Release 3.2.0.0.2: critical security fix
3 views
Skip to first unread message
Jesse Wiley
Oct 7, 2025, 3:27:33 PMOct 7
to announce
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello,
**This release resolves a critical vulnerability and all node operators are strongly encouraged to upgrade**
Stacks core developers have released Stacks Core version 3.2.0.0.2, available here: https://github.com/stacks-network/stacks-core/releases/tag/3.2.0.0.2.
This release contains several bugfixes and improvements in the stacks-node and stacks-signer binaries, ensuring more consistent block production.
This release is compatible with chainstate directories from 3.x.x.x.x.
The version of stacks-signer compatible with this release is 3.2.0.0.2.0, available at: https://github.com/stacks-network/stacks-core/releases/tag/signer-3.2.0.0.2.0.
Note: `blockstack-cli` binary has been renamed to `stacks-cli` from this release forward.
### Added
- Renamed `clarity-serialization` to `clarity-types`.
- Add `stackerdb_timeout_secs` to miner config for limiting duration of StackerDB HTTP requests.
- When determining a global transaction replay set, the state evaluator now uses a longest-common-prefix algorithm to find a replay set in the case where a single replay set has less than 70% of signer weight.
- New endpoints /v3/tenures/blocks/, /v3/tenures/blocks/hash, /v3/tenures/blocks/height allowing retrieving the list of stacks blocks from a burn block
- New authenticated endpoint /v3/block/replay to replay the execution of any Nakamoto block in the chain (useful for validation, simulation, getting events...)
- Creates epoch 3.3 and costs-4 in preparation for a hardfork to activate Clarity 4
- Adds support for new Clarity 4 builtins (not activated until epoch 3.3):
- `contract-hash?`
- `current-contract`
- `block-time`
- `to-ascii?`
- Added `contract_cost_limit_percentage` to the miner config file — sets the percentage of a block’s execution cost at which, if a large non-boot contract call would cause a BlockTooBigError, the miner will stop adding further non-boot contract calls and only include STX transfers and boot contract calls for the remainder of the block.
- Added two-phase commit to signer block responses ensuring signers only issue a signature in a BlockResponse when a majority threshold number have pre-committed to sign a proposed Naka block
- When determining a global transaction replay set, the state evaluator now uses a longest-common-prefix algorithm to find a replay set in the case where a single replay set has less than 70% of signer weight.
### Changed
- Clarity errors pertaining to syntax binding errors have been made more
expressive (#6337)
- Removed affirmation maps logic throughout, upgrading chainstate DB schema to 11 and burnchain DB schema to 3 (#6314)
- Database schema updated to version 17
### Fixed
- When running `stacks-inspect decode-tx`, print the correct version of the address (mainnet or testnet) based on the transaction passed in
- When a contract deploy is analyzed, it will no longer throw a `CostError` when the contract contains an undefined top-level variable. Instead, it will throw a `UndefinedVariable` error.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Stacks Core:
