go-ipfs v0.13.1 Release
This release includes security fixes for various DOS vectors when importing untrusted user input with ipfs dag import
and the v0/dag/import endpoint.
View the linked security advisory for more information.
Changelog
Full Changelog
- github.com/ipfs/go-ipfs:
- chore: update car
- github.com/ipld/go-car (v0.3.2 -> v0.4.0) & (v2.1.1 -> v2.4.0):
- Bump version in prep for releasing go-car
v0 - Revert changes to
insertionindex - Revert changes to
index.Indexwhile keeping most of security fixes - Return error when section length is invalid
varint - Drop repeated package name from
CarStats - Benchmark
Reader.Inspectwith and without hash validation - Use consistent CID mismatch error in
InspectandBlockReader.Next - Use streaming APIs to verify the hash of blocks in CAR
Inspect - test: add fuzzing for reader#Inspect
- feat: add block hash validation to Inspect()
- feat: add Reader#Inspect() function to check basic validity of a CAR and return stats
- Remove support for
ForEachenumeration from car-index-sorted - Use a fix code as the multihash code for
CarIndexSorted - Fix testutil assertion logic and update index generation tests
- fix: tighter constraint of singleWidthIndex width, add index recommentation docs
- fix: explicitly disable serialization of insertionindex
- feat: MaxAllowed{Header,Section}Size option
- feat: MaxAllowedSectionSize default to 32M
- fix: use CidFromReader() which has overread and OOM protection
- fix: staticcheck catches
- fix: revert to internalio.NewOffsetReadSeeker in Reader#IndexReader
- fix index comparisons
- feat: Refactor indexes to put storage considerations on consumers
- test: v2 add fuzzing of the index
- fix: v2 don't divide by zero in width indexes
- fix: v2 don't allocate indexes too big
- test: v2 add fuzzing to Reader
- fix: v2 don't accept overflowing offsets while reading v2 headers
- test: v2 add fuzzing to BlockReader
- fix: v2 don't OOM if the header size is too big
- test: add fuzzing of NewCarReader
- fix: do bound check while checking for CIDv0
- fix: don't OOM if the header size is too big
- Add API to regenerate index from CARv1 or CARv2
- PrototypeChooser support (#305) (ipld/go-car#305)
- bump to newer blockstore err not found (#301) (ipld/go-car#301)
- Car command supports for
largebytesnodes (#296) (ipld/go-car#296) - fix(test): rootless fixture should have no roots, not null roots
- Allow extracton of a raw unixfs file (#284) (ipld/go-car#284)
- cmd/car: use a better install command in the README
- feat: --version selector for
car create& update deps - feat: add option to create blockstore that writes a plain CARv1 (#288) (ipld/go-car#288)
- add
car detach-index listto list detached index contents (#287) (ipld/go-car#287) - add
car rootcommand (#283) (ipld/go-car#283) - make specification of root cid in get-dag command optional (#281) (ipld/go-car#281)
- Update
version.jsonafter manual tag push - Update v2 to context datastores (#275) (ipld/go-car#275)
- update context datastore (ipld/go-car#273)
- Traversal-based car creation (#269) (ipld/go-car#269)
- Seek to start before index generation in
ReadOnlyblockstore - support extraction of unixfs content stored in car files (#263) (ipld/go-car#263)
- Add a barebones readme to the car CLI (#262) (ipld/go-car#262)
- sync: update CI config files (#261) (ipld/go-car#261)
- fix!: use -version=n instead of -v1 for index command
- feat: fix get-dag and add version=1 option
- creation of car from file / directory (#246) (ipld/go-car#246)
- forEach iterates over index in stable order (#258) (ipld/go-car#258)
- Bump version in prep for releasing go-car
- github.com/multiformats/go-multicodec (v0.4.1 -> v0.5.0):
- Bump version to 0.5.0
- Bump version to 0.4.2
- deps: update stringer version in go generate command
- docs(readme): improved usage examples (#66) (multiformats/go-multicodec#66)
❤ Contributors
| Contributor | Commits | Lines ± | Files Changed |
|---|---|---|---|
| Masih H. Derkani | 27 | +1494/-1446 | 100 |
| Rod Vagg | 31 | +2021/-606 | 105 |
| Will | 19 | +1898/-151 | 69 |
| Jorropo | 27 | +1638/-248 | 76 |
| Aayush Rajasekaran | 1 | +130/-100 | 10 |
| whyrusleeping | 1 | +24/-22 | 4 |
| Marcin Rataj | 1 | +27/-1 | 1 |