Release v0.37.2 (cometbft#972)

* changelog: Clean up and reorder

Signed-off-by: Thane Thomson <[email protected]>

* changelog: Add severity to security fixes

Signed-off-by: Thane Thomson <[email protected]>

* changelog: Add missing entries

Signed-off-by: Thane Thomson <[email protected]>

* changelog: Release v0.37.2

Signed-off-by: Thane Thomson <[email protected]>

* Rebuild changelog

Signed-off-by: Thane Thomson <[email protected]>

* version: Bump to v0.37.2

Signed-off-by: Thane Thomson <[email protected]>

* test/e2e: Use Debian Bullseye as base image

Golang recently started offering Debian Bookworm as the default distro
for `golang:1.20`, which provides a newer version of RocksDB than what
we support in cometbft-db.

For now this pins the image to Bullseye, which is the base image we have
been using for some time now.

Signed-off-by: Thane Thomson <[email protected]>

---------

Signed-off-by: Thane Thomson <[email protected]>

.changelog/v0.37.2/bug-fixes/771-kvindexer-parsing-big-ints.md

@@ -0,0 +1,4 @@
+- `[state/kvindex]` Querying event attributes that are bigger than int64 is now
+  enabled. We are not supporting reading floats from the db into the indexer
+  nor parsing them into BigFloats to not introduce breaking changes in minor
+  releases. ([\#771](https://github.com/cometbft/cometbft/pull/771))

.changelog/v0.37.2/bug-fixes/771-pubsub-parsing-big-ints.md

@@ -0,0 +1,4 @@
+- `[pubsub]` Pubsub queries are now able to parse big integers (larger than
+  int64). Very big floats are also properly parsed into very big integers
+  instead of being truncated to int64.
+  ([\#771](https://github.com/cometbft/cometbft/pull/771))

.changelog/v0.37.2/security-fixes/787-rpc-client-pw.md

@@ -0,0 +1,3 @@
+- `[rpc/jsonrpc/client]` **Low severity** - Prevent RPC
+  client credentials from being inadvertently dumped to logs
+  ([\#787](https://github.com/cometbft/cometbft/pull/787))

.changelog/v0.37.2/security-fixes/793-cli-debug-kill-unsafe-cast.md

@@ -0,0 +1,2 @@
+- `[cmd/cometbft/commands/debug/kill]` **Low severity** - Fix unsafe int cast in
+  `debug kill` command ([\#793](https://github.com/cometbft/cometbft/pull/793))

.changelog/v0.37.2/security-fixes/865-fix-peerstate-marshaljson.md

@@ -0,0 +1,3 @@
+- `[consensus]` **Low severity** - Avoid recursive call after rename to
+  `(*PeerState).MarshalJSON`
+  ([\#863](https://github.com/cometbft/cometbft/pull/863))

.changelog/v0.37.2/security-fixes/890-mempool-fix-cache.md

@@ -0,0 +1,3 @@
+- `[mempool/clist_mempool]` **Low severity** - Prevent a transaction from
+  appearing twice in the mempool
+  ([\#890](https://github.com/cometbft/cometbft/pull/890): @otrack)

.changelog/v0.37.2/summary.md

@@ -0,0 +1,4 @@
+*June 14, 2023*
+
+Provides several minor bug fixes, as well as fixes for several low-severity
+security issues.

CHANGELOG.md

@@ -1,5 +1,43 @@
 # CHANGELOG
 
+## v0.37.2
+
+*June 14, 2023*
+
+Provides several minor bug fixes, as well as fixes for several low-severity
+security issues.
+
+### BUG FIXES
+
+- `[state/kvindex]` Querying event attributes that are bigger than int64 is now
+  enabled. We are not supporting reading floats from the db into the indexer
+  nor parsing them into BigFloats to not introduce breaking changes in minor
+  releases. ([\#771](https://github.com/cometbft/cometbft/pull/771))
+- `[pubsub]` Pubsub queries are now able to parse big integers (larger than
+  int64). Very big floats are also properly parsed into very big integers
+  instead of being truncated to int64.
+  ([\#771](https://github.com/cometbft/cometbft/pull/771))
+
+### IMPROVEMENTS
+
+- `[rpc]` Remove response data from response failure logs in order
+  to prevent large quantities of log data from being produced
+  ([\#654](https://github.com/cometbft/cometbft/issues/654))
+
+### SECURITY FIXES
+
+- `[rpc/jsonrpc/client]` **Low severity** - Prevent RPC
+  client credentials from being inadvertently dumped to logs
+  ([\#787](https://github.com/cometbft/cometbft/pull/787))
+- `[cmd/cometbft/commands/debug/kill]` **Low severity** - Fix unsafe int cast in
+  `debug kill` command ([\#793](https://github.com/cometbft/cometbft/pull/793))
+- `[consensus]` **Low severity** - Avoid recursive call after rename to
+  `(*PeerState).MarshalJSON`
+  ([\#863](https://github.com/cometbft/cometbft/pull/863))
+- `[mempool/clist_mempool]` **Low severity** - Prevent a transaction from
+  appearing twice in the mempool
+  ([\#890](https://github.com/cometbft/cometbft/pull/890): @otrack)
+
 ## v0.37.1
 
 *April 26, 2023*

test/e2e/docker/Dockerfile

@@ -1,7 +1,7 @@
 # We need to build in a Linux environment to support C libraries, e.g. RocksDB.
 # We use Debian instead of Alpine, so that we can use binary database packages
 # instead of spending time compiling them.
-FROM golang:1.20
+FROM golang:1.20-bullseye
 
 RUN apt-get -qq update -y && apt-get -qq upgrade -y >/dev/null
 RUN apt-get -qq install -y libleveldb-dev librocksdb-dev >/dev/null

version/version.go

@@ -5,7 +5,7 @@ const (
 	// The default version of TMCoreSemVer is the value used as the
 	// fallback version of CometBFT when not using git describe.
 	// It is formatted with semantic versioning.
-	TMCoreSemVer = "0.37.1"
+	TMCoreSemVer = "0.37.2"
 	// ABCISemVer is the semantic version of the ABCI protocol
 	ABCISemVer  = "1.0.0"
 	ABCIVersion = ABCISemVer