From 272a2a36732a7600f28d33fffa1c246c19ac2b41 Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Wed, 20 Aug 2025 16:14:44 +0000 Subject: [PATCH] docs: update CHANGELOG Signed-off-by: Xe Iaso --- .github/actions/spelling/expect.txt | 1 + docs/docs/CHANGELOG.md | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index 76e2060a..7e0cb5f7 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -287,6 +287,7 @@ SVCNAME tagline tarballs tarrif +taviso tbn tbr techaro diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index 7811bedd..ad1dcdcb 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md 
@@ -39,6 +39,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - The word "hack" has been removed from the translation strings for Anubis due to incidents involving people misunderstanding that word and sending particularly horrible things to the project lead over email. - Bump AI-robots.txt to version 1.39 +### Security-relevant changes + +#### Fix potential double-spend for challenges + +Anubis operates by issuing a challenge and having the client present a solution for that challenge. Challenges are identified by a unique UUID, which is tored in the database. + +The problem is that a challenge could potentially be used twice by a dedicated attacker making a targeted attack against Anubis. Challenge records did not have a "spent" or "used" field. In total, a dedicated attacker could solve a challenge once and reuse that solution across multiple sessions in order to mint additional tokens. + +This was fixed by adding a "spent" field to challenges in the data store. When a challenge is solved, that "spent" field gets set to `true`. If a future attempt to solve this challenge is observed, it gets rejected. + +With the advent of store based challenge issuance in [#749](https://github.com/TecharoHQ/anubis/pull/749), this means that these challenge IDs are [only good for 30 minutes](https://github.com/TecharoHQ/anubis/blob/e8dfff635015d6c906dddd49cb0eaf591326092a/lib/anubis.go#L130-L135d). Websites using the most recent version of Anubis have limited exposure to this problem. + +Websites using older versions of Anubis have a much more increased exposure to this problem and are encouraged to keep this software updated as often and as frequently as possible. + +Thanks to [@taviso](https://github.com/taviso) for reporting this issue. + ### Breaking changes - The "slow" frontend solver has been removed in order to reduce maintenance burden. 
Any existing uses of it will still work, but issue a warning upon startup asking administrators to upgrade to the "fast" frontend solver.
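Review bot: The new "Fix potential double-spend for challenges" entry in docs/docs/CHANGELOG.md has two defects that will ship to readers. The first paragraph says the UUID "is tored in the database" (should be "stored"). The permalink in the fourth paragraph ends in `#L130-L135d`, and the trailing `d` should be dropped so the fragment reads `#L130-L135`. Two wording points in the same entry: "store based" should be hyphenated as "store-based", and "a much more increased exposure" reads better as "much greater exposure". The entry tells operators of older versions to update but does not name the release that contains the "spent" field. Stating the first fixed version here would let administrators check their exposure directly.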