Notable changes
===============
This hotfix remediates memory exhaustion vulnerabilities that zcashd inherited
as a fork of bitcoind. These bugs could allow an attacker to use peer-to-peer
messages to fill the memory of a node, resulting in a crash.
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEEX8Nd8pnYcf0pobEL9FXpuSAjoYsFAmP1DKQACgkQ9FXpuSAj
oYt2jQv+IurleLqEbtBW2ajDYDIkcMu+asEtHCk3B6GELykKaFMgHYTffFBmuyJ+
5GdoX685Rn6r8BxK6K1u129A9ztY7K0JpVeDA75tN5WLBj9twLdNaODfCLg5EjlZ
UtxTNnynQ0MX5Uv7pt1DAM+++OKYujUHypaajgZ9ttqpSHZl3Z2ye0/HFEc4023p
VH13CvU/3R4JLkFENi49rbS49LFfVuQrhAQoOPlCf3xoWbUYIdmWWZa/HOJV3g0e
3mqC+rhz97GVylLI4LJrm3v0tLeEUIuu+fdAziWfuWrBlB4jQ5p4L5trDHiQoqWB
5Qt5tjJKHHLnHHSyLcFFaes12tjPfrn9PBxYDPyfFAHIGf0WEiy36+6G5P7jpjYj
OXLAmBPBIRBgZf9LJIHrgvqQynfGe9vaWgCArWWgSC8wZ2hWlM7pZRhCe+uw35R1
e5AfZjvbXj6gR+1631Mhl84e6xkGXe24szzuZDrUCqLBJpTb1JNLRh1OtT8zDN0t
MfKtnE3W
=AXAQ
-----END PGP SIGNATURE-----
Merge tag 'v5.4.2' into hotfix-v5.4.2
zcashd release 5.4.2
Notable changes
===============
This hotfix remediates memory exhaustion vulnerabilities that zcashd inherited
as a fork of bitcoind. These bugs could allow an attacker to use peer-to-peer
messages to fill the memory of a node, resulting in a crash.
- We update Windows cross-compile builds to 15.0.7 because binaries are
provided for it, but not currently for any other platform we need.
- We update native x84_64 macOS builds to 15.0.4 because no 15.0.6
binaries are provided, and the 15.0.7 ones appear to be targeted at a
newer Darwin version.
- We keep FreeBSD on 14.0.6 because no Clang 15 binaries are provided,
and as FreeBSD is a Tier 3 platform it doesn't block us from upgrading
the remaining platforms.
When executing a Python script from within Python, rather than looking for
`python3` in /usr/local/bin and falling back to the script’s shebang line,
_always_ use the same Python that is executing the caller.
I don’t know why this script doesn’t just run `bitcoin_util_test.py`
directly (always using the shebang line), but I assume that is
intentional (but that should be documented). Otherwise, I’d prefer that
approach.
Have updatecheck look in $XDG_DATA_HOME/zcash/updatecheck/token for the GH
token. Having one in the repo will still take precedence (for pre-existing
users, as well as if you want to override the token used in a particular
case). The new location is standardized, exists at the user level (as the token
logically does), and means that you don't need to copy files around if you get a
new clone or worktree to do a release.
- make the token optional (just will hit a rate limit after a few runs of the
script)
- only load the token once, rather than once per request (this is necessary
after the above change, so you don't get the warning printed repeatedly)
- switch from BasicAuth to an Authorization header (this means we no longer need
the GitHub username, just the token)
- support a token file that doesn't contain a username (it will still parse old
versions of the file properly)
In practice we are using 14.0.0 in most cases, as the LLVM Project have
not published Ubuntu binaries for any point release after 14.0.0 (which
we are using here).