[SERVER-48273] Backport CVE fixes from yaml-cpp v0.6.3 to v0.6.2
Created: 18/May/20  Updated: 29/Oct/23  Resolved: 20/May/20

Status: Closed
Project: Core Server
Component/s: Build
Affects Version/s: 4.5 Desired
Fix Version/s: 4.4.0-rc7, 4.7.0

Type: Task
Priority: Major - P3
Reporter: Ryan Egesdahl (Inactive)
Assignee: Ryan Egesdahl (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
related to SERVER-48391 Bring yaml-cpp into mongodb-forks Backlog
Backwards Compatibility: Fully Compatible
Sprint: Dev Platform 2020-06-01
Participants:

 Description   

We had a request to upgrade yaml-cpp to 0.6.3+ to get some CVE fixes (see SERVER-44081). Unfortunately, at least one unfixed breaking change is preventing us from doing that right now (see SERVER-43980). What we will do instead is to backport the CVE fixes and then see if we can work with the developer to get a version 0.6.4+ released that we can build against.



 Comments   
Comment by Githook User [ 20/May/20 ]

Author:

{'name': 'Ryan Egesdahl', 'email': 'ryan.egesdahl@mongodb.com', 'username': 'deriamis'}

Message: SERVER-48273 SERVER-48273 Backport yaml-cpp CVE fixes from 0.6.3 to 0.6.2

Backport the following yaml-cpp CVE fixes from version 0.6.3 to version 0.6.2:

  • CVE-2019-6292
  • CVE-2019-6285

Also, backport one fix from 0.6.3 for failing VS2017 builds.

We were previously downloading a source archive for yaml-cpp. To support
easily backporting fixes, it's changed to use git instead.

(cherry picked from commit 1845ea31140161354ff6308296bde3436d0bd5f9)
Branch: v4.4
https://github.com/mongodb/mongo/commit/3bb9020468cdb5a7ab028ece70604aa349e509df

Comment by Githook User [ 20/May/20 ]

Author:

{'name': 'Ryan Egesdahl', 'email': 'ryan.egesdahl@mongodb.com', 'username': 'deriamis'}

Message: SERVER-48273 SERVER-48273 Backport yaml-cpp CVE fixes from 0.6.3 to 0.6.2

Backport the following yaml-cpp CVE fixes from version 0.6.3 to version 0.6.2:

  • CVE-2019-6292
  • CVE-2019-6285

Also, backport one fix from 0.6.3 for failing VS2017 builds.

We were previously downloading a source archive for yaml-cpp. To support
easily backporting fixes, it's changed to use git instead.
Branch: master
https://github.com/mongodb/mongo/commit/1845ea31140161354ff6308296bde3436d0bd5f9
