   openSUSE Security Update: Security update for kubo
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2025:0288-1
Rating:             moderate
References:         #1241776
Cross-References:   CVE-2025-22872
CVSS scores:
                    CVE-2025-22872 (SUSE): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Affected Products:
                    openSUSE Backports SLE-15-SP7
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for kubo fixes the following issues:

   - 0.35.0
     * Opt-in HTTP Retrieval client
     * Dedicated Reprovider.Strategy for MFS
     * Experimental support for MFS as a FUSE mount point
     * Grid view in WebUI
     * Enhanced DAG-Shaping Controls
     * Datastore Metrics Now Opt-In
     * Improved performance of data onboarding
     * Optimized, dedicated queue for providing fresh CIDs
     * New Provider configuration options
     * Deprecated ipfs stats provider
     * New Bitswap configuration options
       * Bitswap.Libp2pEnabled
       * Bitswap.ServerEnabled
       * Internal.Bitswap.ProviderSearchMaxResults
     * New Routing configuration options
       * Routing.IgnoreProviders
       * Routing.DelegatedRouters
     * New Pebble database format config
     * New environment variables
     * Improved Log Output Setting
     * New Repo Lock Optional Wait
     * Updated golang.org/x/net to 0.40.0 (boo#1241776, CVE-2025-22872)

   - Update to 0.34.1
     - for details see
       * https://github.com/ipfs/kubo/releases/tag/v0.34.1
     * Dependency updates

   - Update to 0.34.0
     - for details see
       * https://github.com/ipfs/kubo/releases/tag/v0.34.0
     * AutoTLS now enabled by default for nodes with 1 hour uptime
     * New WebUI features: CAR file import and QR code sharing
     * RPC and CLI command changes
       ~ ipfs config is now validating json fields
       ~ Deprecated the bitswap reprovide command
       ~ The stats reprovide command now shows additional stats
       ~ ipfs files cp now performs basic codec check
     * Bitswap improvements from Boxo
     * IPNS publishing TTL change
       ~ we've lowered the default IPNS Record TTL during publishing to
         5 minutes
     * IPFS_LOG_LEVEL deprecated
     * Pebble datastore format update
     * Badger datastore update
     * Datastore Implementation Updates
     * Fix hanging pinset operations during reprovides
     * Important dependency updates

   - Update to 0.33.1
     - for details see
       * https://github.com/ipfs/kubo/releases/tag/v0.33.1
     * Bitswap improvements from Boxo
     * Improved IPNS interop

   - Update to 0.33.0
     - for details see
       * https://github.com/ipfs/kubo/releases/tag/v0.33.0
     * Shared TCP listeners: Kubo now supports sharing the same TCP port
       (4001 by default) by both raw TCP and WebSockets libp2p transports.
     * AutoTLS takes care of Secure WebSockets setup: It is no longer
       necessary to manually add /tcp/../ws listeners to Addresses.Swarm
       when AutoTLS.Enabled is set to true. Kubo will detect if /ws
       listener is missing and add one on the same port as pre-existing
       TCP (e.g. /tcp/4001), removing the need for any extra configuration.
     * Bitswap improvements from Boxo
     * Using default libp2p_rcmgr metrics: Bespoke rcmgr metrics were
       removed, Kubo now exposes only the default libp2p_rcmgr metrics
       from go-libp2p.
     * Flatfs does not sync on each write: New repositories initialized
       with flatfs in Datastore.Spec will have sync set to false.
     * ipfs add --to-files no longer works with --wrap
     * ipfs --api supports HTTPS RPC endpoints
     * New options for faster writes: WriteThrough, BlockKeyCacheSize,
       BatchMaxNodes, BatchMaxSize
     * MFS stability with large number of writes
     * New DoH resolvers for non-ICANN DNSLinks: .eth and .crypto
     * Reliability improvements to the WebRTC Direct listener
     * Fix: Escape Redirect URL for Directory

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP7:

      zypper in -t patch openSUSE-2025-288=1

Package List:

   - openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

      kubo-0.35.0-bp157.2.3.1

References:

   https://www.suse.com/security/cve/CVE-2025-22872.html
   https://bugzilla.suse.com/1241776
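
To confirm that the patch instructions above took effect on a host, the installed kubo version-release can be compared with the fixed one from the package list. This is an added example, not part of the openSUSE announcement; the function names `evr_at_least` and `kubo_status` are hypothetical, and GNU `sort -V` is assumed as a stand-in for RPM's own version ordering.

```shell
#!/bin/sh
# Added example (not from the advisory): check whether the installed kubo
# package is at or above the fixed version-release from the package list.

# Fixed version-release, taken from "kubo-0.35.0-bp157.2.3.1" in the advisory.
FIXED_EVR="0.35.0-bp157.2.3.1"

# evr_at_least INSTALLED FIXED
# Succeeds when INSTALLED sorts at or above FIXED.
# Assumption: `sort -V` ordering approximates RPM version comparison; the two
# agree for dotted numeric version-release strings such as the ones used here.
evr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# kubo_status [INSTALLED_EVR]
# Prints "patched", "needs-update" or "not-installed".
# With no argument the installed version-release is read from the RPM database;
# passing one allows checking inventory data collected from other hosts.
kubo_status() {
    installed="${1:-}"
    if [ -z "$installed" ]; then
        installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kubo 2>/dev/null) || {
            echo "not-installed"
            return 2
        }
    fi
    if evr_at_least "$installed" "$FIXED_EVR"; then
        echo "patched"
    else
        # Older builds predate the golang.org/x/net 0.40.0 update that the
        # advisory lists as the fix for CVE-2025-22872.
        echo "needs-update"
        return 1
    fi
}
```

On an openSUSE Backports SLE-15-SP7 host, call `kubo_status` with no argument after running `zypper in -t patch openSUSE-2025-288=1`; a non-zero return code makes it usable in a compliance check.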