github ZcashFoundation/zebra v4.4.0
Zebra 4.4.0

This release includes several security and bug fixes. We recommend node operators update to 4.4.0.

Security

  • Fix sigops counting (GHSA-jv4h-j224-23cc).
  • Consensus-divergence defense-in-depth follow-up to GHSA-8m29-fpq5-89jj: the V5 sighash callback now substitutes a per-call CSPRNG-derived sighash when rejecting undefined ZIP 244 hash-type bytes, so any peer-supplied signature fails to verify and the block is rejected in agreement with zcashd (GHSA-gq4h-3grw-2rhv, #10524).
  • Allocation amplification in inbound network deserializers: validate coinbase Sapling spend count, coinbase data size, and Equihash solution size before allocating, and enforce the 160-entry cap in read_headers (GHSA-438q-jx8f-cccv, #10525, #10526, #10527, #10528).
  • Validate transparent input/output alignment before script verification, so malformed verifier requests return an error instead of panicking or verifying against a misaligned previous output (#10510).
  • RPC hardening (#10523):
    • Cookie file is now written with explicit 0600 permissions on Unix; symlinks at the cookie path are rejected (GHSA-jg86-rwhm-fhg4).
    • HTTP request bodies are bounded before allocation, with the limit derived from MAX_BLOCK_BYTES to accommodate submitblock (GHSA-8r29-5wjm-jgvx).
    • gRPC indexer streams use try_send to drop slow subscribers instead of backpressuring the server; the buffer was reduced from 4000 to 64. Well-behaved clients are unaffected (GHSA-826r-gfq8-x79q).
    • getrawtransaction reuses the caller-provided block hash and best-chain flag from the initial query, fixing a TOCTOU race against a third state lookup (GHSA-w23c-6rpp-ff87).
  • Disconnect peers that persistently return empty or bad FindBlocks / FindHeaders responses, freeing fanout slots for useful peers. Stall classification happens inside PeerSet::route_p2c, so coverage spans both request types without a separate per-IP guard.
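A stand-alone Rust sketch of the check-before-allocate pattern behind the read_headers fix above, added here as an illustration and not Zebra's own code: it parses a CompactSize-prefixed headers payload and rejects a peer-supplied count above the 160-entry cap before reserving any memory. The 80-byte fixed header and the function names are simplifications assumed for this example.

```rust
use std::io::{self, Read};

/// Cap on `headers` entries named in the release notes.
pub const MAX_FIND_BLOCK_HEADERS_RESULTS: u64 = 160;
/// Simplified fixed-size header (real Zcash headers also carry a variable-length Equihash solution).
pub const HEADER_SIZE: usize = 80;

/// Bitcoin/Zcash CompactSize integer: 1 byte, or 0xfd/0xfe/0xff + 2/4/8 little-endian bytes.
pub fn read_compact_size(r: &mut impl Read) -> io::Result<u64> {
    let mut tag = [0u8; 1];
    r.read_exact(&mut tag)?;
    Ok(match tag[0] {
        n @ 0..=0xfc => n as u64,
        0xfd => { let mut b = [0u8; 2]; r.read_exact(&mut b)?; u16::from_le_bytes(b) as u64 }
        0xfe => { let mut b = [0u8; 4]; r.read_exact(&mut b)?; u32::from_le_bytes(b) as u64 }
        _ => { let mut b = [0u8; 8]; r.read_exact(&mut b)?; u64::from_le_bytes(b) }
    })
}

/// CompactSize encoder, used to construct sample messages.
pub fn compact_size_bytes(n: u64) -> Vec<u8> {
    match n {
        0..=0xfc => vec![n as u8],
        0xfd..=0xffff => { let mut v = vec![0xfd]; v.extend((n as u16).to_le_bytes()); v }
        0x1_0000..=0xffff_ffff => { let mut v = vec![0xfe]; v.extend((n as u32).to_le_bytes()); v }
        _ => { let mut v = vec![0xff]; v.extend(n.to_le_bytes()); v }
    }
}

/// Parse a `headers` payload. The peer-controlled count is checked against the
/// protocol cap BEFORE `Vec::with_capacity`, so a 9-byte message claiming
/// u64::MAX entries is rejected without reserving memory or reading further.
pub fn read_headers(r: &mut impl Read) -> io::Result<Vec<[u8; HEADER_SIZE]>> {
    let count = read_compact_size(r)?;
    if count > MAX_FIND_BLOCK_HEADERS_RESULTS {
        let msg = format!("headers count {count} exceeds cap {MAX_FIND_BLOCK_HEADERS_RESULTS}");
        return Err(io::Error::new(io::ErrorKind::InvalidData, msg));
    }
    // count <= 160, so the allocation is bounded by the protocol, not by the peer.
    let mut headers = Vec::with_capacity(count as usize);
    for _ in 0..count {
        let mut h = [0u8; HEADER_SIZE];
        r.read_exact(&mut h)?; // a truncated body fails here with UnexpectedEof
        headers.push(h);
    }
    Ok(headers)
}
```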

Added

  • nTx (per-block transaction count) field in the verbose getblock RPC response (#10498).
  • Public benchmark dashboard at zebra.zfnd.org/dev/bench covering Groth16, Halo2, Sapling, RedPallas, block, and transaction benchmarks (#10444).

Changed

  • Refreshed the Sentry/OpenTelemetry observability stack (#10490): Sentry SDK upgraded to 0.47 (transport switched from reqwest to ureq); Sentry events now carry SENTRY_ENVIRONMENT, git.ref, git.sha, and CI context (CI_PR_NUMBER, CI_TEST_ID, GITHUB_*) when present; opentelemetry is now part of the default-release-binaries feature set, with export still gated on OTEL_EXPORTER_OTLP_ENDPOINT (or the tracing config); and zebrad::sentry is now crate-private.
  • Upgraded the librustzcash crate cohort (equihash 0.3, orchard 0.13, sapling-crypto 0.7, zcash_address 0.11, zcash_encoding 0.4, zcash_keys 0.13, zcash_primitives 0.27, zcash_proofs 0.27, zcash_protocol 0.8, zcash_transparent 0.7) to the 2026-04 release wave, which migrates off the yanked core2 crate to corez 0.1.1 and clears RUSTSEC-2026-0105 (#10522).
  • Bumped workspace MSRV from 1.85.0 to 1.85.1, required by the new librustzcash releases. Also bumped zebrad MSRV from 1.89 to 1.91, required by cargo-platform 0.3.3 (transitively via vergen-git2).

Fixed

  • getrawtransaction now reports correct confirmations (#10507).

Contributors

Thank you to everyone who contributed to this release; we couldn't make Zebra without you:
@alchemydc, @arya2, @daira, @dependabot[bot], @gustavovalverde, @oxarbitrage, @schell and @upbqdn