Merge release/v1.12.22 into master#696

Merged
diega merged 9 commits into master from release/v1.12.22
Mar 28, 2026

Conversation

@diega
Member

@diega diega commented Mar 28, 2026

Summary

Merge Hermes (v1.12.22) release branch into master.

  • params: bump version to v1.12.23-unstable
  • params: update ETC DNS discovery to etcdisco.net
  • eth/protocols: pre-decode item count validation (CVE-2026-26313 mitigation)
  • crypto/secp256k1: fix coordinate check (CVE-2026-26315)
  • crypto: add IsOnCurve check (CVE-2025-24883)

Release: https://github.com/etclabscore/core-geth/releases/tag/v1.12.22

diega and others added 9 commits March 27, 2026 09:04
Test verifies that IsOnCurve rejects points with coordinates >= P.
Without the fix in the next commit, this test fails because coordinates
equivalent mod P (e.g. Gx+P) are incorrectly accepted as valid.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
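The range check this commit message describes, as an added Go example; it is not core-geth's crypto package, and the names `IsOnCurve`, `curveEquationHolds` and `onCurveWithoutRangeCheck` are illustrative. Only the secp256k1 constants and the curve equation y^2 = x^3 + 7 (mod P) are real; the equation-only variant is included to show why coordinates congruent mod P (the commit's Gx+P case) slip through without the range check.

```go
package main

import (
	"fmt"
	"math/big"
)

// secp256k1 domain parameters (public constants).
var (
	secpP  = mustHex("fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f")
	secpGx = mustHex("79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
	secpGy = mustHex("483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")
	secpB  = big.NewInt(7)
)

func mustHex(s string) *big.Int {
	v, ok := new(big.Int).SetString(s, 16)
	if !ok {
		panic("bad hex constant: " + s)
	}
	return v
}

// curveEquationHolds evaluates y^2 == x^3 + 7 (mod P). Because both sides are
// reduced mod P, any x' congruent to x passes even if x' is not a field element.
func curveEquationHolds(x, y *big.Int) bool {
	lhs := new(big.Int).Mul(y, y)
	lhs.Mod(lhs, secpP)
	rhs := new(big.Int).Mul(x, x)
	rhs.Mul(rhs, x)
	rhs.Add(rhs, secpB)
	rhs.Mod(rhs, secpP)
	return lhs.Cmp(rhs) == 0
}

// onCurveWithoutRangeCheck is the illustrative flawed pattern (hypothetical name):
// it consults only the curve equation, so (Gx+P, Gy) is accepted.
func onCurveWithoutRangeCheck(x, y *big.Int) bool {
	return curveEquationHolds(x, y)
}

// IsOnCurve is the hardened check: both coordinates must be canonical field
// elements in [0, P) before the curve equation is consulted.
func IsOnCurve(x, y *big.Int) bool {
	if x == nil || y == nil {
		return false
	}
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(secpP) >= 0 || y.Cmp(secpP) >= 0 {
		return false
	}
	return curveEquationHolds(x, y)
}

func main() {
	gxPlusP := new(big.Int).Add(secpGx, secpP) // same residue mod P, not a valid coordinate
	fmt.Println("G on curve:           ", IsOnCurve(secpGx, secpGy))
	fmt.Println("(Gx+P, Gy), no range: ", onCurveWithoutRangeCheck(gxPlusP, secpGy))
	fmt.Println("(Gx+P, Gy), hardened: ", IsOnCurve(gxPlusP, secpGy))
}
```

The order matters: the range check has to run before the modular arithmetic, because the reduction inside the equation is exactly what erases the difference between Gx and Gx+P. A point that passes only the equation can still serialize to 33 or more bytes per coordinate and be treated inconsistently by downstream code that assumes canonical encodings.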
…ation)

Add item count validation before full RLP message decoding in both eth
and snap protocol handlers. This prevents memory amplification attacks
where compact RLP-encoded items expand into large in-memory objects.

The check uses rlp.CountValues on the raw payload to count items
without allocating memory for decoded objects. Messages exceeding the
expected limits are rejected before any decoding occurs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Diego López León <dieguitoll@gmail.com>

# Conflicts:
#	params/version.go
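The count-before-decode pattern this commit message describes, as an added Go example rather than core-geth's own eth/snap handler code. Everything here is self-contained and hypothetical: `readHeader`, `CountValues` (named after the `rlp.CountValues` the commit mentions, but a stand-alone reimplementation, not the library's), `PreDecodeCheck`, and a builder for constructed sample messages. It goes slightly beyond the commit text in that the counter also rejects non-canonical lengths and values that claim more bytes than remain, so the pre-check cannot disagree with a later full decode.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

var errMalformed = errors.New("rlp: malformed input")

// readLength decodes an n-byte big-endian length (n <= 8) and rejects non-canonical forms.
func readLength(b []byte, n int) (int, error) {
	if n > 8 || len(b) < n || b[0] == 0 { // leading zero byte is not canonical
		return 0, errMalformed
	}
	var v uint64
	for _, c := range b[:n] {
		v = v<<8 | uint64(c)
	}
	if v < 56 || v > 1<<31 { // long form only for >= 56; 1<<31 is a defensive cap
		return 0, errMalformed
	}
	return int(v), nil
}

// readHeader returns header size, payload size and list-ness of the first RLP value in b.
func readHeader(b []byte) (hdr, size int, isList bool, err error) {
	if len(b) == 0 {
		return 0, 0, false, errMalformed
	}
	p := b[0]
	switch {
	case p < 0x80: // single byte encodes itself
		return 0, 1, false, nil
	case p < 0xb8: // short string
		return 1, int(p - 0x80), false, nil
	case p < 0xc0: // long string: p-0xb7 length bytes follow
		hdr = 1 + int(p-0xb7)
		size, err = readLength(b[1:], hdr-1)
		return hdr, size, false, err
	case p < 0xf8: // short list
		return 1, int(p - 0xc0), true, nil
	default: // long list: p-0xf7 length bytes follow
		hdr = 1 + int(p-0xf7)
		size, err = readLength(b[1:], hdr-1)
		return hdr, size, true, err
	}
}

// CountValues counts top-level RLP values in b by walking headers only; nothing is decoded.
func CountValues(b []byte) (int, error) {
	n := 0
	for len(b) > 0 {
		hdr, size, _, err := readHeader(b)
		if err != nil {
			return 0, err
		}
		if size > len(b)-hdr { // value claims more bytes than remain
			return 0, errMalformed
		}
		b, n = b[hdr+size:], n+1
	}
	return n, nil
}

// PreDecodeCheck rejects a list message with more than maxItems elements before decoding.
func PreDecodeCheck(msg []byte, maxItems int) error {
	hdr, size, isList, err := readHeader(msg)
	if err != nil || !isList || hdr+size != len(msg) {
		return errMalformed
	}
	n, err := CountValues(msg[hdr:])
	if err == nil && n > maxItems {
		err = fmt.Errorf("rlp: %d items exceeds limit of %d", n, maxItems)
	}
	return err
}

// encodeLength and sampleMessage exist only to build constructed (not captured) input.
func encodeLength(prefix byte, n int) []byte {
	if n < 56 {
		return []byte{prefix + byte(n)}
	}
	var be []byte
	for v := n; v > 0; v >>= 8 {
		be = append([]byte{byte(v)}, be...)
	}
	return append([]byte{prefix + 55 + byte(len(be))}, be...)
}

// sampleMessage is an RLP list of n synthetic 32-byte hashes.
func sampleMessage(n int) []byte {
	var body []byte
	for i := 0; i < n; i++ {
		body = append(append(body, encodeLength(0x80, 32)...), bytes.Repeat([]byte{byte(i)}, 32)...)
	}
	return append(encodeLength(0xc0, len(body)), body...)
}
```

In a handler the check sits between reading the raw message bytes and the call that decodes them into a slice of structs: a message of 1000 hashes costs 1000 header reads to reject, whereas decoding it first would allocate 1000 objects (and, for item types that expand on decode, far more memory than the wire bytes) before the length is ever compared to the limit. The limit itself should be the per-message maximum the protocol already defines, so the pre-check never rejects a message the decoder would have accepted.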
@diega diega merged commit 10f1ea7 into master Mar 28, 2026
1 check was pending
@diega diega deleted the release/v1.12.22 branch March 28, 2026 02:42
2 participants