SUSE Package Hub - openSUSE-2025-51

Update Info

openSUSE-2025-51

Security update for kubo

Type: security
Severity: moderate
Issued: 2025-02-03
Description:
This update for kubo fixes the following issues:

Update to 0.32.1:

  * https://github.com/ipfs/kubo/releases/tag/v0.32.1
  * AutoTLS: Automatic Certificates for libp2p WebSockets via libp2p.direct
  * Dependency updates
    + ipfs-webui to v4.4.0
    + boxo to v0.24.3
    + go-libp2p to v0.37.0
    + go-libp2p-kad-dht to v0.28.1
    + go-libp2p-pubsub to v0.12.0
    + p2p-forge/client to v0.0.2

- Update to 0.31.0 - for details see
  * https://github.com/ipfs/kubo/releases/tag/v0.31.0
  * Experimental Pebble Datastore
  * New metrics
  * lowpower profile no longer breaks DHT announcements
  * go 1.23, boxo 0.24 and go-libp2p 0.36.5
- Update to 0.30.0 - for details see
  * https://github.com/ipfs/kubo/releases/tag/v0.30.0
  * Improved P2P connectivity
  * Refactored Bitswap and dag-pb chunker
  * WebRTC-Direct Transport enabled by default
  * UnixFS 1.5: Mode and Modification Time Support
  * AutoNAT V2 Service Introduced Alongside V1
  * Automated ipfs version check
  * Version Suffix Configuration
  * /unix/ socket support in Addresses.API
  * Cleaned Up ipfs daemon Startup Log
  * Commands Preserve Specified Hostname 

- Update to 0.29.0 - for details see
  * https://github.com/ipfs/kubo/releases/tag/v0.29.0
  * Add search functionality for pin names
  * Customizing ipfs add defaults
- drop upstream 10243.patch
- drop upstream kubo-0.27.0-CVE-2024-22189.patch

- Add kubo-0.27.0-CVE-2024-22189.patch to avoid
  quic-go memory exhaustion attack (boo#1222479, CVE-2024-22189)

- Update to 0.27.0 - for details see
  * https://github.com/ipfs/kubo/releases/tag/v0.27.0
  * Gateway: support for /api/v0 is deprecated
  * IPNS resolver cache's TTL can now be configured via Ipns.MaxCacheTTL
  * RPC client: deprecated DHT API, added Routing API
  * Deprecated DHT commands removed from /api/v0/dht
  * Repository migrations are now trustless
- Let .service files wait for network-online.target (boo#1222194)

- Update to 0.26.0 - for details see
  * https://github.com/ipfs/kubo/releases/tag/v0.26.0
  * Removed several deprecated commands
  * Support optional pin names
  * jaeger trace exporter has been removed
  * fix quic-go memory exhaustion attack (boo#1235162, CVE-2023-49295)
- Update to 0.25.0 - for details see
  * https://github.com/ipfs/kubo/releases/tag/v0.25.0
  * WebUI: Updated Peers View
  * Kubo RPC API now supports optional HTTP Authorization.
  * MPLEX Removal
  * Graphsync Experiment Removal
  * Commands ipfs key sign and ipfs key verify

- Add 10243.patch to fix FUSE mounts

- Update to 0.24.0 - for details see
  * https://github.com/ipfs/kubo/releases/tag/v0.24.0
  * Support for content blocking
  * Gateway: the root of the CARs are no longer meaningful
  * IPNS: improved publishing defaults
  * IPNS: record TTL is used for caching
  * Experimental Transport: WebRTC Direct
References

Packages

kubo-0.32.1-bp156.2.3.1