[SERVER-85810] Investigate any known security vulnerabilities in S2 library

Created: 26/Jan/24
Updated: 05/Feb/24

Status: In Progress
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: Will Buerger
Assignee: Will Buerger
Resolution: Unresolved
Votes: 0
Labels: qi-geo
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related: is related to SERVER-84617 "Define a version for S2" (In Progress)
Participants:

Description

MongoDB vendored the S2 library in 2012 from an unversioned tarball, creating our own fork of the library. The library was made open source at google/s2geometry in 2015, and the first formally versioned release was made in 2019. The earliest release of S2 was published with no known security vulnerabilities, and the same has applied to all subsequent releases.

This ticket will track the efforts to investigate whether there were any vulnerabilities in the library that may have been fixed prior to the earliest release but not applied to our fork, with the goal of confirming our confidence that our version of the S2 library is secure. We'll review the public commits made between 2015 and 2019, and attempt to contact the S2 maintainers for more information.

