Merge pull request #57 from CosmWasm/update-009
Update CWA-2024-009
webmaster128 authored Dec 10, 2024
2 parents 166a4c9 + aa51acf commit 7a4d760
Showing 2 changed files with 6 additions and 5 deletions.
8 changes: 4 additions & 4 deletions CWAs/CWA-2024-009.md
Expand Up @@ -10,7 +10,7 @@ Low (Marginal + Likely)[^1]

**Patched versions:**

- wasmd 0.53.1
- wasmd 0.53.2 (please note that wasmd 0.53.1 is broken and must not be used)

## Description of the bug
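
Review bot: The patched-versions entry says wasmd 0.53.1 "is broken and must not be used" but gives no reason or pointer. Operators who already deployed 0.53.1 cannot tell from this line whether they are still exposed to the bug or face a different failure; add a short clause or a link to the release notes saying what is broken and that moving to 0.53.2 is required.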

Expand All @@ -29,9 +29,9 @@ The patch will be shipped in a wasmd release. You will also have to update `libw
If you already use the latest / close to latest wasmd, you can update more or less as follows:

1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd`
2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.1 (Cosmos SDK 0.50 compatible); `go mod tidy`; commit.
2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.2 (Cosmos SDK 0.50 compatible); `go mod tidy`; commit.
3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version.
4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.1.
4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.2.
5. Follow your regular practices to deploy chain upgrades.

To double check if the correct library version is loaded at runtime, use this query:
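
Review bot: Steps 2 and 4 write the version as 0.53.2, while go.mod entries and the output of `go list -m` carry a `v` prefix (`v0.53.2`). Writing it as `v0.53.2` in both steps lets readers paste it into go.mod and compare it verbatim with the command output. Step 2 is also a good place to repeat that 0.53.1 must be skipped, since readers often jump straight to the numbered steps.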
Expand All @@ -42,7 +42,7 @@ If you are instead using wasmvm 2.1.2, then upgrading to 2.1.4 includes the cons

### DIY Patch

If you are unable to upgrade to the latest version, you can backport the wasmd patch to your version. The patch is available at [Wasmd 0.53.1](https://github.com/CosmWasm/wasmd/compare/v0.53.0...v0.53.1).
If you are unable to upgrade to the latest version, you can backport the wasmd patch to your version. The patch is available at [Wasmd 0.53.2](https://github.com/CosmWasm/wasmd/compare/v0.53.0...v0.53.2).
However, if you are on an older version of wasmd, you will also be using a different version of wasmvm. We provide the required patches for wasmvm in versions 2.1.4, 2.0.5, 1.5.6.
To upgrade using this method:
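
Review bot: The DIY patch link now compares v0.53.0...v0.53.2, so the diff a backporter sees includes whatever shipped in the broken 0.53.1 together with its correction. Say in this paragraph that the full range must be applied, or list the commits to cherry-pick, so nobody backports only the 0.53.1 part. The link text "Wasmd 0.53.2" would also read more accurately as a description of the compare view, for example "wasmd v0.53.0...v0.53.2".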

3 changes: 2 additions & 1 deletion CWAs/README.md
Expand Up @@ -4,7 +4,7 @@

| Severity[^1] | Scope[^2] | ID | Aliases |
| ------------ | --------- | ---------------------------------------------------------------------------- | ------------------------------------------ |
| Low | VM | [CWA-2024-009][CWA-2024-009] |
| Low | VM | [CWA-2024-009][CWA-2024-009] | [GHSA-vmg2-r3xv-r3xf] |
| Medium | VM | [CWA-2024-008: Panic in wasmvm can slow down block production][CWA-2024-008] | [GHSA-vmqh-5232-v43r] |
| Medium | VM | [CWA-2024-007: Incorrect metering][CWA-2024-007] | [GHSA-2q97-m5rc-p3gp] |
| Medium | x/wasm | [CWA-2024-006: Non-deterministic module_query_safe query][CWA-2024-006] | [GHSA-fpgj-cr28-fvpx] |
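
Review bot: The CWA-2024-009 row still has a bare ID as link text, while the rows below it carry a title after the ID (for example "CWA-2024-008: Panic in wasmvm can slow down block production"). Add the advisory title here for consistency, and pad the ID and Aliases cells to the column width used by the other rows so the raw Markdown table stays aligned.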
Expand Down Expand Up @@ -34,6 +34,7 @@
[GHSA-fpgj-cr28-fvpx]: https://github.com/advisories/GHSA-fpgj-cr28-fvpx
[GHSA-2q97-m5rc-p3gp]: https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-2q97-m5rc-p3gp
[GHSA-vmqh-5232-v43r]: https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-vmqh-5232-v43r
[GHSA-vmg2-r3xv-r3xf]: https://github.com/CosmWasm/wasmd/security/advisories/GHSA-vmg2-r3xv-r3xf

## 2023
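
Review bot: The new [GHSA-vmg2-r3xv-r3xf] reference points at a CosmWasm/wasmd security advisory, whereas the table row lists this CWA with scope VM and the other VM entries link to CosmWasm/wasmvm advisories. Confirm the scope column and the advisory repository agree, or note in the advisory that the fix is delivered through wasmd.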
