17 instead of Java 16
Upcoming Breaking Changes
- Support for the Pyrmont testnet will be removed in an upcoming release. The Prater testnet should be used instead.
- The
/teku/v1/beacon/states/:state_idendpoint has been deprecated in favor of the standard API/eth/v1/debug/beacon/states/:state_idwhich now returns the state as SSZ when theAccept: application/octet-streamheader is specified on the request. - The
/eth/v1/debug/beacon/states/:state_idendpoint has been deprecated in favor of the v2 Altair endpoint/eth/v2/debug/beacon/states/:state_id - The
/eth/v1/beacon/blocks/:block_idendpoint has been deprecated in favor of the v2 Altair endpoint/eth/v2/beacon/blocks/:block_id - The
/eth/v1/validator/blocks/:slotendpoint has been deprecated in favor of the v2 Altair endpoint/eth/v2/validator/blocks/:slot - The commandline option
--validators-performance-tracking-enabledhas been deprecated in favour of--validators-performance-tracking-mode