We are releasing Zebra 4.5.1 today. This release contains a fix for a consensus-critical security vulnerability, and we strongly encourage all node operators to upgrade immediately.
Note that 4.5.0 was released yesterday, so if you have just updated, unfortunately you will need to update again.
Security Advisories
GHSA-2prc-cj5x-4443: P2SH Sigop Undercount Not Correctly Fixed (Critical)
The fix for GHSA-gf9r-m956-97qx was not correct; the sigop counting was fixed by switching to a pure C++ implementation which should match zcashd implementation. However the particular function used counted sigops in “legacy” mode, but for consensus, an accurate count is needed. Thus the possibility of a consensus divergence still existed.
We fixed this by reverting to the Rust implementation previously used, but fixed the original discrepancy that it had (it stopped counting sigops when it encountered a disabled opcode, but it should keep counting).
Thanks to @sangsoo-osec for reporting this issue.
Upgrading
We strongly recommend all Zebra node operators upgrade to 4.5.1 as soon as possible, due to the consensus vulnerability described above. There are no known workarounds — upgrading is the only way to ensure your node remains on the correct chain and is protected against the issues listed in this release. You can find the release on GitHub.
Acknowledgments
Thanks @sangsoo-osec for quickly identifying the issue.
Zebra is the Zcash Foundation’s independent, Rust-based implementation of the Zcash protocol. Learn more at github.com/ZcashFoundation/zebra.