Git commit hash: bd9ee6310516b31ef4ecce07e42e73ed0f774ada
SHA512SUMS:
82a5c4622e69fc053ca929d4bd9b96493d9e664df3b85e79b07cb27361df5d3b70d114f79a0256750c4f47995f7cb4a34920e4e6c03e7323a58bb22a77618bbf linux-glibc-arm64.zip
b5edb0b0b7e388ab329f71dfac36a19e12d223ded90c6397e6e6e56a62821e413165ad7a6e0339f91df63e4005e265da1b289c14e5dd1b87c89992fd5c5f04ad linux-glibc-x64.zip
81036d39e5a9a4babc90286eae28e65a6ce968b8b7ffd318acee921bc479e0bab1cec6488e048f2230d0a6c0880f6e8fae00b65d3c95988523242325e5084777 linux-musl-arm64.zip
2ed94fe972f3ee8fdd00b9d2674ba0ed056cde24aeaeeb84a2a6cfb0e72785edc0bf41826f79fd67c33c60c8c7fde724afd2528bedbef071e7c8e95ab948b1b0 linux-musl-x64.zip
3bca5d6c516680aae2c189310d20de4839ed8e82d9ccd9dc4bc3cd3e7defa091ace2526842823bab19568dfdb127c7b254bffd8f4fa876e74201a89f2fc3940d macos-arm64.zip
f6141c37d8f76e810ae991d2bd2a466d36dbc054aa51ac93604a004a9fa07e2bce5fda7b2e8ce1ae0a1958a4f9fe6e234b252700fa6e731ddd26ab5ca67e50d8 windows-x64.zip
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Stacks Signer:
Git commit hash: bd9ee6310516b31ef4ecce07e42e73ed0f774ada
SHA512SUMS:
071dbac797513022ba9dfe1b92a4e9b213c3604e11f26983bf2a2b60b0ab2bf039b679ba8f93a96d37e951c5726328c1c98866c790557625917f87d1c576d4ec linux-glibc-arm64.zip
917cdbb680dae1b2a3ae4076110e8134880fbd9172194b0f5c3930342345acb22670adcacaeff4c2404c56d43578d29b1996cbad15fcad8fa556ccfeca6a0b6d linux-glibc-x64.zip
f8f74aa1c52d45358008ab101d320f63ff6d8d22c3f6934683a202fc74a3a460a420e3f3a1ae866349b2102722041d1dc4e40a80fc9433350bc9ead683d02f5a linux-musl-arm64.zip
49d74ccb1e14f128b62e8090de5216fde37d8b19341d3bdf75c78a2d458fad8c7ba2a50c4dfcac3116f3cbef0ca6b16a1d2682b890d66be8fc69666e9af9e66e linux-musl-x64.zip
52abb3bf1c4709d3d8970f76c26086e01cee25382f2746233b9385accb94836b1c2e13752bde3e2b9c6885f9ac23d37d143803454fbb9f1a393c85ea5dfe4b5c macos-arm64.zip
145b20ea567cf0e9b016f7fea01240e85545a61dd43814ef35e3a76ed335475a030df4660d41284c2ab282e925cf7e718423f2ba28413f8a92a156c77587cb0b windows-x64.zip
Best,
Jesse Wiley
Engineering Partner, Stacks Foundation
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEcyLAWCVQ3ogXwlXZge1cNguBENcFAmjlaKsRHGplc3NlQHN0
YWNrcy5vcmcACgkQge1cNguBENdT6hAA09aURHobJlGw1cYczGZh2X+j93b0MnqN
AZ5o/m+Yw6VjOEGdXclBQfXG9eZAwPhfrpSfQmCuJDQikH3xjl9bFthg+rPEfy6I
NCwvzGhJKW+8jzubrjNOnESZDTqzAxsx8OdguQFWzHPtgsNJFDU44lbw5/JIg62S
5smrb5D23eey6ZofwnAt1pgu9itqmSJJUEj7ihb0l4xprLoPXOSTVv5TB8aJ2k+C
tXxs8fnMt+mrdNJWkDCxdGEK5Uvq1TFd+HO5g3Pn3WZyImF6jokkgzC+X+PRgWtV
t7/Qh73v9sJRGgNs+YptM4YaYtuMxkU414VPDyaDNCjedck0X9pL2TDf8dFaWQb2
2QffyldL8SPPxb64bWU9b1KYtn2FGaLXoKDGYmvNwJHmIO87zG4CkUPeUOUOWvaI
/SH1qivjjHoVfqGKAUZbpEGzIrj1xqbVlLmDJPGz3uFLLR+LovD2AFiQt2cXOK35
DffpXutgA0QaioOJDRDy8xoEbWQvZjpK70MnYaTKU7TzUCUhq+Dyvnk+E5ZnJD/E
z+jCWG5ZjXQIYd7MPF3UE4d2tJufCb7ra3Q++4hdckPGWAafOw7pkrhPKBPKr2eC
Cpy7wC/Tg0nBaMHnaAMWCLi4CJhQiKC5/yK45LP68DHT1Q+qM2v97tl1FP5tby7q
tCa4i+r7CdY=
=a5uE
-----END PGP SIGNATURE-----
Hash: SHA512
Hello,
**This release resolves a critical vulnerability and all node operators are strongly encouraged to upgrade**
Stacks core developers have released Stacks Core version 3.2.0.0.2, available here: https://github.com/stacks-network/stacks-core/releases/tag/3.2.0.0.2.
