Debian-LTS has issued an advisory on August 24: https://www.debian.org/lts/security/2020/dla-2344 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
This is Joseph's territory.
Assignee: bugsquad => joequant
Status comment: (none) => Package should be dropped due to license issues
CC: (none) => joequant
The version of mongodb in Mageia is 4.1.4 and the CVE doesn't have the 4.1 branch as being vulnerable.
If 4.0 and 4.2 are vulnerable, surely 4.1 is as well.
I get the sense 4.1 isn't a stable branch. Here are the upstream commits from 4.0 and 4.2:
https://github.com/mongodb/mongo/commit/7e28f4296a04d858a2e3dd84a1e79c9ba59a9568
https://github.com/mongodb/mongo/commit/444dab325b5351ddd566da1d5365ec8728a06634
I think that we should do like the other Linux distributions (most of them) and remove mongodb because of the Server Side Public License (SSPLv1). This is not considered a Free licence. This is in French, but we really can't keep mongodb in Mageia.
https://www.dsfc.net/infrastructure/base-de-donnees-infrastructure/licence-sspl-migration-en-vue-mongodb-vers-postgresql/
https://www.zdnet.fr/actualites/mongodb-la-nouvelle-licence-sspl-fait-grincer-des-dents-dans-l-open-source-39879413.htm
CC: (none) => mageia
Agreed, this has pretty much been the consensus each of the multiple times it has been discussed on the dev list the past couple of years. I've added it to task-obsolete for the next time it gets pushed.
Closing then.
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Nope, still has to be dealt with in Mageia 7.
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
Version: Cauldron => 7
Status comment: Package should be dropped due to license issues => Patches available from upstream and Debian
Whiteboard: MGA7TOO => (none)
Patch added in mga7:
src:
- mongodb-4.1.4-6.1.mga7
Assignee: joequant => qa-bugs
Status comment: Patches available from upstream and Debian => (none)
Package list:
mongodb-4.1.4-6.1.mga7
mongodb-server-4.1.4-6.1.mga7
Advisory:
========================

Updated mongodb packages fix security vulnerability:

A denial of service vulnerability was discovered in mongodb whereby a user authorized to perform database queries may issue specially crafted queries, which violate an invariant in the query subsystem's support for geoNear (CVE-2020-7923).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7923
https://www.debian.org/lts/security/2020/dla-2344
$ uname -a
Linux linux.local 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 7 packages are going to be installed:
- lib64boost_program_options1.68.0-1.68.0-4.mga7.x86_64
- lib64pcrecpp0-8.44-1.mga7.x86_64
- lib64snappy1-1.1.7-2.mga7.x86_64
- lib64tcmalloc4-2.7-2.mga7.x86_64
- lib64yaml-cpp0.6-0.6.2-1.mga7.x86_64
- mongodb-4.1.4-6.1.mga7.x86_64
- mongodb-server-4.1.4-6.1.mga7.x86_64
102MB of additional disk space will be used.

----

Went into system and started mongod service, next went to terminal:

$ mongo

It spews forth information.

This code I borrowed from: https://docs.mongodb.com/manual/reference/sql-comparison/

> db.people.insertOne( {
... user_id: "abc123",
... age: 55,
... status: "A"
... } )

It reported back successful.

> db.people.insertOne( { user_id: "Brian", age: 25, status: "F" } )

It reported back successful.

To query I ran:

> db.people.find()
{ "_id" : ObjectId("606df7fea48d4e3a3666b12d"), "user_id" : "abc123", "age" : 55, "status" : "A" }
{ "_id" : ObjectId("606df86aa48d4e3a3666b12e"), "user_id" : "Brian", "age" : 25, "status" : "F" }

It returned back the rows. It works from this limited test.
CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 11.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory committed to SVN.
CVE: (none) => CVE-2020-7923
CC: (none) => ouaurelien
Status: REOPENED => ASSIGNED
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0177.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED