Update dependency libp2p to v0.38.0 [SECURITY] #354
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.35.8
->0.38.0
GitHub Vulnerability Alerts
CVE-2022-23487
Impact
Versions older than
v0.38.0
of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack.Patches (What to do as a js-libp2p consumer:)
Update your js-libp2p dependency to
v0.38.0
or greater.Workarounds
There are no workarounds, and so we recommend to upgrade your js-libp2p version.
Some range of attacks can be mitigated using OS tools (like manually blocking malicious peers using iptables or ufw ) or making use of a load balancer in front of libp2p nodes.
You can also use the allow deny list in js-libp2p to deny specific peers.
However these require direct action & responsibility on your part and are no substitutes for upgrading js-libp2p. Therefore, we highly recommend upgrading your js-libp2p version for the way it enables tighter scoped limits and provides visibility into and easier reasoning about js-libp2p resource utilization.
References
Please see the related disclosure for go-libp2p: GHSA-j7qp-mfxf-8xjw and rust-libp2p: GHSA-jvgw-gccv-q5p8
For more information
If you have any questions or comments about this advisory, please email us at security@libp2p.io.
Release Notes
libp2p/js-libp2p (libp2p)
v0.38.0
: libp2p v0.38.0Compare Source
⚠ BREAKING CHANGES
Duplex<Uint8ArrayList, Uint8ArrayList | Uint8Array>
connectionManager.peerValue
has been removed, usepeerStore.tagPeer
insteadFeatures
Bug Fixes
deps
v0.37.3
: libp2p v0.37.3Compare Source
Bug Fixes
v0.37.2
: libp2p v0.37.2Compare Source
Bug Fixes
v0.37.1
: libp2p v0.37.1Compare Source
Bug Fixes
v0.37.0
: libp2p v0.37.0Compare Source
Upgrading
Please see the migration guide for upgrading to this release: doc/migrations/v0.36-v.037.md
⚠ BREAKING CHANGES
Features
Bug Fixes
v0.36.2
: libp2p v0.36.2Compare Source
Bug Fixes
v0.36.1
: libp2p v0.36.1Compare Source
Bug Fixes
v0.36.0
: libp2p v0.36.0Compare Source
⚠ BREAKING CHANGES
libp2p.handle
,libp2p.registrar.register
and the peerstore methods have become asyncFeatures
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.