Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yOXJ2LTltaDgtcHhmNM4AA5Cj
Nervos CKB BlockTimeTooNew should not be considered as invalid block
Impact
Currently, when a node receives a block in future according to its local wall clock, it will mark the block as invalid and ban the peer.
If the header's timestamp is more than 15 seconds ahead of our current time. In that case, the header may become valid in the future, and we don't want to disconnect a peer merely for serving us one too-far-ahead block header, to prevent an attacker from splitting the network by mining a block right at the 15 seconds boundary.
Patches
Upgrade to v0.33.1 or above.
Workarounds
Don't ban peer serving too-far-ahead block header.
Permalink: https://github.com/advisories/GHSA-r9rv-9mh8-pxf4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOXJ2LTltaDgtcHhmNM4AA5Cj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 10 months ago
Identifiers: GHSA-r9rv-9mh8-pxf4
References:
- https://github.com/nervosnetwork/ckb/security/advisories/GHSA-r9rv-9mh8-pxf4
- https://github.com/nervosnetwork/ckb/commit/760d447c8b600df0539debe80b1625836fc72819
- https://github.com/advisories/GHSA-r9rv-9mh8-pxf4
Blast Radius: 1.0
Affected Packages
cargo:ckb
Dependent packages: 0Dependent repositories: 0
Downloads: 62,973 total
Affected Version Ranges: <= 0.33.0
Fixed in: 0.33.1
All affected versions: 0.1.0
All unaffected versions: 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.40.0, 0.42.0, 0.43.0, 0.43.2, 0.100.0, 0.101.0, 0.101.1, 0.101.2, 0.101.3, 0.101.4, 0.101.5, 0.101.6, 0.101.7, 0.101.8, 0.102.0, 0.103.0, 0.104.0, 0.104.1, 0.105.0, 0.105.1, 0.106.0, 0.107.0, 0.108.0, 0.108.1, 0.109.0, 0.110.0, 0.110.1, 0.110.2, 0.111.0, 0.112.0, 0.112.1, 0.113.0, 0.113.1, 0.114.0, 0.115.0, 0.116.0, 0.116.1, 0.117.0, 0.118.0, 0.119.0