rad:z371PVmDHdjJucejRoRYJcDEvD5pp
Radicle website including documentation and guides
post: Follow-up on Vulnerability Disclosure
Lorenz Leutgeb committed 1 month ago
commit 7452599346071850936519305fcc72a06e8bc1d4
parent 52c841e
3 files changed +42 -1
modified _posts/2026-03-18-radicle-1.7.0.md
@@ -29,7 +29,7 @@ curl -sSLf {{ site.url }}/install | sh -s -- --no-modify-path --version=1.7.0
## ⚠️ Security Fix

This release contains a security fix, and so it is **highly recommended that you update all of your nodes**.
-
The information on the vulnerability will be disclosed on the 2026-03-23, with a full write-up at <https://radicle.xyz/2026/03/23/vulnerability-disclosure>.
+
The information on the vulnerability will be disclosed on the 2026-03-23, with a full write-up at <{{ site.url }}{% post_url 2026-03-23-vulnerability-disclosure %}>.

We have taken the time to scan all existing repositories on our public seeds, and have not detected any active exploitation of the vulnerability with malicious intent as of today, 2026-03-18.

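Review bot: The sentence on the changed line still says the vulnerability "will be disclosed on the 2026-03-23, with a full write-up at" the linked post, but the post added in this same commit says disclosure is delayed until 1.8.0 is available. Only the link target changes here, so the 1.7.0 release notes keep promising a date that the target page does not meet. Suggest rewording the sentence to say that disclosure was postponed and that the linked post explains why. Switching from the hardcoded URL to `post_url` is a good change, since the build then fails if the post is missing or renamed.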
added _posts/2026-03-23-vulnerability-disclosure.md
@@ -0,0 +1,40 @@
+
---
+
title: "Vulnerability Disclosure"
+
image: radicle-1.png
+
redirect_from: /2026/03/23/vulnerability-disclosure
+
---
+

+
As announced in the release notes for [Radicle 1.7.0]({% post_url 2026-03-18-radicle-1.7.0 %}),
+
that version contains a mitigation for a security vulnerability.
+
Due to backward compatibility issues, indirectly related to the mitigation,
+
we released [Radicle 1.7.1]({% post_url 2026-03-20-radicle-1.7.1 %}).
+
That release restores backward compatibility and also contains the mitigation.
+

+
With the knowledge of how 1.7.0 broke backwards compatibility, however, we decided to
+
take a slightly more general view on backwards compatibility in light of the security
+
vulnerability.
+

+
We are currently working on two features (see below) that will be released in version 1.8.0,
+
and decided to delay disclosure of the security vulnerability until that release is available,
+
at which point this page will be updated.
+

+
Radicle 1.8.0 will better protect users, and give them options to increase their level
+
of protection further via configuration.
+

+
## Downgrade Attack Protection
+

+
We are adding protections against downgrade attacks that rely on data that was received per-node,
+
rather than requiring all nodes to upgrade in order to stay compatible.
+

+
## Configuration of Protection Level
+

+
We are working on a configuration option that will allow node operators and users to
+
decide how backwards compatible their node should behave.
+
That is, a way for node operators to decide for themselves where they stand on an ordinal
+
scale that trades off maximal backwards compatiblity and minimal security one end and
+
minimal backwards compatibility and maximal security on the other.
+

+
---
+

+
We would like to thank you for your patience and your trust as we work on ensuring that the
+
Radicle network stays secure.
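Review bot: The post says that 1.7.0 and 1.7.1 contain the mitigation but never states what readers should do until 1.8.0 ships; the opening paragraph should name the version to run in the meantime, in line with the "highly recommended that you update all of your nodes" wording in the 1.7.0 notes. Under "Downgrade Attack Protection", the phrase "protections against downgrade attacks that rely on data that was received per-node" is ambiguous about whether the protections or the attacks rely on that data; restructure the sentence so the subject is clear. Under "Configuration of Protection Level", "compatiblity" is misspelled and "minimal security one end" is missing "on"; the text also alternates between "backward" and "backwards" compatibility.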
modified index.md
@@ -113,6 +113,7 @@ updated, join our community on 💬 [Zulip][zulip], or <a href="{{ site.feed.pat
  Subscribe <img src="/assets/images/rss.svg" alt="RSS logo" style="width:15px;"/>
</a>

+
- 23.03.2026 [Vulnerability Disclosure]({% post_url 2026-03-23-vulnerability-disclosure %}). 🔐
- 20.03.2026 [Radicle 1.7.1]({% post_url 2026-03-20-radicle-1.7.1 %}) released. 🛠️
- 18.03.2026 [Radicle 1.7.0]({% post_url 2026-03-18-radicle-1.7.0 %}) released. 🌤️
- 14.01.2026 [Radicle 1.6.0]({% post_url 2026-01-14-radicle-1.6.0 %}) released. ✨
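Review bot: The new list entry is labelled "Vulnerability Disclosure", yet the post it links to announces that disclosure is delayed until 1.8.0, so readers scanning the news list will expect a write-up that is not there. The commit subject already calls this a "Follow-up on Vulnerability Disclosure"; consider using that wording for the link text and the post title until the page is updated with the actual disclosure.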