build(deps): bump github.com/tendermint/tendermint from 0.34.4 to 0.34.7

[dependabot]

Bumps github.com/tendermint/tendermint from 0.34.4 to 0.34.7.

Release notes

Sourced from github.com/tendermint/tendermint's releases.

0.34.7 (WARNING: BETA SOFTWARE)

https://github.com/tendermint/tendermint/blob/v0.34.7/CHANGELOG.md#v0.34.7

Changelog

Sourced from github.com/tendermint/tendermint's changelog.

v0.34.7

February 18, 2021

This release fixes a downstream security issue which impacts Cosmos SDK users who are:

• Using Cosmos SDK v0.40.0 or later, AND
• Running validator nodes, AND
• Using the file-based FilePV implementation for their consensus keys

Users who fulfill all the above criteria were susceptible to leaking private key material in the logs. All other users are unaffected.

The root cause was a discrepancy between the Tendermint Core (untyped) logger and the Cosmos SDK (typed) logger: Tendermint Core's logger automatically stringifies Go interfaces whenever possible; however, the Cosmos SDK's logger uses reflection to log the fields within a Go interface.

The introduction of the typed logger meant that previously un-logged fields within interfaces are now sometimes logged, including the private key material inside the FilePV struct.

Tendermint Core v0.34.7 fixes this issue; however, we strongly recommend that all validators use remote signer implementations instead of FilePV in production.

Thank you to @joe-bowman for his assistance with this vulnerability and a particular shout-out to @marbar3778 for diagnosing it quickly.

Friendly reminder: We have a bug bounty program.

BUG FIXES

• [consensus] #6128 Remove privValidator from log call (@tessr)

v0.34.6

February 18, 2021

Tendermint Core v0.34.5 and v0.34.6 have been recalled due to build tooling problems.

Commits

• 15eb2c2 .goreleaser: remove arm64 build instructions and bump changelog again (#6131)
• e4d2893 changelog: bump to v0.34.6
• afd0709 Revert "tooling: remove tools/Makefile (bp #6102) (#6106)"
• 340071d changelog: update for 0.34.5 (#6129)
• 53d40e1 consensus: remove privValidator from log call (#6128)
• bedb00d consensus: Groom Logs (#5917)
• 1030072 changelog: update 0.34.3 changelog with details on security vuln (bp #6108) (...
• 1b2174a tooling: remove tools/Makefile (bp #6102) (#6106)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Looks like github.com/tendermint/tendermint is up-to-date now, so this is no longer needed.