September 16, 2024
This release bumps Go version to 1.22 and updates dependencies.
- updated pkg gonum.org/v1/gonum to latest version unaffected by CVE- 2024-24792, CVE-2023-29407, CVE-2023-29408, and CVE-2022-41727 (#4045)
- updated python module "requests" to latest version unaffected by CVE-2023-32681 and CVE-2024-35195 (#4053)
- updated cometbft-db to v0.9.5 (#4059)
September 3, 2024
This release includes a security fix for the light client and is recommended for all users.
[light]Cross-check proposer priorities in retrieved validator sets (#ASA-2024-009)
[tools]Remove tools package #3760
[types]Check that proposer is one of the validators inValidateBasic(#ASA-2024-009)
April 26, 2024
This release bumps Go version to 1.21.
- [
bits] preventBitArray.UnmarshalJSONfrom crashing on 0 bits (#2774)
- Bump cometbft-db version to v0.9.1, which brings support for RocksDB v8. (#2783)
- Bump Go version used to v1.21 since v1.20 has reached EOL (#2784)
March 12, 2024
This release fixes a security bug in the light client.
[evidence]WhenVerifyCommitLight&VerifyCommitLightTrustingare called as part of evidence verification, all signatures present in the evidence must be verified (#1749)
[types]ValidateValidator#AddressinValidateBasic(#1715)[abci]Increase ABCI socket message size limit to 2GB (#1730: @troykessler)[e2e]Add manifest optionload_max_txsto limit the number of transactions generated by theloadcommand. (#2094)[e2e]Log the number of transactions that were sent successfully or failed. (#2328)
November 27, 2023
Fixes a small bug in the mempool for an experimental feature.
[mempool]Avoid infinite wait in transaction sending routine when using experimental parameters to limiting transaction gossiping to peers (#1654)
November 17, 2023
This release contains, among other things, an opt-in, experimental feature to help reduce the bandwidth consumption associated with the mempool's transaction gossip.
- Bump Go version used to v1.20 since v1.19 has reached EOL (#1351)
[metrics]Add metric for mempool size in bytesSizeBytes. (#1512)
[node]Make handshake cancelable (cometbft/cometbft#857)[node]Close evidence.db OnStop (cometbft/cometbft#1210: @chillyvee)[mempool]Add experimental feature to limit the number of persistent peers and non-persistent peers to which the node gossip transactions (only for "v0" mempool). (#1558, (#1584)[config]Add mempool parametersexperimental_max_gossip_connections_to_persistent_peersandexperimental_max_gossip_connections_to_non_persistent_peersfor limiting the number of peers to which the node gossip transactions. (#1558) (#1584)
June 14, 2023
Provides several minor bug fixes, as well as fixes for several low-severity security issues.
[state/kvindex]Querying event attributes that are bigger than int64 is now enabled. (#771)[pubsub]Pubsub queries are now able to parse big integers (larger than int64). Very big floats are also properly parsed into very big integers instead of being truncated to int64. (#771)
[rpc]Remove response data from response failure logs in order to prevent large quantities of log data from being produced (#654)
[rpc/jsonrpc/client]Low severity - Prevent RPC client credentials from being inadvertently dumped to logs (#788)[cmd/cometbft/commands/debug/kill]Low severity - Fix unsafe int cast indebug killcommand (#794)[consensus]Low severity - Avoid recursive call after rename to(*PeerState).MarshalJSON(#863)[mempool/clist_mempool]Low severity - Prevent a transaction from appearing twice in the mempool (#890: @otrack)
April 26, 2023
This release fixes several bugs, and has had to introduce one small Go
API-breaking change in the crypto/merkle package in order to address what
could be a security issue for some users who directly and explicitly make use of
that code.
