Voting is open for replica security fixes - 148ca44e and de57fd51

We submitted proposals 123976 and 123977 for replica security fixes on top of rc--2023-07-26_23-01 (9c89622) and rc--2023-08-01_23-01 (f8f59f8).

The security fixes will be applied to all subnets and after that the changes from the security fixes will be shared publicly, in accordance with the Security Patch Policy and Procedure that was adopted in proposal 48792.

The community will be able to retroactively verify the binaries that were rolled out. The instructions for doing this are in the proposal summary.


I’ve noticed that these binaries come with a different build script than usual, and I’m having trouble verifying them. On my VM, it complains that it has less than 16GB of RAM, possibly because only 13GB is actual physical memory and the rest is allocated to the page file. On WSL, it indicates that Ubuntu version 22.04 or higher is required, even though I’m using 22.04.

The supplied script on each proposal

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/master/gitlab-ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c 148ca44e09d675af151289801ec0337c751aa31b

needs to be updated. Looks like gitlab-ci/tools/repro-check.sh got renamed to gitlab-ci/tools/build-verifier.sh a few hours ago

Also, I’m getting a bunch of issues, like not having ‘bc’ installed, and now it just seems like there is a bug in the code from the commit from 2 hours ago.



I think this whole validation process needs a review


Folks, this is a security release following Security Patch Policy and Procedure.

The actual fix commits will be published tomorrow and then you should be able to verify the binaries without errors.

I will also post a retrospective with details about the security issue.

The security patches are public now: rc--2023-07-26_23-01 and rc--2023-08-01_23-01

Verification of the replica binaries should work without errors now.

Details of the security issue:


The CodeGov.org neuron has voted to Adopt these security updates. Our reviews can be found here for 123976 and here for 123977.


I can understand the 30-minute window since this was security-related, but maybe CodeGov could get a heads-up before submission to have at least 1 hour to build and verify before execution and not after.

Since it was a critical security issue, it was not possible to publish the code before the proposal execution. Otherwise, malicious actors might be able to come up with an exploit by inspecting the code and attack the mainnet before the fix is deployed.

The steps for releasing a critical security fix are described in Security Patch Policy and Procedure.
