From 07d11ab01154a0206e99da5244152484873694a9 Mon Sep 17 00:00:00 2001
From: Gus Eggert
Date: Wed, 9 Mar 2022 10:31:07 -0500
Subject: [PATCH 1/8] fix: listen on loopback for API and gateway ports in docker-compose.yaml (#8773)

(cherry picked from commit 816a128aaf963d72c4930852ce32b9a4e31924a1)
---
 docker-compose.yaml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/docker-compose.yaml b/docker-compose.yaml
index eaf947cb3..447a1474b 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -10,11 +10,18 @@ services:
 environment:
 - IPFS_PATH=/data/ipfs
 ports:
+ # Swarm listens on all interfaces, so is remotely reachable.
 - 4001:4001/tcp
 - 4001:4001/udp
- - 5001:5001
- - 8080:8080
- - 8081:8081
+
+ # The following ports only listen on the loopback interface, so are not remotely reachable by default.
+ # If you want to override these or add more ports, see https://docs.docker.com/compose/extends/ .
+
+ # API port, which includes admin operations, so you probably don't want this remotely accessible.
+ - 127.0.0.1:5001:5001
+
+ # HTTP Gateway
+ - 127.0.0.1:8080:8080
 volumes:
 ipfs_path:
 ipfs_fuse:

From b21eeef406a76cd52e5a3672cd702b93c4baca3d Mon Sep 17 00:00:00 2001
From: Gus Eggert
Date: Wed, 16 Mar 2022 17:50:11 -0400
Subject: [PATCH 2/8] docs: update changelog v0.12.1

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3d4cbefe2..502c6cc83 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
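Review bot: The `- 8081:8081` mapping is removed outright rather than moved to loopback like 5001 and 8080, and neither the hunk comments nor the commit message say why; a one-line comment in the `ports:` block would keep the next maintainer from re-adding it on all interfaces, e.g. `# 8081 is intentionally not mapped; add it here only if the node is configured to listen on that port.` The new loopback comment should also say that `127.0.0.1:` restricts only the host side: if the daemon inside the container binds its API to all container interfaces (confirm against the image's entrypoint), other containers on the same compose network can still reach port 5001. Binding to the host loopback is the right mechanism here rather than a host firewall rule, since Docker installs its own iptables rules for published ports and those are evaluated before the host's usual INPUT rules.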
@@ -1,5 +1,8 @@
 # go-ipfs changelog
 
+## v0.12.1 2022-03-10
+This patch release [fixes](https://github.com/ipfs/go-ipfs/commit/816a128aaf963d72c4930852ce32b9a4e31924a1) a security issue with the `docker-compose.yaml` file, introduced in v0.11.0, in which the IPFS daemon API listens on all interfaces instead of only the loopback interface, which could allow remote callers to control your IPFS daemon. If you use the included `docker-compose.yaml` file, it is recommended to upgrade.
+
 ## v0.12.0 2022-02-17
 
 We're happy to announce go-ipfs 0.12.0. This release switches the storage of IPLD blocks to be keyed by multihash instead of CID.

From 6f9f6b58b5ad784f99c82d9668141bb7ce3ce388 Mon Sep 17 00:00:00 2001
From: Gus Eggert
Date: Wed, 16 Mar 2022 17:50:31 -0400
Subject: [PATCH 3/8] Release v0.12.1

---
 version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.go b/version.go
index 07019c1aa..128abc9e2 100644
--- a/version.go
+++ b/version.go
@@ -4,7 +4,7 @@ package ipfs
 var CurrentCommit string
 
 // CurrentVersionNumber is the current application's version literal
-const CurrentVersionNumber = "0.12.0"
+const CurrentVersionNumber = "0.12.1"
 
 const ApiVersion = "/go-ipfs/" + CurrentVersionNumber + "/"
 

From 2685983536b30d30189e25d578f6f5d598c37513 Mon Sep 17 00:00:00 2001
From: Adin Schmahmann
Date: Mon, 14 Mar 2022 15:29:22 -0400
Subject: [PATCH 4/8] chore: update go-codec-dagpb

---
 go.mod | 2 +-
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 0ea335814..817d80ef3 100644
--- a/go.mod
+++ b/go.mod
@@ -60,7 +60,7 @@ require (
 github.com/ipfs/interface-go-ipfs-core v0.5.2
 github.com/ipfs/tar-utils v0.0.2
 github.com/ipld/go-car v0.3.2
- github.com/ipld/go-codec-dagpb v1.3.0
+ github.com/ipld/go-codec-dagpb v1.3.2
 github.com/ipld/go-ipld-prime v0.14.2
 github.com/jbenet/go-random v0.0.0-20190219211222-123a90aedc0c
 github.com/jbenet/go-temp-err-catcher v0.1.0
diff --git a/go.sum b/go.sum
index 49a1addff..c6c8ad488 100644
--- a/go.sum
+++ b/go.sum
@@ -583,8 +583,9 @@ github.com/ipfs/tar-utils v0.0.2/go.mod h1:4qlnRWgTVljIMhSG2SqRYn66NT+3wrv/kZt9V
 github.com/ipld/go-car v0.3.2 h1:V9wt/80FNfbMRWSD98W5br6fyjUAyVgI2lDOTZX16Lg=
 github.com/ipld/go-car v0.3.2/go.mod h1:WEjynkVt04dr0GwJhry0KlaTeSDEiEYyMPOxDBQ17KE=
 github.com/ipld/go-codec-dagpb v1.2.0/go.mod h1:6nBN7X7h8EOsEejZGqC7tej5drsdBAXbMHyBT+Fne5s=
-github.com/ipld/go-codec-dagpb v1.3.0 h1:czTcaoAuNNyIYWs6Qe01DJ+sEX7B+1Z0LcXjSatMGe8=
 github.com/ipld/go-codec-dagpb v1.3.0/go.mod h1:ga4JTU3abYApDC3pZ00BC2RSvC3qfBb9MSJkMLSwnhA=
+github.com/ipld/go-codec-dagpb v1.3.2 h1:MZQUIjanHXXfDuYmtWYT8nFbqfFsZuyHClj6VDmSXr4=
+github.com/ipld/go-codec-dagpb v1.3.2/go.mod h1:ga4JTU3abYApDC3pZ00BC2RSvC3qfBb9MSJkMLSwnhA=
 github.com/ipld/go-ipld-prime v0.9.0/go.mod h1:KvBLMr4PX1gWptgkzRjVZCrLmSGcZCb/jioOQwCqZN8=
 github.com/ipld/go-ipld-prime v0.9.1-0.20210324083106-dc342a9917db/go.mod h1:KvBLMr4PX1gWptgkzRjVZCrLmSGcZCb/jioOQwCqZN8=
 github.com/ipld/go-ipld-prime v0.11.0/go.mod h1:+WIAkokurHmZ/KwzDOMUuoeJgaRQktHtEaLglS3ZeV8=

From 5fc3338c751130ae02ebd134579c8b6b0a4fbf4e Mon Sep 17 00:00:00 2001
From: Adin Schmahmann
Date: Thu, 17 Mar 2022 14:56:52 -0400
Subject: [PATCH 5/8] docs: update changelog for v0.12.2 and v0.11.1

---
 CHANGELOG.md | 47 +++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 45 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 502c6cc83..6836ba00a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,50 @@
 # go-ipfs changelog
 
-## v0.12.1 2022-03-10
-This patch release [fixes](https://github.com/ipfs/go-ipfs/commit/816a128aaf963d72c4930852ce32b9a4e31924a1) a security issue with the `docker-compose.yaml` file, introduced in v0.11.0, in which the IPFS daemon API listens on all interfaces instead of only the loopback interface, which could allow remote callers to control your IPFS daemon. If you use the included `docker-compose.yaml` file, it is recommended to upgrade.
+## v0.12.2 and v0.11.1 2022-04-08
+
+This patch release fixes a security issue wherein traversing some malformed DAGs can cause the node to panic.
+
+See also the security advisory: https://github.com/ipfs/go-ipfs/security/advisories/GHSA-mcq2-w56r-5w2w
+
+Note: the v0.11.1 patch release contains the Docker compose fix from v0.12.1 as well
+
+### Changelog
+
+
+Full Changelog
+- github.com/ipld/go-codec-dagpb (v1.3.0 -> v1.3.2):
+ - fix: use protowire for Links bytes decoding
+
+
+### ❤ Contributors
+
+| Contributor | Commits | Lines ± | Files Changed |
+|-------------|---------|---------|---------------|
+| Rod Vagg | 1 | +34/-19 | 2 |
+
+## v0.12.1 2022-03-17
+
+This patch release [fixes](https://github.com/ipfs/go-ipfs/commit/816a128aaf963d72c4930852ce32b9a4e31924a1) a security issue with the `docker-compose.yaml` file in which the IPFS daemon API listens on all interfaces instead of only the loopback interface, which could allow remote callers to control your IPFS daemon. If you use the included `docker-compose.yaml` file, it is recommended to upgrade.
+
+See also the security advisory: https://github.com/ipfs/go-ipfs/security/advisories/GHSA-fx5p-f64h-93xc
+
+Thanks to @LynHyper for finding and disclosing this.
+
+### Changelog
+
+
+Full Changelog
+
+- github.com/ipfs/go-ipfs:
+ - fix: listen on loopback for API and gateway ports in docker-compose.yaml
+
+
+
+### ❤ Contributors
+
+| Contributor | Commits | Lines ± | Files Changed |
+|-------------|---------|---------|---------------|
+| guseggert | 1 | +10/-3 | 1 |
 
 ## v0.12.0 2022-02-17
 

From 2e4fdb267db62c09c661d8a0b6ab33d8ee6ee2e7 Mon Sep 17 00:00:00 2001
From: Adin Schmahmann
Date: Fri, 8 Apr 2022 11:52:55 -0400
Subject: [PATCH 6/8] ci: test against the correct version of go-ipfs-http-client

---
 .circleci/main.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.circleci/main.yml b/.circleci/main.yml
index 19e6f0573..aac1da52b 100644
--- a/.circleci/main.yml
+++ b/.circleci/main.yml
@@ -292,6 +292,9 @@ jobs:
 command: |
 git clone https://github.com/ipfs/go-ipfs-http-client.git
 git -C go-ipfs-http-client log -1
+ cd go-ipfs-http-client
+ git checkout v0.2.0
+ cd ..
 - restore_cache:
 keys:
 - v1-http-client-{{ checksum "~/ipfs/go-ipfs/go-ipfs-http-client/go.sum" }}

From d7b60d44fd86937e69faade9c01760354b7b8be7 Mon Sep 17 00:00:00 2001
From: Adin Schmahmann
Date: Fri, 8 Apr 2022 14:17:30 -0400
Subject: [PATCH 7/8] build: update to Go 1.16.15

---
 .circleci/main.yml | 8 ++++----
 Dockerfile | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.circleci/main.yml b/.circleci/main.yml
index aac1da52b..1fe38fc7a 100644
--- a/.circleci/main.yml
+++ b/.circleci/main.yml
@@ -36,7 +36,7 @@ default_environment: &default_environment
 executors:
 golang:
 docker:
- - image: cimg/go:1.16.12
+ - image: cimg/go:1.16.15
 working_directory: ~/ipfs/go-ipfs
 environment:
 <<: *default_environment
@@ -61,7 +61,7 @@ executors:
 E2E_IPFSD_TYPE: go
 dockerizer:
 docker:
- - image: cimg/go:1.16.12
+ - image: cimg/go:1.16.15
 environment:
 IMAGE_NAME: ipfs/go-ipfs
 WIP_IMAGE_TAG: wip
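Review bot: The new `git checkout v0.2.0` runs after the existing `git -C go-ipfs-http-client log -1`, so the commit the job prints is the default-branch head rather than the revision actually tested; the log should move after the checkout. The three added lines can also follow the style of the existing line instead of changing directories: `git -C go-ipfs-http-client checkout v0.2.0` followed by `git -C go-ipfs-http-client log -1`. Because `v0.2.0` is a tag and tags can be moved, checking out the tag's commit hash (with the tag named in a comment) would make the tested revision reproducible rather than dependent on the tag staying put; that hash is not on this page and has to be taken from the upstream repository. The `run` step this `command:` belongs to begins above the hunk.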
@@ -150,8 +150,8 @@ jobs:
 - run: sudo apt update
 - run: |
 mkdir ~/localgo && cd ~/localgo
- wget https://golang.org/dl/go1.16.12.linux-amd64.tar.gz
- tar xfz go1.16.12.linux-amd64.tar.gz
+ wget https://golang.org/dl/go1.16.15.linux-amd64.tar.gz
+ tar xfz go1.16.15.linux-amd64.tar.gz
 echo "export PATH=$(pwd)/go/bin:\$PATH" >> ~/.bashrc
 - run: go version
 - run: sudo apt install socat net-tools
diff --git a/Dockerfile b/Dockerfile
index 5be170b5e..751ba6a9f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Note: when updating the go minor version here, also update the go-channel in snap/snapcraft.yml
-FROM golang:1.16.12-buster
+FROM golang:1.16.15-buster
 LABEL maintainer="Steven Allen "
 
 # Install deps

From 9b5ff415a054300a4803b970689d28cb3f5d385c Mon Sep 17 00:00:00 2001
From: Adin Schmahmann
Date: Fri, 18 Mar 2022 09:26:26 -0400
Subject: [PATCH 8/8] Release v0.12.2

---
 version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.go b/version.go
index 128abc9e2..79b1721a2 100644
--- a/version.go
+++ b/version.go
@@ -4,7 +4,7 @@ package ipfs
 var CurrentCommit string
 
 // CurrentVersionNumber is the current application's version literal
-const CurrentVersionNumber = "0.12.1"
+const CurrentVersionNumber = "0.12.2"
 
 const ApiVersion = "/go-ipfs/" + CurrentVersionNumber + "/"
 