From 2685983536b30d30189e25d578f6f5d598c37513 Mon Sep 17 00:00:00 2001 From: Adin Schmahmann Date: Mon, 14 Mar 2022 15:29:22 -0400 Subject: [PATCH 1/5] chore: update go-codec-dagpb --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 0ea335814d6..817d80ef365 100644 --- a/go.mod +++ b/go.mod @@ -60,7 +60,7 @@ require ( github.com/ipfs/interface-go-ipfs-core v0.5.2 github.com/ipfs/tar-utils v0.0.2 github.com/ipld/go-car v0.3.2 - github.com/ipld/go-codec-dagpb v1.3.0 + github.com/ipld/go-codec-dagpb v1.3.2 github.com/ipld/go-ipld-prime v0.14.2 github.com/jbenet/go-random v0.0.0-20190219211222-123a90aedc0c github.com/jbenet/go-temp-err-catcher v0.1.0 diff --git a/go.sum b/go.sum index 49a1addffe4..c6c8ad488db 100644 --- a/go.sum +++ b/go.sum @@ -583,8 +583,9 @@ github.com/ipfs/tar-utils v0.0.2/go.mod h1:4qlnRWgTVljIMhSG2SqRYn66NT+3wrv/kZt9V github.com/ipld/go-car v0.3.2 h1:V9wt/80FNfbMRWSD98W5br6fyjUAyVgI2lDOTZX16Lg= github.com/ipld/go-car v0.3.2/go.mod h1:WEjynkVt04dr0GwJhry0KlaTeSDEiEYyMPOxDBQ17KE= github.com/ipld/go-codec-dagpb v1.2.0/go.mod h1:6nBN7X7h8EOsEejZGqC7tej5drsdBAXbMHyBT+Fne5s= -github.com/ipld/go-codec-dagpb v1.3.0 h1:czTcaoAuNNyIYWs6Qe01DJ+sEX7B+1Z0LcXjSatMGe8= github.com/ipld/go-codec-dagpb v1.3.0/go.mod h1:ga4JTU3abYApDC3pZ00BC2RSvC3qfBb9MSJkMLSwnhA= +github.com/ipld/go-codec-dagpb v1.3.2 h1:MZQUIjanHXXfDuYmtWYT8nFbqfFsZuyHClj6VDmSXr4= +github.com/ipld/go-codec-dagpb v1.3.2/go.mod h1:ga4JTU3abYApDC3pZ00BC2RSvC3qfBb9MSJkMLSwnhA= github.com/ipld/go-ipld-prime v0.9.0/go.mod h1:KvBLMr4PX1gWptgkzRjVZCrLmSGcZCb/jioOQwCqZN8= github.com/ipld/go-ipld-prime v0.9.1-0.20210324083106-dc342a9917db/go.mod h1:KvBLMr4PX1gWptgkzRjVZCrLmSGcZCb/jioOQwCqZN8= github.com/ipld/go-ipld-prime v0.11.0/go.mod h1:+WIAkokurHmZ/KwzDOMUuoeJgaRQktHtEaLglS3ZeV8= From 5fc3338c751130ae02ebd134579c8b6b0a4fbf4e Mon Sep 17 00:00:00 2001 
From: Adin Schmahmann Date: Thu, 17 Mar 2022 14:56:52 -0400 Subject: [PATCH 2/5] docs: update changelog for v0.12.2 and v0.11.1 --- CHANGELOG.md | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 502c6cc8365..6836ba00a93 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,50 @@ # go-ipfs changelog -## v0.12.1 2022-03-10 -This patch release [fixes](https://github.com/ipfs/go-ipfs/commit/816a128aaf963d72c4930852ce32b9a4e31924a1) a security issue with the `docker-compose.yaml` file, introduced in v0.11.0, in which the IPFS daemon API listens on all interfaces instead of only the loopback interface, which could allow remote callers to control your IPFS daemon. If you use the included `docker-compose.yaml` file, it is recommended to upgrade. +## v0.12.2 and v0.11.1 2022-04-08 + +This patch release fixes a security issue wherein traversing some malformed DAGs can cause the node to panic. + +See also the security advisory: https://github.com/ipfs/go-ipfs/security/advisories/GHSA-mcq2-w56r-5w2w + +Note: the v0.11.1 patch release contains the Docker compose fix from v0.12.1 as well + +### Changelog + +
+Full Changelog +- github.com/ipld/go-codec-dagpb (v1.3.0 -> v1.3.2): + - fix: use protowire for Links bytes decoding +
+ +### ❤ Contributors + +| Contributor | Commits | Lines ± | Files Changed | +|-------------|---------|---------|---------------| +| Rod Vagg | 1 | +34/-19 | 2 | + +## v0.12.1 2022-03-17 + +This patch release [fixes](https://github.com/ipfs/go-ipfs/commit/816a128aaf963d72c4930852ce32b9a4e31924a1) a security issue with the `docker-compose.yaml` file in which the IPFS daemon API listens on all interfaces instead of only the loopback interface, which could allow remote callers to control your IPFS daemon. If you use the included `docker-compose.yaml` file, it is recommended to upgrade. + +See also the security advisory: https://github.com/ipfs/go-ipfs/security/advisories/GHSA-fx5p-f64h-93xc + +Thanks to @LynHyper for finding and disclosing this. + +### Changelog + +
+Full Changelog + +- github.com/ipfs/go-ipfs: + - fix: listen on loopback for API and gateway ports in docker-compose.yaml + +
+
+### ❤ Contributors
+
+| Contributor | Commits | Lines ± | Files Changed |
+|-------------|---------|---------|---------------|
+| guseggert | 1 | +10/-3 | 1 |
 ## v0.12.0 2022-02-17
From 2e4fdb267db62c09c661d8a0b6ab33d8ee6ee2e7 Mon Sep 17 00:00:00 2001
From: Adin Schmahmann
Date: Fri, 8 Apr 2022 11:52:55 -0400
Subject: [PATCH 3/5] ci: test against the correct version of go-ipfs-http-client
---
 .circleci/main.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.circleci/main.yml b/.circleci/main.yml
index 19e6f0573e3..aac1da52b03 100644
--- a/.circleci/main.yml
+++ b/.circleci/main.yml
@@ -292,6 +292,9 @@ jobs:
 command: |
 git clone https://github.com/ipfs/go-ipfs-http-client.git
 git -C go-ipfs-http-client log -1
+ cd go-ipfs-http-client
+ git checkout v0.2.0
+ cd ..
 - restore_cache:
 keys:
 - v1-http-client-{{ checksum "~/ipfs/go-ipfs/go-ipfs-http-client/go.sum" }}
From d7b60d44fd86937e69faade9c01760354b7b8be7 Mon Sep 17 00:00:00 2001
From: Adin Schmahmann
Date: Fri, 8 Apr 2022 14:17:30 -0400
Subject: [PATCH 4/5] build: update to Go 1.16.15
---
 .circleci/main.yml | 8 ++++----
 Dockerfile | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.circleci/main.yml b/.circleci/main.yml
index aac1da52b03..1fe38fc7a76 100644
--- a/.circleci/main.yml
+++ b/.circleci/main.yml
@@ -36,7 +36,7 @@ default_environment: &default_environment
 executors:
 golang:
 docker:
- - image: cimg/go:1.16.12
+ - image: cimg/go:1.16.15
 working_directory: ~/ipfs/go-ipfs
 environment:
 <<: *default_environment
@@ -61,7 +61,7 @@ executors:
 E2E_IPFSD_TYPE: go
 dockerizer:
 docker:
- - image: cimg/go:1.16.12
+ - image: cimg/go:1.16.15
 environment:
 IMAGE_NAME: ipfs/go-ipfs
 WIP_IMAGE_TAG: wip
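Review bot: In the `.circleci/main.yml` hunk at `-292,6 +292,9` (PATCH 3/5), `git checkout v0.2.0` pins the client tests to a tag, and a tag can be re-pointed upstream, so this file alone does not fix which code CI runs; checking out the full commit hash the tag resolves to, `git -C go-ipfs-http-client checkout <COMMIT_SHA_FOR_V0.2.0>`, would. The existing `git -C go-ipfs-http-client log -1` runs before the checkout, so the job log records the default-branch head rather than the commit that is actually tested; it should move to after the checkout. Using `git -C` for the checkout also removes the `cd go-ipfs-http-client` / `cd ..` pair. The `command:` block starts above the hunk, so its earlier lines are not visible here.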
@@ -150,8 +150,8 @@ jobs:
 - run: sudo apt update
 - run: |
 mkdir ~/localgo && cd ~/localgo
- wget https://golang.org/dl/go1.16.12.linux-amd64.tar.gz
- tar xfz go1.16.12.linux-amd64.tar.gz
+ wget https://golang.org/dl/go1.16.15.linux-amd64.tar.gz
+ tar xfz go1.16.15.linux-amd64.tar.gz
 echo "export PATH=$(pwd)/go/bin:\$PATH" >> ~/.bashrc
 - run: go version
 - run: sudo apt install socat net-tools
diff --git a/Dockerfile b/Dockerfile
index 5be170b5e07..751ba6a9f23 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Note: when updating the go minor version here, also update the go-channel in snap/snapcraft.yml
-FROM golang:1.16.12-buster
+FROM golang:1.16.15-buster
 LABEL maintainer="Steven Allen "
 # Install deps
From 9b5ff415a054300a4803b970689d28cb3f5d385c Mon Sep 17 00:00:00 2001
From: Adin Schmahmann
Date: Fri, 18 Mar 2022 09:26:26 -0400
Subject: [PATCH 5/5] Release v0.12.2
---
 version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version.go b/version.go
index 128abc9e21e..79b1721a285 100644
--- a/version.go
+++ b/version.go
@@ -4,7 +4,7 @@ package ipfs
 var CurrentCommit string
 // CurrentVersionNumber is the current application's version literal
-const CurrentVersionNumber = "0.12.1"
+const CurrentVersionNumber = "0.12.2"
 const ApiVersion = "/go-ipfs/" + CurrentVersionNumber + "/"
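Review bot: In the `.circleci/main.yml` hunk at `-150,8 +150,8` (PATCH 4/5), the archive fetched by `wget https://golang.org/dl/go1.16.15.linux-amd64.tar.gz` is unpacked by `tar xfz` and put on `PATH` with no integrity check, so the job runs whatever toolchain the download returns. Verifying it against the SHA-256 published for that release before extracting closes this, for example `echo "<SHA256_OF_go1.16.15.linux-amd64.tar.gz>  go1.16.15.linux-amd64.tar.gz" | sha256sum -c -` placed between the two lines. The check would have to be updated together with the version on each bump, so a short comment next to the URL saying so would help the next maintainer.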