Security hotfix: P2P crash-loop
This is an emergency patch addressing an active attack against Ethereum Classic bootnodes. Malicious P2P traffic was exploiting missing input validation in the ECIES handshake path, causing nodes to crash-loop on restart.
Fixes
Three cherry-picks from upstream go-ethereum:
- crypto/ecies: use AES blocksize — Corrects minimum ciphertext length validation to use the actual AES block size instead of a hardcoded value of 1.
- crypto/ecies: fix ECIES invalid-curve handling (#33669) — Validates that the remote public key lies on the expected curve before performing ECDH, preventing an invalid-curve oracle attack.
- p2p/rlpx: 2KB maximum size for handshake messages (#30029) — Rejects oversized handshake packets, preventing memory abuse during the RLPx handshake.
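An added sketch (not go-ethereum's or this release's code) of the three checks listed above: a 2KB cap on the handshake size, a minimum ciphertext length of one AES block, and an on-curve test of the remote key before any ECDH. The packet layout, the 65-byte key and 32-byte MAC sizes, the function names, and P-256 as a standard-library stand-in for the node's curve are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/ecdh"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const maxHandshake, pubLen, macLen = 2048, 65, 32 // 2KB cap; assumed key and MAC sizes

var (
	errSize  = errors.New("bad size prefix or over the 2KB cap")
	errShort = errors.New("ciphertext shorter than one AES block")
	errCurve = errors.New("remote key is not a valid curve point")
)

// checkHandshake validates size(2) || pubkey || IV+ciphertext || MAC (assumed layout).
func checkHandshake(pkt []byte) (*ecdh.PublicKey, error) {
	size := len(pkt) - 2 // bytes after the 2-byte big-endian prefix
	if size < 0 || size > maxHandshake || int(binary.BigEndian.Uint16(pkt)) != size {
		return nil, errSize
	}
	if size < pubLen+aes.BlockSize+macLen { // the IV alone needs one full AES block
		return nil, errShort
	}
	pub, err := ecdh.P256().NewPublicKey(pkt[2 : 2+pubLen]) // P-256 stand-in; rejects off-curve points
	if err != nil {
		return nil, errCurve
	}
	return pub, nil
}

// sample builds a constructed packet: a P-256 key, optionally pushed off the curve, plus n bytes.
func sample(onCurve bool, n int) []byte {
	k, _ := ecdh.P256().GenerateKey(rand.Reader)
	key := k.PublicKey().Bytes()
	if !onCurve {
		key[64] ^= 1 // flipping a bit of Y moves the point off the curve
	}
	pkt := binary.BigEndian.AppendUint16(nil, uint16(pubLen+n))
	return append(append(pkt, key...), make([]byte, n)...)
}

func main() {
	fmt.Println(checkHandshake(sample(false, 48)))
}
```

Every malformed input comes back as an error value, so a peer sending it costs one dropped connection rather than a process restart.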
CI
- Pinned GitHub Actions runners to ubuntu-22.04 and windows-2022 to restore compatibility with deprecated/updated runner images.
Upgrade priority
Strongly recommended for bootnodes and any node directly reachable from the internet with a high volume of inbound P2P connections. Nodes behind firewalls or with restricted inbound access are less likely to be affected, but upgrading is still advised. This release contains no consensus changes — only P2P-layer hardening. It is a drop-in replacement for v1.12.20.