CVE-2024-22189 quic-go: memory exhaustion attack

[bmwiedemann]

Checklist

• [X] This is a bug report, not a question. Ask questions on discuss.ipfs.tech.
• [X] I have searched on the issue tracker for my bug.
• [X] I am running the latest kubo version or have an issue updating.

Installation method

built from source

Version

0.27.0

Config

No response

Description

In https://bugzilla.opensuse.org/show_bug.cgi?id=1222479 our security team made me aware of a security issue in the quic-go version used in kubo.

[Stebalien]

The just-released v0.28 includes the fix: https://github.com/ipfs/kubo/releases/tag/v0.28.0