This package has been moved to github.com/ipfs/boxo/bitswap, this vulnerability is tracked there: GHSA-m974-xj4j-7qv5 (CVE-2023-25568)
Remediation
This is a two step process:
- Apply one of:
- (recommended) upgrade from
github.com/ipfs/go-bitswap to github.com/ipfs/boxo/bitswap.
- If you are still using
github.com/ipfs/go-bitswap and cannot upgrade to boxo, you can upgrade to github.com/ipfs/[email protected], this will replace the go-bitswap implementation by stubs which points to boxo.
- Open GHSA-m974-xj4j-7qv5 and then follow
boxo's remediation section.
Vulnerable symbols
>= v0.9.0; < v0.12.0
github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceivedjackfan.us.kg/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocksjackfan.us.kg/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreatejackfan.us.kg/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnected
v0.8.0
github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedjackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocksjackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreatejackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
< v0.8.0
github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedjackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFromjackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreatejackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
Workarounds
If you are using the stubs at github.com/ipfs/go-bitswap and not taking advantage of the features provided by the server, refactoring your code to use the new split API will allows you to run in a client-only mode using: github.com/ipfs/go-bitswap/client.
This package has been moved to
github.com/ipfs/boxo/bitswap, this vulnerability is tracked there: GHSA-m974-xj4j-7qv5 (CVE-2023-25568)Remediation
This is a two step process:
github.com/ipfs/go-bitswaptojackfan.us.kg/ipfs/boxo/bitswap.github.com/ipfs/go-bitswapand cannot upgrade toboxo, you can upgrade tojackfan.us.kg/ipfs/[email protected], this will replace thego-bitswapimplementation by stubs which points toboxo.boxo's remediation section.Vulnerable symbols
>= v0.9.0; < v0.12.0jackfan.us.kg/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceivedjackfan.us.kg/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocksjackfan.us.kg/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreatejackfan.us.kg/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnectedv0.8.0jackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedjackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocksjackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreatejackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected< v0.8.0jackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedjackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFromjackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreatejackfan.us.kg/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnectedWorkarounds
If you are using the stubs at
github.com/ipfs/go-bitswapand not taking advantage of the features provided by the server, refactoring your code to use the new split API will allows you to run in a client-only mode using:github.com/ipfs/go-bitswap/client.