Update MongoDB & Tools from 3.6.12 to 3.6.18 #73

Open
fbuchmeier opened this issue May 28, 2020 · 2 comments

@fbuchmeier

Due to a security issue in 3.6.12 () the package should be updated to 3.6.18 (http://downloads.mongodb.org/linux/mongodb-linux-x86_64-3.6.18.tgz)

https://jira.mongodb.org/browse/SERVER-45472
CVE-2020-7921

We have already updated the release internally but since we don't have access to the underlying blobstore I don't think it would be possible to create a pull request for this:

diff --git a/README.md b/README.md
index 4fb0844..ed43d0c 100644
--- a/README.md
+++ b/README.md
@@ -47,9 +47,9 @@ This version exclude the rocksdb engine, which is not supported anymore.

 | Package         | Version     | Note                  |
 | --------------- | ----------- | --------------------- |
-| mongodb         | `3.6.12`    |                       |
+| mongodb         | `3.6.18`    |                       |
 | ~~mongo-rocks~~ | ~~`3.4.7`~~ | Not supported anymore |
-| mongo-tools     | `3.6.12`    |                       |
+| mongo-tools     | `3.6.18`    |                       |
 | ~~rocksdb~~     | ~~`3.4.7`~~ | Not supported anymore |


diff --git a/config/blobs.yml b/config/blobs.yml
index 0e81202..9518f8f 100644
--- a/config/blobs.yml
+++ b/config/blobs.yml
@@ -2,10 +2,9 @@ cf-cli/cf-cli_6.30.0_linux_x86-64.tgz:
   size: 5909858
   object_id: e57130b7-9c58-447b-43b2-bd83770093cf
   sha: 10a795927fd6f03f1b7212f21ac508e6278270fd
-mongodb/mongodb-linux-x86_64-3.6.12.tar.gz:
-  size: 100307521
-  object_id: 4f4284a7-9755-4340-714a-70291712c2b9
-  sha: 5a145cccd202aab0764b326f1e7503f246b8d506
+mongodb/mongodb-linux-x86_64-3.6.18.tar.gz:
+  size: 100717642
+  sha: sha256:aedd36ba22a81e2fed6e2b3b38ee38976bde027d9e323fef82127424fc1ebb7e
 openjdk/openjdk.tar.gz:
   size: 126476497
   object_id: eb5177af-ce3b-4dfd-657d-ae9b84a255a7
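
Review bot: The added `mongodb/mongodb-linux-x86_64-3.6.18.tar.gz` entry has no `object_id`, unlike the 3.6.12 entry it replaces and the neighbouring `cf-cli` and `openjdk` entries, which suggests the blob has not been uploaded to the release blobstore; a maintainer with blobstore access needs to upload it so the `object_id` is filled in. The `sha` value also changes from a bare 40-hex digest to a `sha256:`-prefixed one, and whoever uploads the blob should recompute that digest from an independently downloaded copy of the upstream archive rather than copy it from this issue.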
diff --git a/mongodb_version b/mongodb_version
index 81c117c..c241e96 100644
--- a/mongodb_version
+++ b/mongodb_version
@@ -1 +1 @@
-3.6.12
\ No newline at end of file
+3.6.18
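
Review bot: The new `mongodb_version` content ends with a newline where the old `3.6.12` did not (`\ No newline at end of file` follows only the removed line). Check that whatever reads this file trims whitespace before the value is used to build a path or a blob file name.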

Thanks!

Florian.

@JCL38-ORANGE
Collaborator

Hello Florian,

Thanks for your feedback.
It is a documentation problem.
Our latest bosh release includes the mongodb product 4.0.13.
@jraverdy-orange
Regards,
Jean-Christophe.

@fbuchmeier
Author

Hi Jean-Christophe,

this means you won't be supporting 3.6.x anymore? (security updates)

In this case, 4.013 is also affected by this CVE as described in the linked JIRA Ticket:

4.0 versions prior to 4.0.15;
4.3 versions prior to 4.3.3;
3.6 versions prior to 3.6.18.

Regards,
Florian.
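
The version ranges quoted in the last comment can be checked mechanically against a release's `config/blobs.yml`. The following is an added example, not code from this thread or from the project: it assumes blob keys follow the `mongodb/mongodb-linux-x86_64-X.Y.Z.tar.gz` pattern seen in the patch, takes the fixed-in versions exactly as listed in the thread, and uses a constructed sample that includes a hypothetical 4.0.13 entry.

```python
import re

# Fixed-in version per release series, as listed in the thread for CVE-2020-7921.
FIXED_IN = {(3, 6): (3, 6, 18), (4, 0): (4, 0, 15), (4, 3): (4, 3, 3)}

# Matches blob keys such as "mongodb/mongodb-linux-x86_64-3.6.12.tar.gz:".
BLOB_KEY = re.compile(
    r"^mongodb/mongodb-linux-x86_64-(\d+)\.(\d+)\.(\d+)\.tar\.gz:", re.M
)


def is_affected(version):
    """True/False for a series listed in FIXED_IN, None for an unlisted series."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return None  # the thread gives no range for this series
    return version < fixed  # tuple comparison orders 3.6.2 before 3.6.18


def audit_blobs(blobs_yml):
    """Return {version string: is_affected} for every MongoDB blob key found."""
    result = {}
    for match in BLOB_KEY.finditer(blobs_yml):
        version = tuple(int(part) for part in match.groups())
        result[".".join(map(str, version))] = is_affected(version)
    return result


# Constructed sample: the old and new keys from the patch above, plus a
# hypothetical 4.0.13 blob (name and size are assumptions for illustration).
SAMPLE = """\
mongodb/mongodb-linux-x86_64-3.6.12.tar.gz:
  size: 100307521
mongodb/mongodb-linux-x86_64-3.6.18.tar.gz:
  size: 100717642
mongodb/mongodb-linux-x86_64-4.0.13.tar.gz:
  size: 0
"""

if __name__ == "__main__":
    for ver, affected in audit_blobs(SAMPLE).items():
        status = "AFFECTED" if affected else "ok" if affected is False else "unlisted series"
        print(ver, status)
```
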