This release contains several bugfixes and improvements in the stacks-node and stacks-signer binaries, ensuring more consistent block production.
This release is compatible with chainstate directories from 3.x.x.x.x.
The version of stacks-signer compatible with this release is 3.2.0.0.2.0, available at: https://github.com/stacks-network/stacks-core/releases/tag/signer-3.2.0.0.2.0.
Note: `blockstack-cli` binary has been renamed to `stacks-cli` from this release forward.
### Added
- Renamed `clarity-serialization` to `clarity-types`.
- Add `stackerdb_timeout_secs` to miner config for limiting duration of StackerDB HTTP requests.
- When determining a global transaction replay set, the state evaluator now uses a longest-common-prefix algorithm to find a replay set in the case where a single replay set has less than 70% of signer weight.
- New endpoints /v3/tenures/blocks/, /v3/tenures/blocks/hash, /v3/tenures/blocks/height allowing retrieving the list of stacks blocks from a burn block
- New authenticated endpoint /v3/block/replay to replay the execution of any Nakamoto block in the chain (useful for validation, simulation, getting events...)
- Creates epoch 3.3 and costs-4 in preparation for a hardfork to activate Clarity 4
- Adds support for new Clarity 4 builtins (not activated until epoch 3.3):
- `contract-hash?`
- `current-contract`
- `block-time`
- `to-ascii?`
- Added `contract_cost_limit_percentage` to the miner config file — sets the percentage of a block’s execution cost at which, if a large non-boot contract call would cause a BlockTooBigError, the miner will stop adding further non-boot contract calls and only include STX transfers and boot contract calls for the remainder of the block.
- Added two-phase commit to signer block responses ensuring signers only issue a signature in a BlockResponse when a majority threshold number have pre-committed to sign a proposed Naka block
- When determining a global transaction replay set, the state evaluator now uses a longest-common-prefix algorithm to find a replay set in the case where a single replay set has less than 70% of signer weight.
### Changed
- Clarity errors pertaining to syntax binding errors have been made more
expressive (#6337)
- Removed affirmation maps logic throughout, upgrading chainstate DB schema to 11 and burnchain DB schema to 3 (#6314)
- Database schema updated to version 17
### Fixed
- When running `stacks-inspect decode-tx`, print the correct version of the address (mainnet or testnet) based on the transaction passed in
- When a contract deploy is analyzed, it will no longer throw a `CostError` when the contract contains an undefined top-level variable. Instead, it will throw a `UndefinedVariable` error.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Stacks Core:
Git commit hash: bd9ee6310516b31ef4ecce07e42e73ed0f774ada
SHA512SUMS:
