This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

Releases: EOSIO/eos

EOSIO 1.0.10 Release Notes

13 Jul 02:21
3c6134c

Description of the Issues

This release addresses these issues:

Relax Host header Validation

Changes in v1.0.9 introduced very strict HTTP Host: header validation. These rules have been relaxed in the following ways:

  • when connecting by IP, if the IP[:PORT] in the Host: header matches the socket's local IP[:PORT] the Host: is considered valid.
    • this allows proper operation of 0.0.0.0 listening addresses
  • when specifying a PORT via a well-known-port string, the resolved version of that port is also valid in the Host: header

Proper http-alias for Docker services

The typical Docker use case is to reach services by their resolvable service names, nodeos:8000 for instance. The Docker configs now add those service names to the validating HTTP aliases, along with other common host names such as localhost.

EOSIO 1.0.9 Release Notes

11 Jul 03:34
ef654aa

The release of v1.0.9 provides non-critical security updates.

Description of the Issues

This release addresses these issues:

Host Header Validation for HTTP endpoints

When making HTTP RPC calls, clients are required by the standard to include an HTTP Host header. nodeos now validates that the contents of that header match the expected value derived from its configuration. The expected Host header is the host:port combination from the configuration or command line; if the port is the default port for the scheme (e.g. 80 for HTTP and 443 for HTTPS) it can be omitted. By default the expected values are exactly the values passed to http-server-address and https-server-address; however, there are new options to assist deployments:

  • http-alias can be specified multiple times to provide alternative hosts.
  • http-validate-host can be set to true or false to enable or disable these extra validations respectively (default is true)

cleos has been updated to produce standard compliant Host: headers!

Users: If cleos is unable to communicate with an RPC node after the update, please verify that the host:port matches one of the configured addresses or aliases for the node you are connecting to

Node Operators: please ensure that your public facing URLs are listed as aliases after upgrading to avoid disruptions for your users
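The rules above (exact match against the configured address, aliases, default-port omission, the http-validate-host switch) together with the v1.0.10 relaxations (an IP literal naming the socket's own local IP:port, and well-known port strings resolved to numbers) are easy to get subtly wrong, so here is a small validator that implements them. This is an added example, not nodeos's http_plugin code: the HostValidatorConfig struct, the kServices table standing in for getservbyname(), and the function names are assumptions made for the illustration.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Assumed configuration shape; the field names mirror the options named in the release notes.
struct HostValidatorConfig {
    bool validate_host = true;            // http-validate-host
    bool https = false;                   // selects the default port that may be omitted (80 or 443)
    std::string server_address;           // http-server-address / https-server-address, e.g. "0.0.0.0:8888"
    std::vector<std::string> aliases;     // http-alias, may be given several times
};

struct HostPort { std::string host; std::string port; };

// Stand-in for getservbyname(): well-known port strings a config may use.
static const std::map<std::string, std::string> kServices = {
    {"http", "80"}, {"https", "443"}, {"http-alt", "8080"}};

static std::string to_lower(std::string s) {
    for (auto& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Split "host[:port]"; a bracketed IPv6 literal keeps its brackets as the host part.
static HostPort split_host_port(const std::string& s) {
    HostPort hp;
    if (!s.empty() && s[0] == '[') {
        auto close = s.find(']');
        if (close == std::string::npos) return hp;            // malformed: empty host never matches
        hp.host = s.substr(0, close + 1);
        if (close + 1 < s.size() && s[close + 1] == ':') hp.port = s.substr(close + 2);
        return hp;
    }
    auto colon = s.rfind(':');
    if (colon == std::string::npos) { hp.host = s; return hp; }
    hp.host = s.substr(0, colon);
    hp.port = s.substr(colon + 1);
    return hp;
}

// Canonical "host[:port]": lower-case host, service names resolved to numbers,
// and the scheme's default port dropped so "api.example.com" == "api.example.com:80".
static std::string canonical(const std::string& hostport, bool https) {
    HostPort hp = split_host_port(hostport);
    std::string host = to_lower(hp.host);
    std::string port = to_lower(hp.port);
    auto it = kServices.find(port);
    if (it != kServices.end()) port = it->second;
    const std::string default_port = https ? "443" : "80";
    if (port.empty() || port == default_port) return host;
    return host + ":" + port;
}

static bool is_ip_literal(const std::string& host) {
    if (host.empty()) return false;
    if (host[0] == '[') return true;                          // bracketed IPv6
    for (char c : host)
        if (!std::isdigit(static_cast<unsigned char>(c)) && c != '.') return false;
    return true;
}

// True when the Host: header should be accepted for this listener. socket_local_endpoint is the
// accepted socket's own IP:port (e.g. "10.0.0.5:8888"), which is what makes a 0.0.0.0 listener usable.
bool host_header_valid(const HostValidatorConfig& cfg,
                       const std::string& host_header,
                       const std::string& socket_local_endpoint) {
    if (!cfg.validate_host) return true;                      // http-validate-host = false
    if (host_header.empty()) return false;                    // the header is mandatory
    const std::string got = canonical(host_header, cfg.https);
    if (got.empty()) return false;                            // malformed header
    if (got == canonical(cfg.server_address, cfg.https)) return true;
    for (const auto& alias : cfg.aliases)
        if (got == canonical(alias, cfg.https)) return true;
    // v1.0.10 relaxation: an IP literal that names this very socket is also acceptable.
    if (is_ip_literal(split_host_port(host_header).host) &&
        got == canonical(socket_local_endpoint, cfg.https)) return true;
    return false;
}

int main() {
    HostValidatorConfig cfg;
    cfg.server_address = "0.0.0.0:8888";
    cfg.aliases = {"api.example.com:80", "localhost:8888"};
    const char* probes[] = {"api.example.com", "API.example.com:80", "localhost:8888",
                            "10.0.0.5:8888", "10.0.0.5", "evil.example.com:8888"};
    for (const char* h : probes)
        std::cout << h << " -> " << (host_header_valid(cfg, h, "10.0.0.5:8888") ? "accept" : "reject") << '\n';
}
```

Note that "10.0.0.5" without a port is rejected even though the socket is 10.0.0.5:8888: the relaxation compares IP[:PORT] with IP[:PORT], and only the scheme's default port may be omitted. Operators whose public URL is https://api.example.com with a reverse proxy in front still need that public host as an http-alias, because the header the proxy forwards is the public one, not the listener's.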

Mitigations

  • None

EOSIO 1.0.8 Release Notes

03 Jul 21:29
5875549

The release of v1.0.8 provides non-critical security updates.

Introducing the EOSIO Contracts Repo

The design of the EOSIO blockchain calls for a number of smart contracts that are run at a privileged permission level in order to support functions such as block producer registration and voting, token staking for CPU and network bandwidth, RAM purchasing, token transfer, multi-sig, etc. The new EOSIO Contracts repository is now the home of those contracts, and they will be deleted from the eos repo once tests are fully migrated to using the new repo.

Description of the Issues

This release addresses these issues:

eosiolib Fixes

  • fixed bad return value for singleton::get_or_create (#4278). Thanks @laqiguy !

Minor Usability Improvements

  • Better error messaging when attempting to create an account with a name that already exists (#4346). Thanks @noisy !
  • Better error messaging when attempting to delete an authority which is linked to an action (#4378)
  • Corrected error message when referencing a permission that does not exist (#4354)
  • Relaxed ABI aware serialization timeouts for cleos (#4403)

Other Changes

  • make install will now install various utility libraries which are helpful for contract developers to standard system paths (#4318)

Mitigations

  • None

EOSIO 1.0.7 Release Notes

26 Jun 21:12
90fefdd

The release of v1.0.7 provides non-critical security updates.

Description of the Issues

This release addresses these issues:

System Contract Updates

  • Round up fee on RAM sales to ensure a non-zero fee is always paid (#4293)
  • Prevent name bids on invalid account names or on account names that do not require bids (#4294)
  • Transfers are not allowed when self-delegating; fix bug where tokens could be pulled from the receiver's unstaking balance (#4295)

Nodeos Updates

  • Added additional calls to msync to better guarantee consistency on successful shutdown of nodeos, should address some cases where the chain log was left in a "dirty" state after shutting nodeos down in Docker (#4316)
  • Allow abi_serializer max_serialization_time to be configurable, add option --abi-serializer-max-time-ms (#4339)
  • Add additional validation to abi_serializer unpacking of arrays (#4339)
  • Check that fetch_block_by_id() returned something valid before dereferencing (#4339)
  • Added stricter local set size for functions (#4339)

Cleos Updates

  • Add R1 public key option for cleos set account permission (#4242)

Mitigations

  • None

EOSIO 1.0.6 Release Notes

22 Jun 18:45
7965119

The release of v1.0.6 provides critical security updates previously disclosed to existing EOSIO-based blockchain custodians.

Block.one would like to thank Andrei Nadejde for discovering and reporting the vulnerability, and the block producers of EOSIO-based blockchains for their prompt response and efforts to protect their respective blockchains.

Description of the Issues

This release addresses two issues:

  • In nodeos: A deferred transaction, which is implicitly replaced with a newer deferred transaction that has the same sender_id, will not release the RAM used to store the replaced deferred transaction back to the user’s resource pool.
  • In the system contract: The account billed for RAM to store the deferred refund transaction was improperly set to the receiver (the party who benefitted from the staked resources) instead of the from (party owed the refund).

The combination of these two issues allowed a malicious user to delegate some amount of resources to the victim account and then repeatedly undelegate those resources in small increments, resulting in exhaustion of the victim's RAM resource pool.

Mitigations

  • Nodes running v1.0.6 will subjectively reject transactions which attempt to schedule a deferred transaction which implicitly overwrites an in-flight deferred transaction.
    • Contracts that wish to use this functionality can safely execute the cancel_deferred intrinsic, even if no in-flight deferred transaction exists, before scheduling the new transaction to avoid this filter.
  • The system contract has been updated to use the explicit cancel-then-schedule paradigm above so that the functionality of undelegatebw remains unchanged but is safe.
  • The system contract has been updated to properly bill the party owed the refund for the temporary RAM usage involved in scheduling the deferred refund transaction.
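To make the interaction of the two issues and the cancel-then-schedule mitigation concrete, here is a runnable model of the deferred-transaction table with per-account RAM accounting. It is an added example, not nodeos or eosio.system code: the DeferredModel class, the 256-byte refund footprint, the hash used as sender_id and the attacker/victim account names are all constructed for the illustration. The vulnerable variant reproduces both issues (implicit replacement that never credits RAM back, and the receiver billed for the refund), the fixed variant follows the paradigm the release notes describe, and schedule_strict models the v1.0.6 subjective filter.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <utility>

using account_name = std::string;

// Assumed RAM footprint of one scheduled refund transaction (constructed figure for the model).
constexpr int64_t kRefundTxBytes = 256;

struct DeferredEntry { account_name payer; int64_t ram_bytes; };

// Model of the generated-transaction table plus per-account RAM accounting (not nodeos's own code).
class DeferredModel {
public:
    using key_t = std::pair<account_name, uint64_t>;   // (sender, sender_id)
    std::map<key_t, DeferredEntry> pending;
    std::map<account_name, int64_t> ram_used;

    // Pre-1.0.6 behaviour (issue 1): the same sender_id implicitly replaces the in-flight
    // transaction, but the replaced entry's RAM is never credited back to its payer.
    void schedule_replace_leaky(const account_name& sender, uint64_t id,
                                const account_name& payer, int64_t bytes) {
        key_t key{sender, id};
        pending.erase(key);                 // old row dropped, its payer's ram_used stays charged
        pending[key] = DeferredEntry{payer, bytes};
        ram_used[payer] += bytes;
    }

    // v1.0.6 subjective filter: an implicit overwrite is rejected outright.
    void schedule_strict(const account_name& sender, uint64_t id,
                         const account_name& payer, int64_t bytes) {
        key_t key{sender, id};
        if (pending.count(key))
            throw std::runtime_error("deferred transaction would implicitly overwrite an in-flight one");
        pending[key] = DeferredEntry{payer, bytes};
        ram_used[payer] += bytes;
    }

    // cancel_deferred: releases the in-flight entry's RAM to its payer; a no-op when nothing is in flight.
    bool cancel_deferred(const account_name& sender, uint64_t id) {
        auto it = pending.find(key_t{sender, id});
        if (it == pending.end()) return false;
        ram_used[it->second.payer] -= it->second.ram_bytes;
        pending.erase(it);
        return true;
    }
};

// The contract keys the refund by the `from` account; this hash is a constructed stand-in.
static uint64_t refund_sender_id(const account_name& from) {
    return static_cast<uint64_t>(std::hash<std::string>{}(from));
}

// Shape of the vulnerable undelegatebw: receiver pays (issue 2) and the schedule implicitly replaces (issue 1).
void undelegatebw_vulnerable(DeferredModel& chain, const account_name& from, const account_name& receiver) {
    chain.schedule_replace_leaky("eosio", refund_sender_id(from), receiver, kRefundTxBytes);
}

// Shape of the fixed undelegatebw: explicit cancel, then schedule, billed to the party owed the refund.
void undelegatebw_fixed(DeferredModel& chain, const account_name& from, const account_name& /*receiver*/) {
    chain.cancel_deferred("eosio", refund_sender_id(from));
    chain.schedule_strict("eosio", refund_sender_id(from), from, kRefundTxBytes);
}

struct Outcome { int64_t victim_ram; int64_t attacker_ram; size_t in_flight; };

// Attacker has delegated to victim once and now undelegates in `iterations` tiny increments.
Outcome run_undelegate_loop(bool fixed, int iterations) {
    DeferredModel chain;
    const account_name attacker = "attacker", victim = "victim";
    for (int i = 0; i < iterations; ++i) {
        if (fixed) undelegatebw_fixed(chain, attacker, victim);
        else       undelegatebw_vulnerable(chain, attacker, victim);
    }
    return Outcome{chain.ram_used[victim], chain.ram_used[attacker], chain.pending.size()};
}

// The strict filter must fire if a contract forgets the cancel step.
bool strict_filter_rejects_implicit_overwrite() {
    DeferredModel chain;
    chain.schedule_strict("eosio", 1, "alice", kRefundTxBytes);
    try {
        chain.schedule_strict("eosio", 1, "alice", kRefundTxBytes);
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}

int main() {
    Outcome before = run_undelegate_loop(false, 1000);
    Outcome after  = run_undelegate_loop(true, 1000);
    std::cout << "vulnerable: victim RAM " << before.victim_ram << " bytes, in flight " << before.in_flight << '\n'
              << "fixed:      victim RAM " << after.victim_ram << " bytes, attacker RAM " << after.attacker_ram << '\n';
}
```

Only one refund transaction is ever in flight in both variants, which is why the leak is invisible from the table itself: the damage is in the RAM accounting, growing by one refund's footprint per undelegate and charged to an account that never signed anything. A contract audit for this class of bug therefore looks at every transaction::send with a reused sender_id and asks who pays and whether the previous transaction was cancelled first.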

EOSIO 1.0.5 Release Notes

16 Jun 14:01
c9b7a24

Urgent release to address 16 June 2018 MainNet outage.

Allow block production to continue in the case where a deferred or delayed transaction has a hard failure (#4158).

EOSIO v1.0.4 Release Notes

15 Jun 22:59
013c282


Usability Updates

There were several improvements to error messages, help text, command line options, and outputs in this release. The --unlock-timeout option was removed due to some potential confusion (#4139). We added some additional security and warning messages (#4083) and the ability to squelch debugging output over http (#4103).

Previously, as a convenience for tutorials, there was a default key created by keosd meant only for developing and testing purposes. This was confusing some users who inappropriately used that key for their own transactions on the main-net. The system no longer generates a default key and a new feature has been added to the Wallet API plugin to remove an existing key from a wallet (#4107).

The Chain API plugin has been modified to now also provide unstaking information of accounts. This accompanies cleos usability improvements to the get account subcommand which now will display the core tokens an account is currently unstaking (#4063) as well as their liquid core token balance (#4082). The changes to the Chain API should not break older versions of clients like cleos and likely other existing wallets. Furthermore, v1.0.4 cleos should still be compatible with API nodes running on version v1.0.3.

System Contract
There were a couple of changes to the system contract. RAM fees are now rounded up, so effectively everyone pays a non-zero fee for buying RAM, no matter how small the purchase (#4051). And a bug which delayed the activation of name bidding has been fixed (#4106). These changes to the system contract are compatible with the existing table data so upgrading should be straightforward. We have included a step-by-step guide on our Wiki to help block producers with the process of upgrading the system contract.

New Blacklist Feature
There is a new subjective blacklist feature, key-blacklist, which allows producers to add public keys to their config.ini which are disallowed from being used in the authorities of account permissions. Any transaction that tries to add/modify a permission authority (for example through eosio::newaccount or eosio::updateauth) to contain a blacklisted public key is subjectively rejected by the producer (#4110).

Security Updates

We continue to update other areas based on reports through the bug bounty program.

Consensus Changes from v1.0.3

None

EOSIO 1.0.3 Release Notes

12 Jun 02:16
012dc01


This release addresses two areas, usability and security.

Usability Updates

There was some confusion about how to get table entries by index using cleos get table; #3988 addresses this by interpreting the index as a number first.

Some users had trouble building EOSIO; those problems are addressed by #3992.

Improve abi-generator #3970:

  • Remove namespace from the class declared in EOSIO_ABI macro. This prevents the generation of empty abi files when the class used in the macro is fully qualified.
  • Detect //@abi action in class methods. This allows automatic abi generation on contracts not using the EOSIO_ABI macro.
  • Remove deprecated index detection
  • Add f64 (double) as a primitive type

Security Updates

Limit the nesting of block type structures (loop, block, if) to a depth of 1024 to prevent stack overflows in nodeos #4036.
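The depth limit only helps if the validator that enforces it cannot itself be pushed into a stack overflow, which is what happens to a recursive walk over block/loop/if structures. The following added example (not the nodeos WASM validator; the opcode subset, the NestingResult shape and the constructed bodies are assumptions for the illustration) walks a function body iteratively with a single depth counter and rejects anything nested deeper than 1024.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

constexpr size_t kMaxNestingDepth = 1024;   // the limit #4036 imposes, per the release note

// The control-flow subset of the WASM MVP opcode space; other opcodes are out of scope here.
enum : uint8_t {
    OP_NOP = 0x01, OP_BLOCK = 0x02, OP_LOOP = 0x03, OP_IF = 0x04, OP_ELSE = 0x05,
    OP_END = 0x0B, BLOCKTYPE_EMPTY = 0x40
};

struct NestingResult {
    bool ok;            // body is well-nested and within the depth limit
    size_t max_depth;   // deepest nesting seen
    size_t offset;      // byte offset where validation stopped
};

// Iterative walk over a function body: one counter instead of one stack frame per block,
// so the validator cannot be driven into a stack overflow by deeply nested input.
NestingResult check_nesting(const std::vector<uint8_t>& body, size_t limit = kMaxNestingDepth) {
    size_t depth = 0, max_depth = 0;
    for (size_t i = 0; i < body.size(); ++i) {
        switch (body[i]) {
        case OP_BLOCK: case OP_LOOP: case OP_IF:
            if (++depth > limit) return {false, depth, i};                  // too deep: reject
            if (depth > max_depth) max_depth = depth;
            if (i + 1 >= body.size() || body[i + 1] != BLOCKTYPE_EMPTY)
                return {false, max_depth, i};                               // only the empty block type is modelled
            ++i;                                                            // consume the block type byte
            break;
        case OP_END:
            if (depth > 0) { --depth; break; }
            if (i + 1 == body.size()) return {true, max_depth, i};          // the function's own closing end
            return {false, max_depth, i};                                   // end with nothing open
        case OP_ELSE:
            if (depth == 0) return {false, max_depth, i};
            break;
        case OP_NOP:
            break;
        default:
            return {false, max_depth, i};                                   // opcode outside the modelled subset
        }
    }
    return {false, max_depth, body.size()};                                 // ran out of bytes with blocks still open
}

// Constructed body: n nested empty blocks followed by the function's closing end.
std::vector<uint8_t> nested_blocks(size_t n) {
    std::vector<uint8_t> body;
    for (size_t i = 0; i < n; ++i) { body.push_back(OP_BLOCK); body.push_back(BLOCKTYPE_EMPTY); }
    for (size_t i = 0; i < n; ++i) body.push_back(OP_END);
    body.push_back(OP_END);
    return body;
}

int main() {
    for (size_t n : {size_t{1024}, size_t{1025}}) {
        NestingResult r = check_nesting(nested_blocks(n));
        std::cout << n << " nested blocks -> " << (r.ok ? "accepted" : "rejected")
                  << " (max depth " << r.max_depth << ")\n";
    }
}
```

A body of exactly 1024 nested blocks passes and 1025 is rejected at the offending opcode; malformed bodies (an end with nothing open, or blocks left open at end of input) are rejected for a different reason and would be caught by the rest of module validation. The same counter is cheap to keep in a full decoder, so there is no reason to defer the check to a later recursive pass.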

Consensus Changes from v1.0.2

None

EOSIO 1.0.2 Release Notes

08 Jun 23:45
26ec83d


Today’s release is primarily to address two concerns, usability and security. We’ve been busy updating documentation, clarifying error messages, and adding help text where we can, based mostly on your GitHub reports. We’ve also included a few security patches based on reports that we’ve received through the bug bounty program. Keep reading for details.

Usability Updates

The past week has been focused on making usability and quality of life updates. We've been updating build scripts, correcting error messages, and making errors more descriptive. A selection of updates includes:

  • Add API to chain_plugin to get block header state of any reversible block
  • Get meaningful error messages from websocketpp
  • Fix 15% percent message (changed error message in system contract)
  • Better error message when authority is insufficient

Security Updates

As you know, we recently announced our bug bounty program, and have now formally set the program up with HackerOne. We've had several researchers and groups submit various reports, which you've almost certainly already read about in the industry news sites. Of particular note are Guido Vranken and Yuki Chen of the Qihoo 360 Vulcan Team. Others have submitted reports and we continue to address them as fast as possible. As we get these into the product and released, we'll be doing a full, public disclosure through the HackerOne site.

We'd like to sincerely thank those of you that have taken the time to submit these reports. We're working to address them all in a timely manner.

Other Notable Updates

Updates to Whitelist/Blacklist
First up, we'd like to thank the EOS Canada team for bringing this issue to our attention. Personally, I'd like to thank @arhag for this detailed writeup of the solution so I don't have to. Thanks everyone!

Also, related to the Whitelist/Blacklist functionality, we've added a new option called "action-blacklist," which allows actions within a contract to be blacklisted.

Support for name bidding via cleos
Following from previous updates, the name auction bidding is now available through cleos.

Consensus Changes from v1.0.1

Three changes were made that could potentially prevent v1.0.2 nodes from accepting a v1.0.1 blockchain:

  1. Restrict valid WASM contract code (PR #3949).
  2. Billing deferred transaction sender for soft fails (PR #3961).
  3. More precise resource billing calculations (PR #3951).

EOSIO 1.0.1

02 Jun 20:46
0961a56

Changes from v1.0.0 to v1.0.1:

  • Fixed a potential crash.

  • A bug in the history_plugin prevented proper recording of action traces that should have matched the filter-on options utilizing the actor wildcard. This would have resulted in some action traces not appearing in the results of the cleos get actions command. This bug has been fixed with PR #3757.

  • Changes in PR #3763 (originally brought to our attention with PR #3511) allow quotations to now be used in the arguments passed to the cleos.sh and nodeosd.sh scripts in the Docker folder.

  • Other minor fixes to Docker files (see PR #3753 and PR #3764).