Summary
This is a security-focused release to address a denial-of-service vulnerability in OpenSSL (CVE-2022-0778).
Lighthouse does not rely on OpenSSL for any of its P2P functionality, but it does use OpenSSL TLS when making HTTPS connections. We recommend that users upgrade to this release from v2.1.4 if they are using HTTPS URLs in their configuration and are concerned about the denial-of-service risk; see below for details.
OpenSSL Vulnerability Detail
If configured, Lighthouse will use HTTPS to connect to URLs passed to `--eth1-endpoints`, `--checkpoint-sync-url` or `--beacon-nodes` (from the validator client). These URLs typically correspond to servers trusted by the user, but they still pose a denial-of-service risk if the connection is intercepted by an intermediary (e.g. an ISP or public hotspot router) that presents a crafted certificate during the TLS handshake. We believe that attacks are unlikely to occur in practice, and that their impact would be relatively minor: Lighthouse would hang, but there would be no slashing risk nor risk of signing keys being compromised.
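To decide whether this release matters for a given node, the question is simply whether any of the three flags above carries an `https://` URL. The following is an added example (not part of the Lighthouse release notes or code base) that audits a Lighthouse command line, as it might be copied from a systemd unit or `ps` output, and reports the endpoints that would go through OpenSSL TLS. It assumes flags may be written as `--flag value` or `--flag=value` and that `--eth1-endpoints` and `--beacon-nodes` take comma-separated lists; the sample command lines are constructed.

```python
"""Audit a Lighthouse command line for HTTPS endpoints (OpenSSL TLS users).

Added example, not Lighthouse project code. Assumptions not stated on the page:
flags may be given as `--flag value` or `--flag=value`, and `--eth1-endpoints`
and `--beacon-nodes` accept comma-separated lists of URLs.
"""
import shlex
from urllib.parse import urlsplit

# The flags the release notes name as HTTPS-capable.
TLS_FLAGS = ("--eth1-endpoints", "--checkpoint-sync-url", "--beacon-nodes")


def extract_flag_values(argv, flags=TLS_FLAGS):
    """Return {flag: [url, ...]} for every occurrence of the given flags."""
    found = {flag: [] for flag in flags}
    i = 0
    while i < len(argv):
        arg = argv[i]
        flag, value = None, None
        if "=" in arg:
            head, _, tail = arg.partition("=")
            if head in flags:
                flag, value = head, tail
        elif arg in flags and i + 1 < len(argv):
            flag, value = arg, argv[i + 1]
            i += 1  # consume the value token
        if flag is not None:
            found[flag].extend(v.strip() for v in value.split(",") if v.strip())
        i += 1
    return found


def https_endpoints(cmdline):
    """Return [(flag, url), ...] for every endpoint that uses https://.

    Plain http:// (and ws://) endpoints never touch OpenSSL and are ignored.
    """
    argv = shlex.split(cmdline)
    hits = []
    for flag, urls in extract_flag_values(argv).items():
        for url in urls:
            if urlsplit(url).scheme.lower() == "https":
                hits.append((flag, url))
    return hits


def needs_upgrade(cmdline):
    """True if at least one HTTPS endpoint is configured."""
    return bool(https_endpoints(cmdline))


# Constructed sample command lines (hostnames are placeholders).
SAMPLE_BN = (
    "lighthouse bn --network mainnet "
    "--eth1-endpoints=http://127.0.0.1:8545,https://eth1.example.com "
    "--checkpoint-sync-url https://checkpoint.example.org"
)
SAMPLE_VC = "lighthouse vc --beacon-nodes http://localhost:5052"

if __name__ == "__main__":
    for name, cmd in (("beacon node", SAMPLE_BN), ("validator client", SAMPLE_VC)):
        hits = https_endpoints(cmd)
        verdict = "upgrade recommended" if hits else "not affected"
        print(f"{name}: {verdict}")
        for flag, url in hits:
            print(f"  {flag} -> {url}")
```

Run it against the real command line of each Lighthouse process; a node that only talks to `http://` endpoints on localhost is not exposed to this CVE, regardless of the OpenSSL version it links.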
For more information please see:
- OpenSSL security advisory: https://www.openssl.org/news/secadv/20220315.txt
- Lighthouse fix: #3095
Backwards Compatibility
Other than the OpenSSL fix, this release is functionally equivalent to the previous release, and is 100% backward compatible.
Update Priority
This table provides priorities for which classes of users should update particular components.
User Class | Beacon Node | Validator Client |
---|---|---|
Staking Users | Low priority | Low priority |
Non-Staking Users | Low priority | --- |
See Update Priorities for more information about this table.
All Changes
- v2.1.5 (#3096)
- Update openssl for CVE-2022-0778 (#3095)
- Clarify proposers message is about current epoch (#3084)
- Add minimum supported Rust version (#3082)
Binaries
See pre-built binaries documentation.
The binaries are signed with Sigma Prime's PGP key: 15E66D941F697E28F49381F426416DC3F30674B0
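A plain `gpg --verify` exits 0 for a signature made by any key in the local keyring, so the check that actually matters is that the signing key is the one whose fingerprint is listed above. The following is an added example (not Lighthouse project code) that runs `gpg --status-fd 1 --verify` on a downloaded tarball and its detached signature, then parses the machine-readable status lines and accepts only a `VALIDSIG` whose fingerprint matches Sigma Prime's. The sample status output used for the offline run is constructed, not a real capture, and the user ID in it is a placeholder.

```python
"""Verify a Lighthouse release tarball and pin the signer's PGP fingerprint.

Added example, not Lighthouse project code. Assumes `gpg` (GnuPG 2.x) is on
PATH and that Sigma Prime's public key has already been imported.
"""
import re
import subprocess
import sys

# Fingerprint from the release notes.
SIGMA_PRIME_FPR = "15E66D941F697E28F49381F426416DC3F30674B0"

# Status keywords that mean the signature must be rejected whatever else appears.
BAD_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
HEX40 = re.compile(r"[0-9A-Fa-f]{40}")


def normalize_fpr(fpr):
    """Strip spaces/colons and upper-case, so '15e6 6d94 ...' == '15E66D94...'."""
    return "".join(ch for ch in fpr if ch.isalnum()).upper()


def parse_gpg_status(status_text, expected_fpr=SIGMA_PRIME_FPR):
    """Interpret `gpg --status-fd` output; return (ok, reason).

    VALIDSIG carries the signing (sub)key fingerprint and, in current GnuPG,
    the primary key fingerprint as its last field. Either may match the
    fingerprint published in the release notes.
    """
    want = normalize_fpr(expected_fpr)
    seen_fprs, bad = set(), []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in BAD_KEYWORDS:
            bad.append(keyword)
        elif keyword == "VALIDSIG":
            seen_fprs.update(normalize_fpr(f) for f in fields[2:] if HEX40.fullmatch(f))
    if bad:
        return False, bad[0]
    if not seen_fprs:
        return False, "no VALIDSIG line"
    if want in seen_fprs:
        return True, "VALIDSIG " + want
    return False, "signed by unexpected key(s): " + ",".join(sorted(seen_fprs))


def verify_release(tarball, signature, gpg="gpg"):
    """Run gpg on the detached signature and pin the signer; returns (ok, reason)."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False,
    )
    return parse_gpg_status(proc.stdout)


# Constructed gpg status output for offline use (not a real capture).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 26416DC3F30674B0 Sigma Prime <placeholder@example.invalid>\n"
    "[GNUPG:] VALIDSIG 15E66D941F697E28F49381F426416DC3F30674B0 2022-03-17 1647500000 0 4 0 1 8 00 "
    "15E66D941F697E28F49381F426416DC3F30674B0\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_WRONG_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <placeholder@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-03-17 1647500000 0 4 0 1 8 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 26416DC3F30674B0 Sigma Prime <placeholder@example.invalid>\n"

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_release.py <tarball> <tarball.asc>")
    ok, reason = verify_release(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Import the key first (for example `gpg --recv-keys 15E66D941F697E28F49381F426416DC3F30674B0`; the keyserver your GnuPG defaults to is an environment detail, not something the release notes specify), then run the script with the tarball and its `.asc` file. `TRUST_UNDEFINED` in the status output is expected for a freshly imported key and does not affect the fingerprint check, which is the property being verified here.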
System | Architecture | Binary | PGP Signature |
---|---|---|---|
macOS | x86_64 | lighthouse-v2.1.5-x86_64-apple-darwin.tar.gz | PGP Signature |
macOS | x86_64 | lighthouse-v2.1.5-x86_64-apple-darwin-portable.tar.gz | PGP Signature |
Linux | x86_64 | lighthouse-v2.1.5-x86_64-unknown-linux-gnu.tar.gz | PGP Signature |
Linux | x86_64 | lighthouse-v2.1.5-x86_64-unknown-linux-gnu-portable.tar.gz | PGP Signature |
Linux | aarch64 | lighthouse-v2.1.5-aarch64-unknown-linux-gnu.tar.gz | PGP Signature |
Linux | aarch64 | lighthouse-v2.1.5-aarch64-unknown-linux-gnu-portable.tar.gz | PGP Signature |
Windows | x86_64 | lighthouse-v2.1.5-x86_64-windows.tar.gz | PGP Signature |
Windows | x86_64 | lighthouse-v2.1.5-x86_64-windows-portable.tar.gz | PGP Signature |
System | Option | Resource |
---|---|---|
Docker | v2.1.5 | sigp/lighthouse |