We are releasing Zebra 4.4.1 today. This release contains a fix for a consensus-critical security vulnerability, and we strongly encourage all node operators to upgrade immediately. You can update directly to it if you have not updated for the last couple of releases.
Note that the 4.4.0 release was just three days ago. If you have already upgraded, unfortunately you will need to upgrade again.
Security Advisories
GHSA-pvmv-cwg8-v6c8: Zebra still accepts V5 SIGHASH_SINGLE without a corresponding output
Zebra failed to enforce a ZIP-244 consensus rule for V5 transparent transactions: when an input is signed with SIGHASH_SINGLE and there is no transparent output at the same index as that input, validation must fail. Zebra instead asked the underlying sighash library to compute a digest, and that library produced a digest over an empty output set rather than failing. An attacker could craft a V5 transaction with more transparent inputs than outputs that Zebra accepts but zcashd rejects, creating a consensus split between Zebra and zcashd nodes.
A previous fix (GHSA-cwfq-rfcr-8hmp) addressed a closely related case in the same area of the code, but did not cover this specific one.
Thanks to @sangsoo-osec, @zmanian, and @fivelittleducks for reporting the issue.
Upgrading
We strongly recommend all Zebra node operators upgrade to 4.4.1 as soon as possible, particularly due to the consensus vulnerabilities described above. There are no known workarounds — upgrading is the only way to ensure your node remains on the correct chain and is protected against the issues listed in this release. You can find the release on GitHub.
Thank You to Our Contributors
This release was made possible by the work of @alchemydc, @arya2, @conradoplg, @daira, @gustavovalverde, @mpguerra, @oxarbitrage, @schell, and @upbqdn. Thank you for your continued contributions to Zebra.
Zebra is the Zcash Foundation’s independent, Rust-based implementation of the Zcash protocol. Learn more at github.com/ZcashFoundation/zebra.