This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

EOSIO 1.0.9 Release Notes

@wanderingbort wanderingbort released this 11 Jul 03:34
· 12696 commits to master since this release
ef654aa

The release of v1.0.8 provides non-critical security updates.

Description of the Issues

This release addresses these issues:

Host Header Validation for HTTP endpoints

When making HTTP RPC calls, clients are required by the standard to include an HTTP Host header. nodeos now validates that the contents of that header match the expected value based on configuration. The expected Host header is the host:port combination from the configuration or command line. If the port is the default port for the scheme (e.g. 80 for HTTP and 443 for HTTPS), it can be omitted. By default, the expected values are the exact values passed to http-server-address and https-server-address; however, there are new options to assist deployments:

  • http-alias can be specified multiple times to provide alternative hosts.
  • http-validate-host can be set to true or false to indicate whether these extra validations should be enabled or disabled, respectively (default is true).

cleos has been updated to produce standards-compliant Host: headers!

Users: If cleos is unable to communicate with an RPC node after the update, please verify that the host:port matches one of the configured addresses or aliases for the node you are connecting to.

Node Operators: Please ensure that your public-facing URLs are listed as aliases after upgrading to avoid disruptions for your users.
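
The matching rule described above, as an added Python example that is not nodeos code and not part of the original release notes: it reads the four options named here from config.ini-style text and reports which public-facing Host values would be rejected until they are added as aliases. The sample addresses and hostnames are constructed; case-insensitive comparison and aliases applying to both endpoints are assumptions of this model.

```python
# Added example: models the Host rule as these notes state it; not nodeos code.
DEFAULT_PORT = {"http": "80", "https": "443"}

def parse_config(text):
    """Collect the four options named in the notes from config.ini-style text."""
    cfg = {"http": None, "https": None, "aliases": [], "validate": True}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("http-server-address", "https-server-address"):
            cfg[key.split("-")[0]] = value
        elif key == "http-alias":          # may be specified multiple times
            cfg["aliases"].append(value)
        elif key == "http-validate-host":  # default is true
            cfg["validate"] = value.lower() != "false"
    return cfg

def accepted_hosts(cfg, scheme):
    """Host values that pass on the endpoint for `scheme` ('http' or 'https')."""
    # Assumption: aliases apply to both endpoints and compare case-insensitively.
    hosts = {alias.lower() for alias in cfg["aliases"]}
    address = cfg[scheme]
    if address:
        hosts.add(address.lower())
        host, sep, port = address.rpartition(":")
        if sep and port == DEFAULT_PORT[scheme]:
            hosts.add(host.lower())        # default port may be omitted
    return hosts

def host_allowed(cfg, scheme, host_header):
    return not cfg["validate"] or host_header.strip().lower() in accepted_hosts(cfg, scheme)

def rejected(cfg, scheme, public_hosts):
    """Public-facing host values an operator still needs to add as http-alias."""
    return [h for h in public_hosts if not host_allowed(cfg, scheme, h)]

# Constructed sample configuration; addresses and hostnames are placeholders.
SAMPLE = """
http-server-address = 127.0.0.1:8888
https-server-address = node.example.com:443
http-alias = api.example.com
http-alias = api.example.com:8888
http-validate-host = true
"""

if __name__ == "__main__":
    print(rejected(parse_config(SAMPLE), "http", ["api.example.com", "rpc.example.org:8888"]))
```

With the sample configuration, a bare `127.0.0.1` is rejected on the HTTP endpoint because 8888 is not the default port, while `node.example.com` passes on the HTTPS endpoint because 443 is.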

Mitigations

  • None