We submitted proposals 123976 and 123977 for replica security fixes on top of rc--2023-07-26_23-01 (9c89622) and rc--2023-08-01_23-01 (f8f59f8).
The security fixes will be applied to all subnets and after that the changes from the security fixes will be shared publicly, in accordance with the Security Patch Policy and Procedure that was adopted in proposal 48792.
The community will be able to retroactively verify the binaries that were rolled out. The instructions for doing this are in the proposal summary.
I’ve noticed that these binaries come with a different build script than usual, and I’m having trouble verifying them. On my VM, it complains that it has less than 16GB of RAM, possibly because only 13GB is actual physical memory and the rest is allocated to the page file. On WSL, it indicates that Ubuntu version 22.04 or higher is required, even though I’m using 22.04
I can understand the 30 minute window since this was security related but maybe CodeGov could get a heads up before submission to have at least 1 hour to build and verify before execution and not after.
Since it was a critical security issue, it was not possible to publish the code before the proposal execution. Otherwise, malicious actors might be able to come up with an exploit by inspecting the code and attack the mainnet before the fix is deployed.