Summary
This includes security fixes from upstream geth released in v1.16.8.
This is a security fix release and is recommended for all users. It resolves two p2p
vulnerabilities reported through the Ethereum Foundation bug bounty program.
Update Priority
This table provides priorities for which classes of users should update particular components.
| User Class | Priority |
|---|---|
| Payload Builders | Required |
| Non-Payload Builders | Required |
All Changes
- Merge branch 'dos-fixes' into release/1.16
- version: release go-ethereum v1.16.8 stable
- crypto/ecies: use aes blocksize
- core/txpool: drop peers on invalid KZG proofs
- version: begin v1.16.8 release cycle
- Merge branch 'master' into release/1.16
Binaries
| System | Architecture | Binary | PGP Signature | Notes |
|---|---|---|---|---|
| Linux | amd64 | bera-geth-linux-amd64-v1.011608.0-e8f8f968.tar.gz | Signature | Most Linux systems |
| Linux | arm64 | bera-geth-linux-arm64-v1.011608.0-e8f8f968.tar.gz | Signature | 64-bit ARM systems |
| Linux | amd64 | bera-geth-alltools-linux-amd64-v1.011608.0-e8f8f968.tar.gz | Signature | All tools bundle (amd64) |
| Linux | arm64 | bera-geth-alltools-linux-arm64-v1.011608.0-e8f8f968.tar.gz | Signature | All tools bundle (arm64) |

| System | Resource |
|---|---|
| Docker | ghcr.io/berachain/bera-geth |
Verifying Binary Signatures
All release binaries are signed with PGP. To verify:
- Download the public key
- Import the key:
  gpg --import release.asc
- Verify the signature:
  gpg --verify <filename>.asc <filename>
Docker Images
Docker images are available at ghcr.io/berachain/bera-geth and are signed with Cosign using keyless signing from GitHub Actions OIDC.
To verify a specific release image (recommended: by digest):
cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:v1.011608.0 | awk '/^Digest:/ {print $2; exit}')
To verify the latest unstable image instead (not recommended; tags can move):
cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:latest | awk '/^Digest:/ {print $2; exit}')
Installation
The archives contain the geth binary and license file. Extract and run:
tar -xzf bera-geth-linux-amd64-v1.011608.0-e8f8f968.tar.gz
./geth
The alltools archives additionally contain:
- abigen - Source code generator for Ethereum contracts
- evm - Developer utility for the Ethereum Virtual Machine
- rlpdump - Developer utility for RLP data
- clef - Ethereum account management tool
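The Docker Images section recommends verifying by digest because tags can move; the same reasoning applies to the reference a node is deployed with. As an added example (not code from the bera-geth project), this shell check lists every reference to the image in a deployment file that is not pinned to a sha256 digest. The function names, the compose fragment and the digest are constructed for illustration.

```shell
#!/bin/sh
# Added example (not bera-geth project code): flag image references that are
# not pinned to a sha256 digest. File contents and digest below are constructed.
IMAGE="ghcr.io/berachain/bera-geth"

# is_pinned REF: succeed only for IMAGE[:tag]@sha256:<64 lowercase hex chars>.
is_pinned() {
    ref=$1
    case "$ref" in
        "$IMAGE"@sha256:* | "$IMAGE":*@sha256:*) ;;
        *) return 1 ;;            # tag only, or a different repository
    esac
    digest=${ref##*@sha256:}
    [ "${#digest}" -eq 64 ] || return 1
    case "$digest" in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# unpinned_refs FILE: print "line:reference" for every unpinned reference.
unpinned_refs() {
    grep -n -o -E "ghcr\.io/berachain/bera-geth[^[:space:]\"']*" "$1" |
    while IFS=: read -r lineno ref; do
        is_pinned "$ref" || printf '%s:%s\n' "$lineno" "$ref"
    done
}

# Constructed placeholder digest, NOT the digest of any real release image.
D=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# sample_manifest: a constructed docker-compose fragment for the demo.
sample_manifest() {
    cat <<EOF
services:
  pinned:
    image: ghcr.io/berachain/bera-geth@sha256:$D
  by-tag:
    image: ghcr.io/berachain/bera-geth:v1.011608.0
  moving-tag:
    image: "ghcr.io/berachain/bera-geth:latest"
  truncated:
    image: ghcr.io/berachain/bera-geth@sha256:abc123
EOF
}

tmp=$(mktemp)
sample_manifest > "$tmp"
unpinned_refs "$tmp"    # reports lines 5, 7 and 9
rm -f "$tmp"
```

A digest-pinned reference only fixes which image is pulled; the cosign verification above is still what ties that digest to the project's build workflow.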
