This package has been moved to github.com/ipfs/boxo/bitswap, this vulnerability is tracked there: GHSA-m974-xj4j-7qv5 (CVE-2023-25568)
Remediation
This is a two step process:
- Apply one of:
- (recommended) upgrade from
github.com/ipfs/go-bitswap to github.com/ipfs/boxo/bitswap.
- If you are still using
github.com/ipfs/go-bitswap and cannot upgrade to boxo, you can upgrade to github.com/ipfs/go-bitswap@v0.12.0, this will replace the go-bitswap implementation by stubs which points to boxo.
- Open GHSA-m974-xj4j-7qv5 and then follow
boxo's remediation section.
Vulnerable symbols
>= v0.9.0; < v0.12.0
github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocksgithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnected
v0.8.0
github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocksgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
< v0.8.0
github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFromgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
Workarounds
If you are using the stubs at github.com/ipfs/go-bitswap and not taking advantage of the features provided by the server, refactoring your code to use the new split API will allows you to run in a client-only mode using: github.com/ipfs/go-bitswap/client.
This package has been moved to
github.com/ipfs/boxo/bitswap, this vulnerability is tracked there: GHSA-m974-xj4j-7qv5 (CVE-2023-25568)Remediation
This is a two step process:
github.com/ipfs/go-bitswaptogithub.com/ipfs/boxo/bitswap.github.com/ipfs/go-bitswapand cannot upgrade toboxo, you can upgrade togithub.com/ipfs/go-bitswap@v0.12.0, this will replace thego-bitswapimplementation by stubs which points toboxo.boxo's remediation section.Vulnerable symbols
>= v0.9.0; < v0.12.0github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocksgithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnectedv0.8.0github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocksgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected< v0.8.0github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFromgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnectedWorkarounds
If you are using the stubs at
github.com/ipfs/go-bitswapand not taking advantage of the features provided by the server, refactoring your code to use the new split API will allows you to run in a client-only mode using:github.com/ipfs/go-bitswap/client.