Merge pull request #43 from CosmWasm/fill-CWA-2024-005-CWA-2024-006

Fill CWA-2024-005 and CWA-2024-006
CosmWasm · Aug 21, 2024 · e75165a · e75165a
2 parents f3a18fe + 2b86c1b
commit e75165a
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 0 deletions.
diff --git a/CWAs/CWA-2024-005.md b/CWAs/CWA-2024-005.md
@@ -10,3 +10,34 @@ High (Critical + Likely)
 - wasmd < 0.46.0
 
 **Patched versions:** wasmd 0.53.0, 0.46.0
+
+## Description of the bug
+
+(Blank for now. We'll add more detail once chains had a chance to upgrade.)
+
+## Applying the patch
+
+The patch will be shipped in a wasmd release. You can update more or less as follows:
+
+1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd`
+2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.0 (Cosmos SDK 0.50 compatible) or 0.46.0 (Cosmos SDK 0.47 compatible) depending on which version you are on right now; `go mod tidy`; commit.
+3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version.
+4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.0 or 0.46.0.
+5. Follow your regular practices to deploy chain upgrades.
+
+## Acknowledgement
+
+This issue was found by [unknown feature](https://github.com/unknownfeature) who reported it to the Cosmos Bug Bounty Program on
+HackerOne.
+
+If you believe you have found a bug in the Interchain Stack or would like to contribute to the
+program by reporting a bug, please see <https://hackerone.com/cosmos>.
+
+## Timeline
+
+- 2024-06-28: IBC Team receives a report through the Cosmos bug bounty program maintained by Amulet.
+- 2024-07-18: Confio receives information about the report from the IBC Team.
+- 2024-08-02: Confio developed the patch internally.
+- 2024-08-19: Patch release announced though notifications list.
+- 2024-08-20: Patch release announced on X: <https://x.com/CosmWasm/status/1825814580217381334>.
+- 2024-08-21: Patch released.
diff --git a/CWAs/CWA-2024-006.md b/CWAs/CWA-2024-006.md
@@ -9,3 +9,33 @@ Medium (Moderate + Likely)
 - wasmd 0.52.0
 
 **Patched versions:** wasmd 0.53.0
+
+## Description of the bug
+
+(Blank for now. We'll add more detail once chains had a chance to upgrade.)
+
+## Applying the patch
+
+The patch will be shipped in a wasmd release. You can update more or less as follows:
+
+1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd`
+2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.0; `go mod tidy`; commit.
+3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version.
+4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.0.
+5. Follow your regular practices to deploy chain upgrades.
+
+## Acknowledgement
+
+This issue was found by [amimart](https://github.com/amimart) who reported it to the
+Cosmos Bug Bounty Program on HackerOne.
+
+If you believe you have found a bug in the Interchain Stack or would like to contribute to the
+program by reporting a bug, please see <https://hackerone.com/cosmos>.
+
+## Timeline
+
+- 2024-07-25: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
+- 2024-08-13: Confio developed the patch internally.
+- 2024-08-19: Patch release announced though notifications list.
+- 2024-08-20: Patch release announced on X: <https://x.com/CosmWasm/status/1825814580217381334>.
+- 2024-08-21: Patch released.