Update blst to 0.3.12
Context and scope
Currently avalanchego uses version 0.3.11 of the blst library to implement BLS12-381 signatures. Version 0.3.12 of blst improves security as described in its release notes https://github.com/supranational/blst/releases/tag/v0.3.12 and in particular includes the commits https://github.com/supranational/blst/commit/dae1f9416f157112be1dc46209a32ed5414fd525 and https://github.com/supranational/blst/commit/6cca12ac0c10ca8752d1788ee44891261c0f272a that
- Improve the security of the library by moving constants to a read-only section (not allowing attackers to modify the constants after the program starts)
- Work with OpenBSD/adJ and advance #2782. Due to the security policies of that OS, the previous version 0.3.11 with avalanchego produced segmentation faults sporadically, see https://github.com/supranational/blst/issues/206. The issue was solved with the mentioned commits included in version 0.3.12.
Discussion and alternatives
IMHO it is a good security practice to update library versions periodically.
Open questions
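A dependency bump like this one is easy to lose in a later merge or a `go mod tidy` that resolves to an older requirement. As an added example (not part of this issue or of avalanchego's code), the Go program below implements a minimum-version guard a CI job could run: it scans a go.mod file for the `github.com/supranational/blst` requirement and reports whether it is at or above v0.3.12. The go.mod excerpt embedded as `sampleGoMod` is constructed for illustration and is not avalanchego's real go.mod; the function names `AtLeast`, `requiredVersion` and `parseSemver` are this example's own. The check deliberately fails closed (error) when the module is absent or a version does not parse.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt used as sample input; it is
// NOT avalanchego's real go.mod. It still pins the pre-fix blst release.
const sampleGoMod = `module github.com/example/node

go 1.21

require (
	github.com/supranational/blst v0.3.11
	golang.org/x/crypto v0.21.0
)
`

// requiredVersion scans go.mod text for the requirement line of the given
// module path and returns its version string, or "" if the module is absent.
// Both the single-line "require path version" form and the indented form
// inside a require ( ... ) block are handled; replace directives are not.
func requiredVersion(gomod, module string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 && f[0] == module {
			return f[1] // a trailing "// indirect" comment is ignored
		}
	}
	return ""
}

// parseSemver turns "v0.3.12" (optionally with a -prerelease or +build
// suffix) into [major, minor, patch]; anything else is rejected.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad version component %q", p)
		}
		out[i] = n
	}
	return out, nil
}

// AtLeast reports whether gomod pins module at or above minVersion.
// It returns an error when the module is missing or a version does not
// parse, so a CI guard built on it fails closed rather than silently passing.
func AtLeast(gomod, module, minVersion string) (bool, error) {
	have := requiredVersion(gomod, module)
	if have == "" {
		return false, fmt.Errorf("%s not found in go.mod", module)
	}
	h, err := parseSemver(have)
	if err != nil {
		return false, err
	}
	m, err := parseSemver(minVersion)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != m[i] {
			return h[i] > m[i], nil
		}
	}
	return true, nil
}

func main() {
	const module, minimum = "github.com/supranational/blst", "v0.3.12"
	ok, err := AtLeast(sampleGoMod, module, minimum)
	switch {
	case err != nil:
		fmt.Println("check failed:", err)
	case !ok:
		fmt.Printf("%s is below %s; bump it with: go get %s@%s\n", module, minimum, module, minimum)
	default:
		fmt.Printf("%s pinned at %s or newer\n", module, minimum)
	}
}
```

Run against a real checkout by reading go.mod from disk and passing its contents to `AtLeast`; the sample above reports the pre-fix v0.3.11 as too old. The guard intentionally ignores `replace` directives, so a replace that redirects blst to an older fork would need a separate check.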
This issue has become stale because it has been open 60 days with no activity. Adding the lifecycle/frozen label will cause this issue to ignore lifecycle events.
I have been updating the corresponding PR #3080
Closing because it was updated in go.mod