Notable changes
===============
This hotfix remediates memory exhaustion vulnerabilities that zcashd inherited
as a fork of bitcoind. These bugs could allow an attacker to use peer-to-peer
messages to fill the memory of a node, resulting in a crash.
Merge tag 'v5.3.3' into hotfix-v5.4.2
zcashd release v5.3.3
Notable changes
===============
This hotfix remediates memory exhaustion vulnerabilities that zcashd inherited
as a fork of bitcoind. These bugs could allow an attacker to use peer-to-peer
messages to fill the memory of a node, resulting in a crash.
We need to load these early so that it's possible for other
initialization steps to respect them. However, we were loading them
slightly too early, before the config file had been read, which meant
that only CLI arguments were being used.
We now load the `-allowdeprecated` settings just after the config file
is parsed and the chain parameters are prepared; neither of these are
features we would ever consider deprecating (at least while `zcashd`
exists in its Bitcoin Core-derived form).
Closes zcash/zcash#6420.
These features were deprecated at least 3 minor releases ago. I found
one mistake which was that `z_validateaddress` had not been placed
behind the `addrtype` deprecated feature; this has been fixed.
The RPC method handler is left in as a tombstone, to redirect callers to
the replacement method (as this is an upstream Bitcoin Core RPC method
that users may expect to be present).
We've decided to remove the option to allow all deprecated features,
because this has the effect that, if a user enables this flag, they
won't get the warning (and hence may forget to take action) at the time
that a feature is moved from the default-allowed set to the
default-denied set.
Co-authored-by: str4d <thestr4d@gmail.com>
This adds an `-allowdeprecated` CLI parameter whose value is a flag
indicating a deprecated feature that should be explicitly enabled.
Multiple instances of this argument may be provided. In the case that
this parameter is not provided, all currently deprecated RPC methods
that are not slated for removal in the next release remain available.
A user may disable all deprecated features entirely by providing the
string "none" as the argument to this parameter, or enable all
deprecated features, including those slated for removal, by providing
the string "all" as the argument to this parameter. In the case that
"all" or "none" is specified, multiple invocations of `-allowdeprecated`
are not permitted.
To explicitly enable only a specific set of deprecated features, use
`-allowdeprecated=<flag1> -allowdeprecated=<flagN> ...` when starting
zcashd. The following flags are recognized:
- "all" - enables all deprecated features.
- "none" - disables all deprecated features.
- "legacy_privacy" - enables the use of the deprecated "legacy" privacy
  policy for z_sendmany. This causes the default behavior to conform to
  the `FullPrivacy` directive in all cases instead of just for
  transactions involving unified addresses.
- "getnewaddress" - enables the `getnewaddress` RPC method.
- "z_getnewaddress" - enables the `z_getnewaddress` RPC method.
- "zcrawreceive" - enables the `zcrawreceive` RPC method.
- "zcrawjoinsplit" - enables the `zcrawjoinsplit` RPC method.
- "zcrawkeygen" - enables the `zcrawkeygen` RPC method.
- "addrtype" - when this option is set, the deprecated `type` attribute
  is returned in addition to `pool` or `address_type` (which contain the
  same information) in the results of RPC methods that return address metadata.
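
The `-allowdeprecated` rules described in the commit message above, as an added example (not zcashd's own code). It models the rules as that message states them, including "all", which another commit message on this page removes. The function name, the default-denied set and the rejection of unrecognized values are assumptions.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Flags listed in the commit message above ("all"/"none" are handled separately).
static const std::set<std::string> KNOWN_FLAGS = {
    "legacy_privacy", "getnewaddress", "z_getnewaddress", "zcrawreceive",
    "zcrawjoinsplit", "zcrawkeygen", "addrtype"};

// ASSUMPTION: hypothetical default-denied set; the page does not list it.
static const std::set<std::string> HYPOTHETICAL_DEFAULT_DENIED = {
    "zcrawreceive", "zcrawjoinsplit", "zcrawkeygen"};

// Hypothetical helper: fills `enabled`; returns false and sets `err` on bad input.
bool ResolveAllowDeprecated(const std::vector<std::string>& values,
                            std::set<std::string>& enabled, std::string& err)
{
    enabled.clear();
    err.clear();
    if (values.empty()) {  // parameter absent: default-allowed features stay on
        for (const auto& f : KNOWN_FLAGS)
            if (!HYPOTHETICAL_DEFAULT_DENIED.count(f)) enabled.insert(f);
        return true;
    }
    for (const auto& v : values) {
        if (v == "all" || v == "none") {
            if (values.size() > 1) err = "'" + v + "' must be the only value";
            else if (v == "all") enabled = KNOWN_FLAGS;
            break;
        }
        if (!KNOWN_FLAGS.count(v)) {  // assumption: unknown flags are rejected
            err = "unrecognized deprecated feature '" + v + "'";
            break;
        }
        enabled.insert(v);
    }
    if (!err.empty()) enabled.clear();  // never return a partial set on error
    return err.empty();
}

int main()
{
    std::set<std::string> enabled;
    std::string err;
    // Constructed input: "none" next to another value is rejected.
    if (!ResolveAllowDeprecated({"none", "addrtype"}, enabled, err))
        std::cout << "rejected: " << err << "\n";
}
```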