chore: v0.38.17 release (tendermint#4909)

melekes · web-flow · commit d03254d3599b · 2025-02-03T09:47:53.000+04:00
diff --git a/.changelog/v0.38.17/bug-fixes/2025-001-malicious-peer-can-make-node-stuck-in-blocksync.md b/.changelog/v0.38.17/bug-fixes/2025-001-malicious-peer-can-make-node-stuck-in-blocksync.md
diff --git a/.changelog/v0.38.17/bug-fixes/2025-002-block-part-validation.md b/.changelog/v0.38.17/bug-fixes/2025-002-block-part-validation.md
diff --git a/.changelog/v0.38.17/dependencies/4891-update-go.md b/.changelog/v0.38.17/dependencies/4891-update-go.md
@@ -0,0 +1,2 @@
+- `[go/runtime]` Bump minimum Go version to 1.22.11
+  ([\#4891](https://github.com/cometbft/cometbft/pull/4891))
diff --git a/.changelog/v0.38.17/summary.md b/.changelog/v0.38.17/summary.md
@@ -0,0 +1,4 @@
+*February 3, 2025*
+
+This release fixes two security issues (ASA-2025-001, ASA-2025-002). Users are
+encouraged to upgrade as soon as possible.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,24 @@
 # CHANGELOG
 
+## v0.38.17
+
+*February 3, 2025*
+
+This release fixes two security issues (ASA-2025-001, ASA-2025-002). Users are
+encouraged to upgrade as soon as possible.
+
+### BUG FIXES
+
+- `[blocksync]` Ban peer if it reports height lower than what was previously reported
+  ([ASA-2025-001](https://github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4))
+- `[types]` Check that `Part.Index` equals `Part.Proof.Index`
+  ([ASA-2025-001](https://github.com/cometbft/cometbft/security/advisories/GHSA-r3r4-g7hq-pq4f))
+
+### DEPENDENCIES
+
+- `[go/runtime]` Bump minimum Go version to 1.22.11
+  ([\#4891](https://github.com/cometbft/cometbft/pull/4891))
+
 ## v0.38.16
 
 *December 20 2024*
@@ -14,8 +33,6 @@ As a consequence of this incorrect behavior a node would be marked as BAD.
 - `[mocks]` Mockery `v2.49.0` broke the mocks. We had to add a `.mockery.yaml` to
 properly handle this change.
   ([\#4521](https://github.com/cometbft/cometbft/pull/4521))
-- `[p2p/pex`]: do not send PEX request in fast dial mode
-  ([\#4649](https://github.com/cometbft/cometbft/pull/4649))
 
 ## v0.38.15
 
@@ -864,3 +881,4 @@ Friendly reminder, we have a [bug bounty program](https://hackerone.com/cosmos).
 ## Previous changes
 
 For changes released before the creation of CometBFT, please refer to the Tendermint Core [CHANGELOG.md](https://github.com/tendermint/tendermint/blob/a9feb1c023e172b542c972605311af83b777855b/CHANGELOG.md).
+
diff --git a/version/version.go b/version/version.go
@@ -3,7 +3,7 @@ package version
 const (
 	// TMVersionDefault is the used as the fallback version of CometBFT
 	// when not using git describe. It is formatted with semantic versioning.
-	TMCoreSemVer = "0.38.16"
+	TMCoreSemVer = "0.38.17"
 	// ABCISemVer is the semantic version of the ABCI protocol
 	ABCISemVer  = "2.0.0"
 	ABCIVersion = ABCISemVer

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+- `[go/runtime]` Bump minimum Go version to 1.22.11
	`2`	`+ ([\#4891](https://github.com/cometbft/cometbft/pull/4891))`