[crypto/merkle]Do not allow verification of Merkle Proofs against empty trees (nilroot).Proof.ComputeRootHashnow panics when it encounters an error, butProof.Verifydoes not panic (#558)
[consensus]Unexpected error conditions inApplyBlockare non-recoverable, so ignoring the error and carrying on is a bug. We replaced areturnthat disregarded the error by apanic. (#496)[consensus]Rename(*PeerState).ToJSONtoMarshalJSONto fix a logging data race (#524)[light]Fixed an edge case where a light client would panic when attempting to query a node that (1) has started from a non-zero height and (2) does not yet have any data. The light client will now, correctly, not panic and keep the node in its list of providers in the same way it would if it queried a node starting from height zero that does not yet have data (#575)
[crypto/sr25519]Upgrade to [email protected] (#475)[jsonrpc/client]Improve the error message for client errors stemming from bad HTTP responses. (cometbft/cometbft#638)
Feb 27, 2023
This is the first official release of CometBFT - a fork of Tendermint Core. This particular release is intended to be compatible with the Tendermint Core v0.34 release series.
For details as to how to upgrade to CometBFT from Tendermint Core, please see our upgrading guidelines.
If you have any questions, comments, concerns or feedback on this release, we
would love to hear from you! Please contact us via GitHub
Discussions,
Discord (in the #cometbft channel) or
Telegram.
Special thanks to @wcsiu, @ze97286, @faddat and @JayT106 for their contributions to this release!
- Rename binary to
cometbftand Docker image tocometbft/cometbft(#152) - The
TMHOMEenvironment variable was renamed toCMTHOME, and all environment variables starting withTM_are instead prefixed withCMT_(#211) - Use Go 1.19 to build CometBFT, since Go 1.18 has reached end-of-life. (#360)
[consensus]Fixed a busy loop that happened when sending of a block part failed by sleeping in case of error. (#4)[state/kvindexer]Resolved crashes when event values contained slashes, introduced after adding event sequences. (#383: @jmalicevic)[consensus]Short-term fix for the case whenneedProofBlockcannot find previous block meta by defaulting to the creation of a new proof block. (#386: @adizere)- Special thanks to the Vega.xyz team, and in particular to Zohar (@ze97286), for reporting the problem and working with us to get to a fix.
[p2p]Correctly use non-blockingTrySendEnvelopemethod when attempting to send messages, as opposed to the blockingSendEnvelopemethod. It is unclear whether this has a meaningful impact on P2P performance, but this patch does correct the underlying behaviour to what it should be (tendermint/tendermint#9936)
- Replace tm-db with cometbft-db (#160)
- Bump tm-load-test to v1.3.0 to remove implicit dependency on Tendermint Core (#165)
[crypto]Update to use btcec v2 and the latest btcutil (tendermint/tendermint#9787: @wcsiu)
[rpc]Addmatch_eventquery parameter to indicate to the RPC that it should match events within attributes, not only within a height (tendermint/tendermint#9759)
[e2e]Add functionality for uncoordinated (minor) upgrades (#56)[tools/tm-signer-harness]Remove the folder as it is unused (#136)- Append the commit hash to the version of CometBFT being built (#204)
[mempool/v1]Suppress "rejected bad transaction" in priority mempool logs by reducing log level from info to debug (#314: @JayT106)[consensus]Addconsensus_block_gossip_parts_receivedandconsensus_step_duration_secondsmetrics in order to aid in investigating the impact of database compaction on consensus performance (tendermint/tendermint#9733)[state/kvindexer]Addmatch.eventkeyword to support condition evaluation based on the event the attributes belong to (tendermint/tendermint#9759)[p2p]Reduce log spam through reducing log level of "Dialing peer" and "Added peer" messages from info to debug (tendermint/tendermint#9764: @faddat)[consensus]Reduce bandwidth consumption of consensus votes by roughly 50% through fixing a small logic bug (tendermint/tendermint#9776)
CometBFT is a fork of Tendermint Core as of late December 2022.
Friendly reminder, we have a bug bounty program.
For changes released before the creation of CometBFT, please refer to the Tendermint Core CHANGELOG.md.