  1. Core Server
  2. SERVER-77383

".msi.sha256" files have incorrect shasum

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 7.1.0-rc0, 6.3.2, 6.0.7, 5.0.19, 4.4.23
    • Affects Version/s: 6.0.6, 4.4.22, 5.0.18
    • Component/s: None
    • Labels:
      None
    • Server Security
    • Fully Compatible
    • ALL
    • v7.0, v6.3, v6.0, v5.0, v4.4, v4.2

      Download any .msi and its .msi.sha256 from one of the affected versions. Compare the contents of the .sha256 file with the output of sha256sum (or Get-FileHash -Algorithm sha256 on Windows).

       

      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-4.4.22-signed.msi
      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-4.4.22-signed.msi.sha256
      $ cat mongodb-windows-x86_64-4.4.22-signed.msi.sha256
      b47270027451a262a3661ead2dc79861edca93efd096526c31c310c1b733851a mongodb-windows-x86_64-4.4.22.msi
      $ sha256sum mongodb-windows-x86_64-4.4.22-signed.msi
      95a021db597790008f2e7070fab4a7c3e0d30262f2305c615b95cb7b8afb4eed mongodb-windows-x86_64-4.4.22-signed.msi
      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-5.0.18-signed.msi
      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-5.0.18-signed.msi.sha256
      $ cat mongodb-windows-x86_64-5.0.18-signed.msi.sha256
      a42c5849ce363ea12cfa2dfa0ae825c302a905378afd8a8c9daf2abe34e93743 mongodb-windows-x86_64-5.0.18.msi
      $ sha256sum mongodb-windows-x86_64-5.0.18-signed.msi
      369e0cdc34c29290bfcc9d47569e1debad1b86010ea5e00aefd7c670717f434b mongodb-windows-x86_64-5.0.18-signed.msi
      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-6.0.6-signed.msi
      $ wget -q https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-6.0.6-signed.msi.sha256
      $ cat mongodb-windows-x86_64-6.0.6-signed.msi.sha256
      1a593fd9a018127a8c34cfacc83fe048c984c7030ce807f300830376d5596f9d mongodb-windows-x86_64-6.0.6.msi
      $ sha256sum mongodb-windows-x86_64-6.0.6-signed.msi
      585afad69ec57040b1a8f502a039c3fef160dccbe6c48c53e15adde9976724a6 mongodb-windows-x86_64-6.0.6-signed.msi

       

    • 4

      Following the docs to verify the Windows msi installer and the sha256 files are all incorrect. This now happens on all released versions (4.4.22, 5.0.18, 6.0.6); previous versions worked correctly (except for the RCs of these releases). Downloaded files all match the etag (md5sum) provided in http headers.

      All the msi urls are extracted from https://downloads.mongodb.org/current.json

      Thank you and hopefully this is filed in the right project.

            Assignee:
            tural.farhadov@mongodb.com Tural Farhadov
            Reporter:
            joseph.ferguson@docker.com Joseph Ferguson
            Votes:
            0
            Watchers:
            6

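The comparison from the reproduction steps, written as an added example (not code from the report or from MongoDB): it parses a sidecar in `sha256sum` format, compares digests, and separately flags a sidecar that names a different file than the one downloaded, as the sidecars in the transcript do (`...-4.4.22.msi` against the downloaded `...-4.4.22-signed.msi`). `sha256sum -c` opens the file named inside the sidecar, so this function takes the download path explicitly; the function names and return codes are assumptions of the example.

```shell
#!/bin/sh
# Added example, not MongoDB tooling. Assumes sha256sum or shasum is on PATH.

# Print the lowercase hex SHA-256 of file $1.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1"
    else shasum -a 256 < "$1"; fi | cut -d' ' -f1
}

# check_sidecar FILE SIDECAR
#   0  digest matches and the sidecar names FILE
#   1  digest mismatch (the condition reported in this issue)
#   2  digest matches but the sidecar names a different file
#   3  unreadable input, or sidecar is not "<64 hex digits> <name>"
check_sidecar() {
    file=$1 sidecar=$2
    [ -r "$file" ] && [ -r "$sidecar" ] || return 3
    # sha256sum line: digest, whitespace, optional '*' (binary mode), name
    read -r want name < "$sidecar" || [ -n "$want" ] || return 3
    name=${name#\*}
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
    case $want in ''|*[!0-9a-f]*) return 3 ;; esac
    [ "${#want}" -eq 64 ] || return 3
    base=${file##*/}
    [ "$name" = "$base" ] || echo "note: sidecar names '$name', not '$base'" >&2
    got=$(sha256_of "$file") || return 3
    if [ "$got" != "$want" ]; then
        echo "MISMATCH $base: expected $want, got $got" >&2
        return 1
    fi
    [ "$name" = "$base" ] || return 2
    echo "OK $base"
}
```

Call it as `check_sidecar mongodb-windows-x86_64-4.4.22-signed.msi mongodb-windows-x86_64-4.4.22-signed.msi.sha256` and branch on the return code rather than on the printed text.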