This package has been moved to github.com/ipfs/boxo/bitswap; this vulnerability is tracked there: GHSA-m974-xj4j-7qv5 (CVE-2023-25568).
Remediation
This is a two-step process:
- Apply one of:
  - (recommended) upgrade from github.com/ipfs/go-bitswap to github.com/ipfs/boxo/bitswap.
  - If you are still using github.com/ipfs/go-bitswap and cannot upgrade to boxo, you can upgrade to github.com/ipfs/[email protected]; this replaces the go-bitswap implementation with stubs that point to boxo.
- Open GHSA-m974-xj4j-7qv5 and then follow boxo's remediation section.
Vulnerable symbols
>= v0.9.0; < v0.12.0
- github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceived
- github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocks
- github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreate
- github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnected
v0.8.0
- github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceived
- github.com/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocks
- github.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreate
- github.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
< v0.8.0
- github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceived
- github.com/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFrom
- github.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreate
- github.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
Workarounds
If you are using the stubs at github.com/ipfs/go-bitswap and not taking advantage of the features provided by the server, refactoring your code to use the new split API will allow you to run in a client-only mode using github.com/ipfs/go-bitswap/client.
References