FS#70152 : [go-ipfs] [Security] multiple issues (CVE-2020-26283 CVE-2020-26279)

FS#70152 - [go-ipfs] [Security] multiple issues (CVE-2020-26283 CVE-2020-26279)

Attached to Project: Community Packages
Opened by Jonas Witschel (diabonas) - Wednesday, 24 March 2021, 23:15 GMT
Last edited by Johannes Löthberg (demize) - Friday, 26 March 2021, 16:02 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Johannes Löthberg (demize) Levente Polyak (anthraxx)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	1 Discordian (Discordian) (2021-03-25)
Private	No

Details

Summary
=======

The package go-ipfs is vulnerable to multiple issues including directory traversal and content spoofing via CVE-2020-26283 and CVE-2020-26279.

Guidance
========

Upgrading go-ipfs to version 0.8.0 (https://github.com/ipfs/go-ipfs/releases/tag/v0.8.0) fixes the issues.

References
==========

https://security.archlinux.org/AVG-1735
https://github.com/ipfs/go-ipfs/security/advisories/GHSA-r4gv-vj59-cccm
https://github.com/ipfs/go-ipfs/pull/7831
https://github.com/ipfs/go-ipfs/commit/fb0a9acd2d8288bd1028c3219a420de62a09683a
https://github.com/ipfs/go-ipfs/security/advisories/GHSA-27pv-q55r-222g
https://github.com/ipfs/go-ipfs/commit/79d96815a8d396b46acefa25d35b7c5997de6853
https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227

This task depends upon

Closed by Johannes Löthberg (demize)
Friday, 26 March 2021, 16:02 GMT
Reason for closing: Fixed
Additional comments about closing: 0.8.0-1 in community

Comment by Discordian (Discordian) - Thursday, 25 March 2021, 13:28 GMT

Hello, I've been waiting on the v0.8.0 upgrade. I would be happy to maintain the package if necessary. Thanks!

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#70152 - [go-ipfs] [Security] multiple issues (CVE-2020-26283 CVE-2020-26279)

Details

Loading...