Merge pull request #2469 from input-output-hk/jpraynaud/client-snapshot-security-advisory-dev-blog-post

Docs: add dev blog post for client security advisory

Author: jpraynaud

docs/website/blog/2025-05-05-distribution-2517.md

@@ -7,6 +7,13 @@ tags: [release, distribution, 2517, security-advisory]
 
 ### Distribution `2517` is now available
 
+:::warning
+
+- This distribution embeds a fix for the **Mithril snapshots for Cardano database could be compromised by an adversary** security advisory [GHSA-qv97-5qr8-2266](https://github.com/input-output-hk/mithril/security/advisories/GHSA-qv97-5qr8-2266)
+- All users running a **client library or client CLI** are **strongly encouraged** to update to the latest versions.
+
+:::
+
 :::info Update 2025/05/06
 
 The team released the hotfix `2517.1` to address a bug in the `2517.0` distribution that caused the Cardano node to fail during startup when using a snapshot downloaded with the Mithril client.
@@ -18,7 +25,7 @@ The [`2517.1`](https://github.com/input-output-hk/mithril/releases/tag/2517.1) d
 - ⚠️ **Breaking** changes in Mithril client CLI and library:
   - To fast bootstrap a Cardano node, the new `--include-ancillary` option has been added to the _Cardano node database_ command in the Mithril client CLI.
   - Without this option, only final immutable files are downloaded, and the ledger state must be computed from the genesis block when the Cardano node starts.
-  - The `--include-ancillary` option requires the usage of an **ancillary verification key** (`--ancillary-verification-key` or `ANCILLARY_VERIFICATION_KEY`) which is specified in the [Networks configuration](https://mithril.network/doc/next/manual/getting-started/network-configurations) page.
+  - The `--include-ancillary` option requires the usage of an **ancillary verification key** (`--ancillary-verification-key` or `ANCILLARY_VERIFICATION_KEY`) which is specified in the [Networks configuration](https://mithril.network/doc/manual/getting-started/network-configurations) page.
   - Clients from distribution [`2513`] and earlier are **not compatible** with this change and **must be updated**.
 - Support for `Cardano node` `10.3.1` in the signer and the aggregator
 - Support for origin tags in Mithril client library, CLI and WASM to record the origin of client requests.

docs/website/blog/2025-05-07-client-security-advisory.md

@@ -0,0 +1,33 @@
+---
+title: Mithril Cardano database snapshots security advisory
+authors:
+  - name: Mithril Team
+tags:
+  [spo, mithril client, mainnet, production, beta, security, cardano-database]
+---
+
+### Mithril snapshots for Cardano database could be compromised by an adversary
+
+The Mithril team has published a [security advisory](https://github.com/input-output-hk/mithril/security/advisories/GHSA-qv97-5qr8-2266) for users running the Mithril client on the `mainnet` infrastructure:
+
+- **Identifier**: GHSA-qv97-5qr8-2266
+- **Title**: Mithril snapshots for Cardano database could be compromised by an adversary
+- **Location**: [GHSA-qv97-5qr8-2266](https://github.com/input-output-hk/mithril/security/advisories/GHSA-qv97-5qr8-2266)
+- **Severity**: Moderate (4.9/10).
+
+:::danger
+
+We strongly encourage all `mainnet` users running a **client library or client CLI** to update to the latest versions to prevent the issue:
+
+- The **Mithril client library** has been fixed with version `0.12.2` and is available [here](https://crates.io/crates/mithril-client)
+- The **Mithril client CLI** has been fixed with version `0.12.1` and can be downloaded with the following command:
+
+```bash
+curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-client -d 2517.1 -p $(pwd)
+```
+
+**Note that all the previous versions must not be used anymore.**
+
+:::
+
+For any inquiries or assistance, contact the team on the [Discord channel](https://discord.gg/5kaErDKDRq).