From fe45483be36ebfea7e172a3ad949e8fe09a8fd95 Mon Sep 17 00:00:00 2001 From: Thane Thomson Date: Wed, 14 Jun 2023 16:12:33 -0400 Subject: [PATCH] Release v0.37.2 (#972) * changelog: Clean up and reorder Signed-off-by: Thane Thomson * changelog: Add severity to security fixes Signed-off-by: Thane Thomson * changelog: Add missing entries Signed-off-by: Thane Thomson * changelog: Release v0.37.2 Signed-off-by: Thane Thomson * Rebuild changelog Signed-off-by: Thane Thomson * version: Bump to v0.37.2 Signed-off-by: Thane Thomson * test/e2e: Use Debian Bullseye as base image Golang recently started offering Debian Bookworm as the default distro for `golang:1.20`, which provides a newer version of RocksDB than what we support in cometbft-db. For now this pins the image to Bullseye, which is the base image we have been using for some time now. Signed-off-by: Thane Thomson --------- 
Signed-off-by: Thane Thomson
---
 .../771-kvindexer-parsing-big-ints.md | 2 -
 .../bug-fixes/771-pubsub-parsing-big-ints.md | 3 --
 .../865-fix-peerstate-marshaljson.md | 2 -
 .../bug-fixes/890-mempool-fix-cache.md | 1 -
 .../771-kvindexer-parsing-big-ints.md | 4 ++
 .../bug-fixes/771-pubsub-parsing-big-ints.md | 4 ++
 .../654-rpc-rm-response-data-logs.md | 0
 .../security-fixes/787-rpc-client-pw.md | 3 ++
 .../793-cli-debug-kill-unsafe-cast.md | 2 +
 .../865-fix-peerstate-marshaljson.md | 3 ++
 .../security-fixes/890-mempool-fix-cache.md | 3 ++
 .changelog/v0.37.2/summary.md | 4 ++
 CHANGELOG.md | 38 +++++++++++++++++++
 test/e2e/docker/Dockerfile | 2 +-
 version/version.go | 2 +-
 15 files changed, 63 insertions(+), 10 deletions(-)
 delete mode 100644 .changelog/unreleased/bug-fixes/771-kvindexer-parsing-big-ints.md
 delete mode 100644 .changelog/unreleased/bug-fixes/771-pubsub-parsing-big-ints.md
 delete mode 100644 .changelog/unreleased/bug-fixes/865-fix-peerstate-marshaljson.md
 delete mode 100644 .changelog/unreleased/bug-fixes/890-mempool-fix-cache.md
 create mode 100644 .changelog/v0.37.2/bug-fixes/771-kvindexer-parsing-big-ints.md
 create mode 100644 .changelog/v0.37.2/bug-fixes/771-pubsub-parsing-big-ints.md
 rename .changelog/{unreleased => v0.37.2}/improvements/654-rpc-rm-response-data-logs.md (100%)
 create mode 100644 .changelog/v0.37.2/security-fixes/787-rpc-client-pw.md
 create mode 100644 .changelog/v0.37.2/security-fixes/793-cli-debug-kill-unsafe-cast.md
 create mode 100644 .changelog/v0.37.2/security-fixes/865-fix-peerstate-marshaljson.md
 create mode 100644 .changelog/v0.37.2/security-fixes/890-mempool-fix-cache.md
 create mode 100644 .changelog/v0.37.2/summary.md
diff --git a/.changelog/unreleased/bug-fixes/771-kvindexer-parsing-big-ints.md b/.changelog/unreleased/bug-fixes/771-kvindexer-parsing-big-ints.md
deleted file mode 100644
index 8114534c051..00000000000
--- a/.changelog/unreleased/bug-fixes/771-kvindexer-parsing-big-ints.md
+++ /dev/null
@@ -1,2 +0,0 @@
-- `[state/kvindex]` Querying event attributes that are bigger than int64 is now enabled. We are not supporting reading floats from the db into the indexer nor parsing them into BigFloats to not introduce breaking changes in minor releases.
- ([\#771](https://github.com/cometbft/cometbft/pull/771))
\ No newline at end of file
diff --git a/.changelog/unreleased/bug-fixes/771-pubsub-parsing-big-ints.md b/.changelog/unreleased/bug-fixes/771-pubsub-parsing-big-ints.md
deleted file mode 100644
index 749b30d5b50..00000000000
--- a/.changelog/unreleased/bug-fixes/771-pubsub-parsing-big-ints.md
+++ /dev/null
@@ -1,3 +0,0 @@
-- `[pubsub]` Pubsub queries are now able to parse big integers (larger than int64). Very big floats
- are also properly parsed into very big integers instead of being truncated to int64.
- ([\#771](https://github.com/cometbft/cometbft/pull/771))
\ No newline at end of file
diff --git a/.changelog/unreleased/bug-fixes/865-fix-peerstate-marshaljson.md b/.changelog/unreleased/bug-fixes/865-fix-peerstate-marshaljson.md
deleted file mode 100644
index 318bda315c5..00000000000
--- a/.changelog/unreleased/bug-fixes/865-fix-peerstate-marshaljson.md
+++ /dev/null
@@ -1,2 +0,0 @@
-- `[consensus]` Avoid recursive call after rename to (*PeerState).MarshalJSON
- ([\#863](https://github.com/cometbft/cometbft/pull/863))
diff --git a/.changelog/unreleased/bug-fixes/890-mempool-fix-cache.md b/.changelog/unreleased/bug-fixes/890-mempool-fix-cache.md
deleted file mode 100644
index 34dae0463a7..00000000000
--- a/.changelog/unreleased/bug-fixes/890-mempool-fix-cache.md
+++ /dev/null
@@ -1 +0,0 @@
-- `[mempool/clist_mempool]` \#890 Prevent a transaction to appear twice in the mempool (@otrack)
diff --git a/.changelog/v0.37.2/bug-fixes/771-kvindexer-parsing-big-ints.md b/.changelog/v0.37.2/bug-fixes/771-kvindexer-parsing-big-ints.md
new file mode 100644
index 00000000000..ba19adbc8ba
--- /dev/null
+++ b/.changelog/v0.37.2/bug-fixes/771-kvindexer-parsing-big-ints.md
@@ -0,0 +1,4 @@
+- `[state/kvindex]` Querying event attributes that are bigger than int64 is now
+ enabled. We are not supporting reading floats from the db into the indexer
+ nor parsing them into BigFloats to not introduce breaking changes in minor
+ releases. ([\#771](https://github.com/cometbft/cometbft/pull/771))
diff --git a/.changelog/v0.37.2/bug-fixes/771-pubsub-parsing-big-ints.md b/.changelog/v0.37.2/bug-fixes/771-pubsub-parsing-big-ints.md
new file mode 100644
index 00000000000..fc5f25a90ff
--- /dev/null
+++ b/.changelog/v0.37.2/bug-fixes/771-pubsub-parsing-big-ints.md
@@ -0,0 +1,4 @@
+- `[pubsub]` Pubsub queries are now able to parse big integers (larger than
+ int64). Very big floats are also properly parsed into very big integers
+ instead of being truncated to int64.
+ ([\#771](https://github.com/cometbft/cometbft/pull/771))
diff --git a/.changelog/unreleased/improvements/654-rpc-rm-response-data-logs.md b/.changelog/v0.37.2/improvements/654-rpc-rm-response-data-logs.md
similarity index 100%
rename from .changelog/unreleased/improvements/654-rpc-rm-response-data-logs.md
rename to .changelog/v0.37.2/improvements/654-rpc-rm-response-data-logs.md
diff --git a/.changelog/v0.37.2/security-fixes/787-rpc-client-pw.md b/.changelog/v0.37.2/security-fixes/787-rpc-client-pw.md
new file mode 100644
index 00000000000..209b799d9ad
--- /dev/null
+++ b/.changelog/v0.37.2/security-fixes/787-rpc-client-pw.md
@@ -0,0 +1,3 @@
+- `[rpc/jsonrpc/client]` **Low severity** - Prevent RPC
+ client credentials from being inadvertently dumped to logs
+ ([\#787](https://github.com/cometbft/cometbft/pull/787))
\ No newline at end of file
diff --git a/.changelog/v0.37.2/security-fixes/793-cli-debug-kill-unsafe-cast.md b/.changelog/v0.37.2/security-fixes/793-cli-debug-kill-unsafe-cast.md
new file mode 100644
index 00000000000..7482a5ae039
--- /dev/null
+++ b/.changelog/v0.37.2/security-fixes/793-cli-debug-kill-unsafe-cast.md
@@ -0,0 +1,2 @@
+- `[cmd/cometbft/commands/debug/kill]` **Low severity** - Fix unsafe int cast in
+ `debug kill` command ([\#793](https://github.com/cometbft/cometbft/pull/793))
\ No newline at end of file
diff --git a/.changelog/v0.37.2/security-fixes/865-fix-peerstate-marshaljson.md b/.changelog/v0.37.2/security-fixes/865-fix-peerstate-marshaljson.md
new file mode 100644
index 00000000000..fdd9172c209
--- /dev/null
+++ b/.changelog/v0.37.2/security-fixes/865-fix-peerstate-marshaljson.md
@@ -0,0 +1,3 @@
+- `[consensus]` **Low severity** - Avoid recursive call after rename to
+ `(*PeerState).MarshalJSON`
+ ([\#863](https://github.com/cometbft/cometbft/pull/863))
diff --git a/.changelog/v0.37.2/security-fixes/890-mempool-fix-cache.md b/.changelog/v0.37.2/security-fixes/890-mempool-fix-cache.md
new file mode 100644
index 00000000000..bad30efc7ab
--- /dev/null
+++ b/.changelog/v0.37.2/security-fixes/890-mempool-fix-cache.md
@@ -0,0 +1,3 @@
+- `[mempool/clist_mempool]` **Low severity** - Prevent a transaction from
+ appearing twice in the mempool
+ ([\#890](https://github.com/cometbft/cometbft/pull/890): @otrack)
diff --git a/.changelog/v0.37.2/summary.md b/.changelog/v0.37.2/summary.md
new file mode 100644
index 00000000000..7ecb2739409
--- /dev/null
+++ b/.changelog/v0.37.2/summary.md
@@ -0,0 +1,4 @@
+*June 14, 2023*
+
+Provides several minor bug fixes, as well as fixes for several low-severity
+security issues.
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 964b002f45f..e26955a191a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,43 @@
 # CHANGELOG
+## v0.37.2
+
+*June 14, 2023*
+
+Provides several minor bug fixes, as well as fixes for several low-severity
+security issues.
+
+### BUG FIXES
+
+- `[state/kvindex]` Querying event attributes that are bigger than int64 is now
+ enabled. We are not supporting reading floats from the db into the indexer
+ nor parsing them into BigFloats to not introduce breaking changes in minor
+ releases. ([\#771](https://github.com/cometbft/cometbft/pull/771))
+- `[pubsub]` Pubsub queries are now able to parse big integers (larger than
+ int64). Very big floats are also properly parsed into very big integers
+ instead of being truncated to int64.
+ ([\#771](https://github.com/cometbft/cometbft/pull/771))
+
+### IMPROVEMENTS
+
+- `[rpc]` Remove response data from response failure logs in order
+ to prevent large quantities of log data from being produced
+ ([\#654](https://github.com/cometbft/cometbft/issues/654))
+
+### SECURITY FIXES
+
+- `[rpc/jsonrpc/client]` **Low severity** - Prevent RPC
+ client credentials from being inadvertently dumped to logs
+ ([\#787](https://github.com/cometbft/cometbft/pull/787))
+- `[cmd/cometbft/commands/debug/kill]` **Low severity** - Fix unsafe int cast in
+ `debug kill` command ([\#793](https://github.com/cometbft/cometbft/pull/793))
+- `[consensus]` **Low severity** - Avoid recursive call after rename to
+ `(*PeerState).MarshalJSON`
+ ([\#863](https://github.com/cometbft/cometbft/pull/863))
+- `[mempool/clist_mempool]` **Low severity** - Prevent a transaction from
+ appearing twice in the mempool
+ ([\#890](https://github.com/cometbft/cometbft/pull/890): @otrack)
+
 ## v0.37.1
 *April 26, 2023*
diff --git a/test/e2e/docker/Dockerfile b/test/e2e/docker/Dockerfile
index cff113638f1..2ffe56d0b93 100644
--- a/test/e2e/docker/Dockerfile
+++ b/test/e2e/docker/Dockerfile
@@ -1,7 +1,7 @@
 # We need to build in a Linux environment to support C libraries, e.g. RocksDB.
 # We use Debian instead of Alpine, so that we can use binary database packages
 # instead of spending time compiling them.
-FROM golang:1.20
+FROM golang:1.20-bullseye
 RUN apt-get -qq update -y && apt-get -qq upgrade -y >/dev/null
 RUN apt-get -qq install -y libleveldb-dev librocksdb-dev >/dev/null
diff --git a/version/version.go b/version/version.go
index fc7b2096832..0c9057a7acc 100644
--- a/version/version.go
+++ b/version/version.go
@@ -5,7 +5,7 @@ const (
 // The default version of TMCoreSemVer is the value used as the
 // fallback version of CometBFT when not using git describe.
 // It is formatted with semantic versioning.
- TMCoreSemVer = "0.37.1"
+ TMCoreSemVer = "0.37.2"
 // ABCISemVer is the semantic version of the ABCI protocol
 ABCISemVer = "1.0.0"
 ABCIVersion = ABCISemVer
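Review bot: The reason for the `FROM golang:1.20-bullseye` pin in test/e2e/docker/Dockerfile is recorded only in the commit message, so the comment block above that line should carry it, e.g. `# Pinned to Bullseye: Bookworm ships a newer RocksDB than cometbft-db supports.` Without it, a later base-image bump can drop the pin without anyone noticing why it was there. The tag is also still mutable, so the base layer can change between builds; if reproducible e2e images matter, a digest suffix such as `golang:1.20-bullseye@sha256:<digest-placeholder>` would fix it. The unpinned `apt-get upgrade` and `librocksdb-dev` install on the following lines mean the RocksDB version is still decided by whatever the distro archive serves at build time.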