This package has been moved to github.com/ipfs/boxo/bitswap, this vulnerability is tracked there: GHSA-m974-xj4j-7qv5 (CVE-2023-25568)

Remediation

This is a two step process:

1. Apply one of:
   • (recommended) upgrade from github.com/ipfs/go-bitswap to github.com/ipfs/boxo/bitswap.
   • If you are still using github.com/ipfs/go-bitswap and cannot upgrade to boxo, you can upgrade to github.com/ipfs/go-bitswap@v0.12.0, this will replace the go-bitswap implementation by stubs which points to boxo.
2. Open GHSA-m974-xj4j-7qv5 and then follow boxo's remediation section.

Vulnerable symbols

• >= v0.9.0; < v0.12.0
  • github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceived
  • github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocks
  • github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreate
  • github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnected
• v0.8.0
  • github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceived
  • github.com/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocks
  • github.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreate
  • github.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
• < v0.8.0
  • github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceived
  • github.com/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFrom
  • github.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreate
  • github.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected

Workarounds

If you are using the stubs at github.com/ipfs/go-bitswap and not taking advantage of the features provided by the server, refactoring your code to use the new split API will allows you to run in a client-only mode using: github.com/ipfs/go-bitswap/client.

References

• GHSA-m974-xj4j-7qv5
• GHSA-q3j6-22wf-3jh9
• GHSA-m974-xj4j-7qv5
• https://nvd.nist.gov/vuln/detail/CVE-2023-25568
• ipfs/boxo@62cbac4
• ipfs/boxo@9cb5cb5