| Summary: | mongodb new security issue CVE-2020-7923 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, joequant, mageia, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | mongodb-4.1.4-15.mga8.src.rpm | CVE: | CVE-2020-7923 |
| Status comment: | | | |
Description
David Walser 2020-08-27 22:33:21 CEST

David Walser 2020-08-27 23:37:26 CEST
Whiteboard: (none) => MGA7TOO
This is Joseph's territory.
Assignee: bugsquad => joequant

David Walser 2020-12-27 20:24:24 CET
Status comment: (none) => Package should be dropped due to license issues

David Walser 2020-12-27 20:24:36 CET
CC: (none) => joequant

The version of mongodb in Mageia is 4.1.4 and the CVE doesn't have the 4.1 branch as being vulnerable. If 4.0 and 4.2 are vulnerable, surely 4.1 is as well. I get the sense 4.1 isn't a stable branch. Here are the upstream commits from 4.0 and 4.2:
https://github.com/mongodb/mongo/commit/7e28f4296a04d858a2e3dd84a1e79c9ba59a9568
https://github.com/mongodb/mongo/commit/444dab325b5351ddd566da1d5365ec8728a06634

I think that we should do like the other Linux distributions (most of them) and remove mongodb because of the Server Side Public License (SSPLv1). This is not considered a Free licence. This is in French, but we really can't keep mongodb in Mageia.
https://www.dsfc.net/infrastructure/base-de-donnees-infrastructure/licence-sspl-migration-en-vue-mongodb-vers-postgresql/
https://www.zdnet.fr/actualites/mongodb-la-nouvelle-licence-sspl-fait-grincer-des-dents-dans-l-open-source-39879413.htm
CC: (none) => mageia

Agreed, this has pretty much been the consensus each of the multiple times it has been discussed on the dev list the past couple of years. I've added it to task-obsolete for the next time it gets pushed.

Closing then.
Resolution: (none) => FIXED

Nope, still has to be dealt with in Mageia 7.
Resolution: FIXED => (none)

Patch added in mga7:
src:
- mongodb-4.1.4-6.1.mga7
Assignee: joequant => qa-bugs

Package list:
mongodb-4.1.4-6.1.mga7
mongodb-server-4.1.4-6.1.mga7

Advisory:
========================

Updated mongodb packages fix security vulnerability:

A denial of service vulnerability was discovered in mongodb whereby a user authorized to perform database queries may issue specially crafted queries, which violate an invariant in the query subsystem's support for geoNear (CVE-2020-7923).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7923
https://www.debian.org/lts/security/2020/dla-2344

```
$ uname -a
Linux linux.local 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```

The following 7 packages are going to be installed:
- lib64boost_program_options1.68.0-1.68.0-4.mga7.x86_64
- lib64pcrecpp0-8.44-1.mga7.x86_64
- lib64snappy1-1.1.7-2.mga7.x86_64
- lib64tcmalloc4-2.7-2.mga7.x86_64
- lib64yaml-cpp0.6-0.6.2-1.mga7.x86_64
- mongodb-4.1.4-6.1.mga7.x86_64
- mongodb-server-4.1.4-6.1.mga7.x86_64

102MB of additional disk space will be used.

----

Went into the system and started the mongod service. Next went to the terminal:

```
$ mongo
```

It spews forth information. This code I borrowed from: https://docs.mongodb.com/manual/reference/sql-comparison/

```
> db.people.insertOne( {
...   user_id: "abc123",
...   age: 55,
...   status: "A"
... } )
```

It reported back successful.

```
> db.people.insertOne( { user_id: "Brian", age: 25, status: "F" } )
```

It reported back successful. To query I ran:

```
> db.people.find()
{ "_id" : ObjectId("606df7fea48d4e3a3666b12d"), "user_id" : "abc123", "age" : 55, "status" : "A" }
{ "_id" : ObjectId("606df86aa48d4e3a3666b12e"), "user_id" : "Brian", "age" : 25, "status" : "F" }
```

It returned back the rows. It works from this limited test.
CC: (none) => brtians1

Validating. Advisory in Comment 11.
CC: (none) => andrewsfarm, sysadmin-bugs

Advisory committed to SVN.
CVE: (none) => CVE-2020-7923

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0177.html
Resolution: (none) => FIXED
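The QA test above exercises the server but does not show whether the installed package is actually the fixed build from the advisory. The check below is an added example, not part of this bug report or of Mageia's own tooling: it implements RPM's version ordering in Python (epoch first, then version, then release; each string split into digit and alphabetic segments, digits compared numerically, a numeric segment ranking above an alphabetic one, the leftover-segment rule deciding ties; the tilde and caret rules are left out) and compares the installed mongodb-server EVR against the advisory's fixed version 4.1.4-6.1.mga7. The pre-update value 4.1.4-6.mga7 used in the comments is constructed for illustration, not taken from the page, and `installed_evr` assumes the `rpm` binary is on the path.

```python
import re
import subprocess

# Fixed EVR taken from the advisory's package list (Mageia 7).
FIXED_EVR = "4.1.4-6.1.mga7"

# RPM splits a version string into runs of digits and runs of letters;
# every other character is a separator and carries no meaning.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does.

    Returns 1 if a is newer, -1 if b is newer, 0 if equal.
    (Tilde and caret handling is omitted for brevity.)
    """
    seg_a = _SEGMENT.findall(a)
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            # Numeric segments compare as integers, so "15" > "6".
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x_num != y_num:
            # A numeric segment is newer than an alphabetic one,
            # so "6.1.mga7" > "6.mga7" (segment "1" beats "mga").
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over wins.
    if len(seg_a) != len(seg_b):
        return 1 if len(seg_a) > len(seg_b) else -1
    return 0


def split_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release).

    rpm prints '(none)' for an unset epoch; treat that, and a missing
    epoch, as 0.
    """
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Order two EVR strings: epoch, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    if c:
        return c
    return rpmvercmp(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_EVR) -> bool:
    """True when the installed EVR is at or past the advisory's fixed EVR."""
    return evrcmp(installed, fixed) >= 0


def installed_evr(package: str = "mongodb-server") -> str:
    """Ask rpm for the installed EVR of a package (assumes rpm on the path)."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", package],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip().splitlines()[0]


if __name__ == "__main__":
    evr = installed_evr()
    verdict = "fixed" if is_fixed(evr) else "STILL VULNERABLE"
    print(f"mongodb-server {evr}: {verdict} (fixed in {FIXED_EVR})")
```

Run it on the updated test box and it should report the 4.1.4-6.1.mga7 build as fixed; the comparison is done on the full EVR rather than a string prefix so that a later rebuild (a higher release, or a higher epoch) is also accepted.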