Radish alpha
r
radicle.xyz
Radicle website including documentation and guides
Radicle
Git (anonymous pull)
Log in to clone via SSH
Commits
post: Follow-up on Vulnerability Disclosure
Lorenz Leutgeb committed 1 month ago
commit 7452599346071850936519305fcc72a06e8bc1d4
parent 52c841e1f03ca4069042368f8cbe0deaab393592
3 files changed +42 -1
modified _posts/2026-03-18-radicle-1.7.0.md
@@ -29,7 +29,7 @@ curl -sSLf {{ site.url }}/install | sh -s -- --no-modify-path --version=1.7.0
## ⚠️ Security Fix



This release contains a security fix, and so it is **highly recommended that you update all of your nodes**.
- 
The information on the vulnerability will be disclosed on the 2026-03-23, with a full write-up at <https://radicle.xyz/2026/03/23/vulnerability-disclosure>.
+ 
The information on the vulnerability will be disclosed on the 2026-03-23, with a full write-up at <{{ site.url }}{% post_url 2026-03-23-vulnerability-disclosure %}>.



We have taken the time to scan all existing repositories on our public seeds, and have not detected any active exploitation of the vulnerability with malicious intent as of today, 2026-03-18.
added _posts/2026-03-23-vulnerability-disclosure.md
@@ -0,0 +1,40 @@
+ 
---
+ 
title: "Vulnerability Disclosure"
+ 
image: radicle-1.png
+ 
redirect_from: /2026/03/23/vulnerability-disclosure
+ 
---
+
+ 
As announced in the release notes for [Radicle 1.7.0]({% post_url 2026-03-18-radicle-1.7.0 %}),
+ 
that version contains a mitigation for a security vulnerability.
+ 
Due to backward compatibility issues, indirectly related to the mitigation,
+ 
we released [Radicle 1.7.1]({% post_url 2026-03-20-radicle-1.7.1 %}).
+ 
That release restores backward compatibility and also contains the mitigation.
+
+ 
With the knowledge of how 1.7.0 broke backwards compatibility, however, we decided to
+ 
take a slightly more general view on backwards compatibility in light of the security
+ 
vulnerability.
+
+ 
We are currently working on two features (see below) that will be released in version 1.8.0,
+ 
and decided to delay disclosure of the security vulnerability until that release is available,
+ 
at which point this page will be updated.
+
+ 
Radicle 1.8.0 will better protect users, and give them options to increase their level
+ 
of protection further via configuration.
+
+ 
## Downgrade Attack Protection
+
+ 
We are adding protections against downgrade attacks that rely on data that was received per-node,
+ 
rather than requiring all nodes to upgrade in order to stay compatible.
+
+ 
## Configuration of Protection Level
+
+ 
We are working on a configuration option that will allow node operators and users to
+ 
decide how backwards compatible their node should behave.
+ 
That is, a way for node operators to decide for themselves where they stand on an ordinal
+ 
scale that trades off maximal backwards compatiblity and minimal security one end and
+ 
minimal backwards compatibility and maximal security on the other.
+
+ 
---
+
+ 
We would like to thank you for your patience and your trust as we work on ensuring that the
+ 
Radicle network stays secure.
modified index.md
@@ -113,6 +113,7 @@ updated, join our community on 💬 [Zulip][zulip], or <a href="{{ site.feed.pat
  Subscribe <img src="/assets/images/rss.svg" alt="RSS logo" style="width:15px;"/>

</a>
+ 
- 23.03.2026 [Vulnerability Disclosure]({% post_url 2026-03-23-vulnerability-disclosure %}). 🔐

- 20.03.2026 [Radicle 1.7.1]({% post_url 2026-03-20-radicle-1.7.1 %}) released. 🛠️

- 18.03.2026 [Radicle 1.7.0]({% post_url 2026-03-18-radicle-1.7.0 %}) released. 🌤️

- 14.01.2026 [Radicle 1.6.0]({% post_url 2026-01-14-radicle-1.6.0 %}) released. ✨