Bug 27212 - mongodb new security issue CVE-2020-7923
Summary: mongodb new security issue CVE-2020-7923
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-08-27 22:33 CEST by David Walser
Modified: 2021-04-12 22:02 CEST (History)
6 users (show)

See Also:
Source RPM: mongodb-4.1.4-15.mga8.src.rpm
CVE: CVE-2020-7923
Status comment:


Description David Walser 2020-08-27 22:33:21 CEST
Debian-LTS has issued an advisory on August 24:

Mageia 7 is also affected.
David Walser 2020-08-27 23:37:26 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-08-28 20:10:06 CEST
This is Joseph's territory.

Assignee: bugsquad => joequant

David Walser 2020-12-27 20:24:24 CET

Status comment: (none) => Package should be dropped due to license issues

David Walser 2020-12-27 20:24:36 CET

CC: (none) => joequant

Comment 2 Joseph Wang 2020-12-28 11:15:23 CET
The version of mongodb in Mageia is 4.1.4 and the CVE doesn't have the 4.1 branch as being vulnerable.
Comment 3 David Walser 2020-12-28 12:58:12 CET
If 4.0 and 4.2 are vulnerable, surely 4.1 is as well.
Comment 4 David Walser 2020-12-28 12:59:24 CET
I get the sense 4.1 isn't a stable branch.

Here's the upstream commits from 4.0 and 4.2:
Comment 5 Nicolas Lécureuil 2020-12-28 22:48:49 CET
i think that we should do like the other linux distributions ( mostly of them ) and remove mongodb becaues of the Server Side Public License (SSPLv1).

This is not considered like a Free licence

this is in french but we really can't keep mongodb in mageia.



CC: (none) => mageia

Comment 6 David Walser 2020-12-28 23:47:14 CET
Agreed, this has pretty much been the consensus each of the multiple times it has been discussed on the dev list the past couple of years.

I've added it to task-obsolete for the next time it gets pushed.
Comment 7 Nicolas Lécureuil 2020-12-28 23:55:31 CET
closing then.

Resolution: (none) => FIXED

Comment 8 David Walser 2020-12-28 23:56:53 CET
Nope, still has to be dealt with in Mageia 7.

Resolution: FIXED => (none)
Version: Cauldron => 7
Status comment: Package should be dropped due to license issues => Patches available from upstream and Debian
Whiteboard: MGA7TOO => (none)

Comment 9 Nicolas Lécureuil 2021-03-25 21:53:20 CET
patch added in mga7:

    - mongodb-4.1.4-6.1.mga7

Assignee: joequant => qa-bugs
Status comment: Patches available from upstream and Debian => (none)

Comment 10 David Walser 2021-03-26 20:54:49 CET
Package list:
Comment 11 David Walser 2021-03-26 21:10:13 CET

Updated mongodb packages fix security vulnerability:

A denial of service vulnerability was discovered in mongodb whereby a user
authorized to perform database queries may issue specially crafted queries,
which violate an invariant in the query subsystem's support for geoNear

Comment 12 Brian Rockwell 2021-04-07 20:27:48 CEST
$ uname -a
Linux linux.local 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 7 packages are going to be installed:

- lib64boost_program_options1.68.0-1.68.0-4.mga7.x86_64
- lib64pcrecpp0-8.44-1.mga7.x86_64
- lib64snappy1-1.1.7-2.mga7.x86_64
- lib64tcmalloc4-2.7-2.mga7.x86_64
- lib64yaml-cpp0.6-0.6.2-1.mga7.x86_64
- mongodb-4.1.4-6.1.mga7.x86_64
- mongodb-server-4.1.4-6.1.mga7.x86_64

102MB of additional disk space will be used.


went into system and started mongod service

next went to terminal

$ mongo

it spews forth information

This code I borrowed from:  https://docs.mongodb.com/manual/reference/sql-comparison/

> db.people.insertOne( {
...     user_id: "abc123",
...     age: 55,
...     status: "A"
...  } )

It reported back successful

> db.people.insertOne( {     user_id: "Brian",     age: 25,     status: "F"  } )

it reported back successful

to query I ran:

> db.people.find()
{ "_id" : ObjectId("606df7fea48d4e3a3666b12d"), "user_id" : "abc123", "age" : 55, "status" : "A" }
{ "_id" : ObjectId("606df86aa48d4e3a3666b12e"), "user_id" : "Brian", "age" : 25, "status" : "F" }

It returned back the rows.

It works from this limited test.

CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK

Comment 13 Thomas Andrews 2021-04-08 00:14:42 CEST
Validating. Advisory in Comment 11.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 14 Aurelien Oudelet 2021-04-12 17:03:35 CEST
Advisory committed to SVN.

CVE: (none) => CVE-2020-7923
CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 15 Mageia Robot 2021-04-12 22:02:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.