Critical Golang Security Update For Celo Node Operators
This notice is for anyone running a celo-blockchain full node on Mainnet. If you are not running a node, then there is no action required at this moment.
Background:
A Golang security update (versions 1.15.5 and 1.14.12) was recently released by Google which fixes CVE-2020-28362. This Golang vulnerability is more severe than expected and, if exploited, could lead to a Denial of Service attack that would prevent your node from operating
This relates to a vulnerability Geth has fixed in its 1.9.24 release. This Ethereum blog post has more information.
Action Required:
For Validators:
Due to the severity of this vulnerability, we strongly suggest upgrading as soon as possible, without a key rotation, and accepting a small amount of downtime in order to minimize the window in which you are vulnerable to DoS. Failing to patch may result in significant downtime for your validator.
Please upgrade both your proxy and validator nodes to version 1.1.1. If you are running more than one validator, please upgrade your nodes in stages, so as not to take all of them down at the same time.
Note that this upgrade doesn’t include Churrito hard fork. Instructions for upgrading a validator node are found here. If building from source use git commit a6f3ed05cc7d9b5617a0dd8d25a011470b3f019e in the celo-blockchain repository with Go v.1.14.12.
Updated docker images can be found here:
- geth: us.gcr.io/celo-org/geth:1.1.1
- geth-all: us.gcr.io/celo-org/geth-all:1.1.1
For Node Operators:
It is requested that all full node operators upgrade their celo-blockchain node to version 1.1.1.
If you are running the Celo node using Docker, upgrade using the following steps:
- Stop your current node by running the following commands:
docker stop -t 60 celo-fullnode
docker rm celo-fullnode
- Pull the new image:
export CELO_IMAGE=us.gcr.io/celo-org/geth:63ece0c2482b596eac8ad9bc9d3af64e1af99a5a
docker pull $CELO_IMAGE
- If you’d like to pull by digest (Alternative Option)
docker pull us.gcr.io/celo-org/geth@sha256:a02fddc6eefa4eff07618dd677e6501b2821d4f6d018dcd2e7bc5049922d255b
- Restart your node:
docker run --name celo-fullnode -d --restart unless-stopped -p 127.0.0.1:8545:8545 -p 127.0.0.1:8546:8546 -p 30303:30303 -p 30303:30303/udp -v $PWD:/root/.celo $CELO_IMAGE --verbosity 3 --syncmode full --rpc --rpcaddr 0.0.0.0 --rpcapi eth,net,web3,debug,admin,personal --light.serve 90 --light.maxpeers 1000 --maxpeers 1100 --etherbase $CELO_ACCOUNT_ADDRESS --datadir /root/.celo --nousb
- See full details on how to upgrade a node here: https://docs.celo.org/validator-guide/node-upgrades#upgrading-a-non-validating-node
If you are building from source, use git commit a6f3ed05cc7d9b5617a0dd8d25a011470b3f019e in the celo-blockchain repository with Go v.1.14.12.
Failing to upgrade may result in significant downtime of any service that you are operating that depends on the Celo network.