82a5c4622e69fc053ca929d4bd9b96493d9e664df3b85e79b07cb27361df5d3b70d114f79a0256750c4f47995f7cb4a34920e4e6c03e7323a58bb22a77618bbf linux-glibc-arm64.zip
b5edb0b0b7e388ab329f71dfac36a19e12d223ded90c6397e6e6e56a62821e413165ad7a6e0339f91df63e4005e265da1b289c14e5dd1b87c89992fd5c5f04ad linux-glibc-x64.zip
81036d39e5a9a4babc90286eae28e65a6ce968b8b7ffd318acee921bc479e0bab1cec6488e048f2230d0a6c0880f6e8fae00b65d3c95988523242325e5084777 linux-musl-arm64.zip
2ed94fe972f3ee8fdd00b9d2674ba0ed056cde24aeaeeb84a2a6cfb0e72785edc0bf41826f79fd67c33c60c8c7fde724afd2528bedbef071e7c8e95ab948b1b0 linux-musl-x64.zip
3bca5d6c516680aae2c189310d20de4839ed8e82d9ccd9dc4bc3cd3e7defa091ace2526842823bab19568dfdb127c7b254bffd8f4fa876e74201a89f2fc3940d macos-arm64.zip
f6141c37d8f76e810ae991d2bd2a466d36dbc054aa51ac93604a004a9fa07e2bce5fda7b2e8ce1ae0a1958a4f9fe6e234b252700fa6e731ddd26ab5ca67e50d8 windows-x64.zip
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Stacks Signer:
Git commit hash: bd9ee6310516b31ef4ecce07e42e73ed0f774ada
SHA512SUMS:
071dbac797513022ba9dfe1b92a4e9b213c3604e11f26983bf2a2b60b0ab2bf039b679ba8f93a96d37e951c5726328c1c98866c790557625917f87d1c576d4ec linux-glibc-arm64.zip
917cdbb680dae1b2a3ae4076110e8134880fbd9172194b0f5c3930342345acb22670adcacaeff4c2404c56d43578d29b1996cbad15fcad8fa556ccfeca6a0b6d linux-glibc-x64.zip
f8f74aa1c52d45358008ab101d320f63ff6d8d22c3f6934683a202fc74a3a460a420e3f3a1ae866349b2102722041d1dc4e40a80fc9433350bc9ead683d02f5a linux-musl-arm64.zip
49d74ccb1e14f128b62e8090de5216fde37d8b19341d3bdf75c78a2d458fad8c7ba2a50c4dfcac3116f3cbef0ca6b16a1d2682b890d66be8fc69666e9af9e66e linux-musl-x64.zip
52abb3bf1c4709d3d8970f76c26086e01cee25382f2746233b9385accb94836b1c2e13752bde3e2b9c6885f9ac23d37d143803454fbb9f1a393c85ea5dfe4b5c macos-arm64.zip
145b20ea567cf0e9b016f7fea01240e85545a61dd43814ef35e3a76ed335475a030df4660d41284c2ab282e925cf7e718423f2ba28413f8a92a156c77587cb0b windows-x64.zip
Best,
Jesse Wiley
Engineering Partner, Stacks Foundation
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEcyLAWCVQ3ogXwlXZge1cNguBENcFAmjlaKsRHGplc3NlQHN0
YWNrcy5vcmcACgkQge1cNguBENdT6hAA09aURHobJlGw1cYczGZh2X+j93b0MnqN
AZ5o/m+Yw6VjOEGdXclBQfXG9eZAwPhfrpSfQmCuJDQikH3xjl9bFthg+rPEfy6I
NCwvzGhJKW+8jzubrjNOnESZDTqzAxsx8OdguQFWzHPtgsNJFDU44lbw5/JIg62S
5smrb5D23eey6ZofwnAt1pgu9itqmSJJUEj7ihb0l4xprLoPXOSTVv5TB8aJ2k+C
tXxs8fnMt+mrdNJWkDCxdGEK5Uvq1TFd+HO5g3Pn3WZyImF6jokkgzC+X+PRgWtV
t7/Qh73v9sJRGgNs+YptM4YaYtuMxkU414VPDyaDNCjedck0X9pL2TDf8dFaWQb2
2QffyldL8SPPxb64bWU9b1KYtn2FGaLXoKDGYmvNwJHmIO87zG4CkUPeUOUOWvaI
/SH1qivjjHoVfqGKAUZbpEGzIrj1xqbVlLmDJPGz3uFLLR+LovD2AFiQt2cXOK35
DffpXutgA0QaioOJDRDy8xoEbWQvZjpK70MnYaTKU7TzUCUhq+Dyvnk+E5ZnJD/E
z+jCWG5ZjXQIYd7MPF3UE4d2tJufCb7ra3Q++4hdckPGWAafOw7pkrhPKBPKr2eC
Cpy7wC/Tg0nBaMHnaAMWCLi4CJhQiKC5/yK45LP68DHT1Q+qM2v97tl1FP5tby7q
tCa4i+r7CdY=
=a5uE
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
This conversation is locked
You cannot reply and perform actions on locked conversations.
0 new messages