github.com/ipfs/go-bitswap vulnerable to DOS unbounded persistent memory leak
### Description

This package has been moved to [`github.com/ipfs/boxo/bitswap`](https://pkg.go.dev/github.com/ipfs/boxo/bitswap); this vulnerability is tracked there: https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 (`CVE-2023-25568`).

### Remediation
This is a two-step process:
1. Apply one of:
   - (**recommended**) Upgrade from `github.com/ipfs/go-bitswap` to `github.com/ipfs/boxo/bitswap`.
   - If you are still using `github.com/ipfs/go-bitswap` and cannot upgrade to `boxo`, you can upgrade to `github.com/ipfs/[email protected]`, which replaces the `go-bitswap` implementation with stubs that point to `boxo`.
2. Open https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 and then follow `boxo`’s remediation section.

### Vulnerable symbols
- `>= v0.9.0;
