x/vulndb: potential Go vuln in github.com/ipfs/kubo: GHSA-qvqg-6rp8-4p9h

[GoVulnBot]

In GitHub Security Advisory GHSA-qvqg-6rp8-4p9h, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/ipfs/kubo	0.19.0	< 0.19.0

Cross references:

• Module github.com/ipfs/kubo appears in issue x/vulndb: potential Go vuln in github.com/ipfs/kubo: GHSA-mcq2-w56r-5w2w #423 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/ipfs/kubo
    versions:
      - fixed: 0.19.0
    packages:
      - package: github.com/ipfs/kubo
summary: github.com/ipfs/kubo affected by DOS Bitswap unbounded persistent memory
    leak
description: |-
    ### Impact
    An attacker is able allocate arbitrarily many bytes in the Bitswap server by sending many `WANT_BLOCK` and or `WANT_HAVE` requests which are queued in an unbounded queue, with allocations that persist even if the connection is closed.

    This affects users accepting or connecting untrusted connections such as by running in the public swarm and no pnet config.
    Nodes that are not publicly reachable but connects to untrusted nodes are also vulnerable to the untrusted nodes being connected to since libp2p connections are blindly bidirectional.

    ### Patches
    - 19feb15833c6f4d6e7f1e1b132efaae96d76481d [`boxo`](https://github.com/ipfs/boxo) update in Kubo
    - GHSA-m974-xj4j-7qv5 patches in boxo

    ### Workarounds

    Use [PNET](https://github.com/ipfs/kubo/blob/master/docs/experimental-features.md#private-networks), [swarm filters](https://github.com/ipfs/kubo/blob/master/docs/config.md#swarmaddrfilters) or [resource manager allows list](https://pkg.go.dev/github.com/libp2p/go-libp2p/p2p/host/resource-manager#readme-allowlisting-multiaddrs-to-mitigate-eclipse-attacks) to block untrusted connections.

    Note that using the resource manager will disrupt both client and server features because the bitswap protocol is a message based protocol mixing requests and responses.

    ### References
    - GHSA-m974-xj4j-7qv5
    - [CVE-2023-25568](https://nvd.nist.gov/vuln/detail/CVE-2023-25568)
ghsas:
  - GHSA-qvqg-6rp8-4p9h
references:
  - advisory: https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5
  - advisory: https://github.com/ipfs/kubo/security/advisories/GHSA-qvqg-6rp8-4p9h
  - web: https://nvd.nist.gov/vuln/detail/CVE-2023-25568
  - advisory: https://github.com/advisories/GHSA-qvqg-6rp8-4p9h

[Jorropo]

Transitive #1766

[gopherbot]

Change https://go.dev/cl/495335 mentions this issue: data/excluded: batch add GO-2023-1775, GO-2023-1778, GO-2023-1774, GO-2023-1771, GO-2023-1769, GO-2023-1768, GO-2023-1779