
Update dependency libp2p to v0.38.0 [SECURITY] #354

Closed

Conversation

renovate[bot] (Contributor) commented Dec 8, 2022

Mend Renovate

This PR contains the following updates:

Package | Change
------- | ----------------
libp2p  | 0.35.8 -> 0.38.0

GitHub Vulnerability Alerts

CVE-2022-23487

Impact

Versions older than v0.38.0 of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack.

Patches (What to do as a js-libp2p consumer:)

Update your js-libp2p dependency to v0.38.0 or greater.

Workarounds

There are no workarounds, and so we recommend upgrading your js-libp2p version.
Some range of attacks can be mitigated using OS tools (like manually blocking malicious peers using iptables or ufw) or making use of a load balancer in front of libp2p nodes.
You can also use the allow/deny list in js-libp2p to deny specific peers.

However, these require direct action and responsibility on your part and are no substitutes for upgrading js-libp2p. Therefore, we highly recommend upgrading your js-libp2p version for the way it enables tighter scoped limits and provides visibility into and easier reasoning about js-libp2p resource utilization.

References

Please see the related disclosure for go-libp2p: GHSA-j7qp-mfxf-8xjw and rust-libp2p: GHSA-jvgw-gccv-q5p8

For more information

If you have any questions or comments about this advisory, please email us at security@libp2p.io.


Release Notes

libp2p/js-libp2p (libp2p)

v0.38.0: libp2p v0.38.0

Compare Source

⚠ BREAKING CHANGES
  • Streams are now Duplex<Uint8ArrayList, Uint8ArrayList | Uint8Array>
  • connectionManager.peerValue has been removed, use peerStore.tagPeer instead
  • limit protocol streams per-connection (#1255)
  • uses new single-issue libp2p interface modules
Features
Bug Fixes
deps

v0.37.3: libp2p v0.37.3

Compare Source

Bug Fixes

v0.37.2: libp2p v0.37.2

Compare Source

Bug Fixes

v0.37.1: libp2p v0.37.1

Compare Source

Bug Fixes

v0.37.0: libp2p v0.37.0

Compare Source

Upgrading

Please see the migration guide for upgrading to this release: doc/migrations/v0.36-v.037.md

⚠ BREAKING CHANGES
  • types are no longer hand crafted, this module is now ESM only
Features
Bug Fixes

v0.36.2: libp2p v0.36.2

Compare Source

Bug Fixes

v0.36.1: libp2p v0.36.1

Compare Source

Bug Fixes

v0.36.0: libp2p v0.36.0

Compare Source

⚠ BREAKING CHANGES
  • abort-controller dep is gone from dependency tree
  • libp2p.handle, libp2p.registrar.register and the peerstore methods have become async
Features
Bug Fixes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
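The advisory above recommends upgrading because v0.38.0 introduces tighter scoped resource limits (per-peer connection limits, per-connection stream limits) and notes that denying specific peers is a partial stop-gap. The following is an added illustration of that defensive pattern written for this page; it is not js-libp2p's code or API, and every class, method and peer name in it is an assumption chosen for illustration. It replays a constructed event stream in which one peer floods connections and streams while another peer behaves normally, and shows that scoped limits contain the flooding peer without affecting the well-behaved one.

```javascript
// Added example (not js-libp2p's API): per-scope resource limiter.
// Limits are enforced at three scopes: whole node, per peer, per connection.
class ResourceLimiter {
  constructor({ maxConnections = 100, maxConnectionsPerPeer = 4,
                maxStreamsPerConnection = 16, denyPeers = [] } = {}) {
    this.limits = { maxConnections, maxConnectionsPerPeer, maxStreamsPerConnection };
    this.denied = new Set(denyPeers);   // the "deny list" the advisory mentions
    this.connections = new Map();       // connId -> { peer, streams }
    this.perPeer = new Map();           // peer -> number of open connections
    this.nextId = 1;
  }

  // Returns { ok: true, connId } or { ok: false, reason }.
  openConnection(peer) {
    if (this.denied.has(peer)) return { ok: false, reason: 'peer denied' };
    if (this.connections.size >= this.limits.maxConnections) {
      return { ok: false, reason: 'system connection limit' };
    }
    const count = this.perPeer.get(peer) ?? 0;
    if (count >= this.limits.maxConnectionsPerPeer) {
      return { ok: false, reason: 'peer connection limit' };
    }
    const connId = this.nextId++;
    this.connections.set(connId, { peer, streams: 0 });
    this.perPeer.set(peer, count + 1);
    return { ok: true, connId };
  }

  // A stream is only admitted if its parent connection is under its own cap,
  // so one connection cannot consume the whole node's stream budget.
  openStream(connId) {
    const conn = this.connections.get(connId);
    if (!conn) return { ok: false, reason: 'unknown connection' };
    if (conn.streams >= this.limits.maxStreamsPerConnection) {
      return { ok: false, reason: 'stream limit' };
    }
    conn.streams += 1;
    return { ok: true };
  }

  // Releases the connection and its streams; returns false if unknown.
  closeConnection(connId) {
    const conn = this.connections.get(connId);
    if (!conn) return false;
    this.connections.delete(connId);
    const left = this.perPeer.get(conn.peer) - 1;
    if (left === 0) this.perPeer.delete(conn.peer); else this.perPeer.set(conn.peer, left);
    return true;
  }
}

// Replays a list of { type: 'connect' | 'stream', peer } events through the
// limiter and tallies accepted vs. rejected events by reason.
function simulate(events, limits) {
  const limiter = new ResourceLimiter(limits);
  const stats = { accepted: 0, rejected: {} };
  const lastConn = new Map(); // peer -> most recently opened connId
  for (const ev of events) {
    let res;
    if (ev.type === 'connect') {
      res = limiter.openConnection(ev.peer);
      if (res.ok) lastConn.set(ev.peer, res.connId);
    } else {
      res = limiter.openStream(lastConn.get(ev.peer));
    }
    if (res.ok) stats.accepted += 1;
    else stats.rejected[res.reason] = (stats.rejected[res.reason] ?? 0) + 1;
  }
  return stats;
}

// Constructed sample traffic (peer ids are made up for this example):
// QmFlood opens 10 connections then 50 streams, QmGood opens 1 connection
// and 3 streams, QmBanned (on the deny list) tries to connect twice.
function buildSampleEvents() {
  const ev = [];
  for (let i = 0; i < 10; i++) ev.push({ type: 'connect', peer: 'QmFlood' });
  for (let i = 0; i < 50; i++) ev.push({ type: 'stream', peer: 'QmFlood' });
  ev.push({ type: 'connect', peer: 'QmGood' });
  for (let i = 0; i < 3; i++) ev.push({ type: 'stream', peer: 'QmGood' });
  ev.push({ type: 'connect', peer: 'QmBanned' }, { type: 'connect', peer: 'QmBanned' });
  return ev;
}

const SAMPLE_LIMITS = { maxConnectionsPerPeer: 4, maxStreamsPerConnection: 16, denyPeers: ['QmBanned'] };

console.log(JSON.stringify(simulate(buildSampleEvents(), SAMPLE_LIMITS)));
```

With the sample limits, the flooding peer gets only 4 connections and 16 streams on its latest connection; its remaining 6 connection attempts and 34 stream attempts are refused, the denied peer is refused outright, and the well-behaved peer's 4 events all succeed. The point of scoping the limits this way, rather than only capping a node-wide total, is that a single remote peer cannot exhaust the budget that other peers rely on.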

cloudflare-pages bot commented Dec 8, 2022

Deploying with Cloudflare Pages

Latest commit: 0e60c7a
Status: 🚫 Build failed.

renovate bot force-pushed the renovate/npm-libp2p-vulnerability branch from e0bca36 to 9b225cc on January 18, 2023 23:02
renovate bot force-pushed the renovate/npm-libp2p-vulnerability branch from 9b225cc to fce4bcc on February 23, 2023 02:51
renovate bot force-pushed the renovate/npm-libp2p-vulnerability branch 2 times, most recently from 3a24b41 to 7e44223 on March 14, 2023 03:10
renovate bot force-pushed the renovate/npm-libp2p-vulnerability branch from 7e44223 to dc87ae9 on March 29, 2023 20:58
renovate bot force-pushed the renovate/npm-libp2p-vulnerability branch 2 times, most recently from 12a98ce to 1947bf9 on May 26, 2023 16:14
renovate bot force-pushed the renovate/npm-libp2p-vulnerability branch 2 times, most recently from db9a194 to a5ba9f8 on July 2, 2023 09:32
renovate bot force-pushed the renovate/npm-libp2p-vulnerability branch from a5ba9f8 to 6a89745 on July 11, 2023 01:10
renovate bot force-pushed the renovate/npm-libp2p-vulnerability branch from 6a89745 to 36dd756 on July 28, 2023 22:35
renovate bot force-pushed the renovate/npm-libp2p-vulnerability branch from 36dd756 to 9867dff on August 13, 2023 22:01
renovate bot force-pushed the renovate/npm-libp2p-vulnerability branch from 9867dff to 0e60c7a on August 14, 2023 22:16