<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:46:32 UTC 2024
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CSHARP-3869] Update SharpCompress to remedy vulnerability</title>
                <link>https://jira.mongodb.org/browse/CSHARP-3869</link>
                <project id="10041" key="CSHARP">C# Driver</project>
                    <description>&lt;p&gt;There is a vulnerability in SharpCompress versions earlier than 0.29.0 as reported by Snyk: &lt;a href=&quot;https://snyk.io/vuln/SNYK-DOTNET-SHARPCOMPRESS-1585664&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://snyk.io/vuln/SNYK-DOTNET-SHARPCOMPRESS-1585664&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As noted in the comments below, the driver&apos;s usage of SharpCompress does not expose the vulnerability.&lt;/p&gt;

</description>
                <environment></environment>
        <key id="1878233">CSHARP-3869</key>
            <summary>Update SharpCompress to remedy vulnerability</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="10300" iconUrl="https://jira.mongodb.org/images/icons/priorities/medium.svg">Unknown</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="dmitry.lukyanov@mongodb.com">Dmitry Lukyanov</assignee>
                                    <reporter username="aleksander@idfy.io">Aleksander Sleire</reporter>
                        <labels>
                    </labels>
                <created>Mon, 20 Sep 2021 09:26:27 +0000</created>
                <updated>Sat, 28 Oct 2023 11:47:30 +0000</updated>
                            <resolved>Mon, 22 Nov 2021 16:27:05 +0000</resolved>
                                                    <fixVersion>2.14.0</fixVersion>
                                                        <votes>1</votes>
                                    <watches>6</watches>
                <comments>
                            <comment id="4205207" author="xgen-internal-githook" created="Mon, 22 Nov 2021 16:26:50 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Dmitry Lukyanov&apos;, &apos;email&apos;: &apos;dmitry.lukyanov@mongodb.com&apos;, &apos;username&apos;: &apos;DmitryLukyanov&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CSHARP-3869&quot; title=&quot;Update SharpCompress to remedy vulnerability&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CSHARP-3869&quot;&gt;&lt;del&gt;CSHARP-3869&lt;/del&gt;&lt;/a&gt;: Update SharpCompress to remedy vulnerability. (#690)&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-csharp-driver/commit/9e82a088cec2f98e5d7c85010ef783e0c20989e7&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-csharp-driver/commit/9e82a088cec2f98e5d7c85010ef783e0c20989e7&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4072573" author="dmitry.lukyanov" created="Mon, 20 Sep 2021 20:04:12 +0000"  >&lt;p&gt;Hey &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=aleksander%40idfy.io&quot; class=&quot;user-hover&quot; rel=&quot;aleksander@idfy.io&quot;&gt;aleksander@idfy.io&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;I&apos;ve checked your suggestion. Looking at the &lt;b&gt;Directory Traversal&lt;/b&gt; vulnerability description, it looks like we&apos;re safe now since the provided description says that it can be a problem only if &lt;a href=&quot;https://github.com/adamhathcock/sharpcompress/blob/cfef228afc7ca390f449efbca9de9d7d8db81182/src/SharpCompress/Common/ExtractionOptions.cs#L15&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;ExtractFullPath&lt;/a&gt; is set to true. Looking at the source code, it happens only in tests by default and we don&apos;t set this option in the driver, so likely we&apos;re safe now.&lt;/p&gt;

&lt;p&gt;However, it looks like a good enough idea to have the version of this dependency up to date in any case. Unfortunately, I see a bug in the latest versions that I filed &lt;a href=&quot;https://github.com/adamhathcock/sharpcompress/issues/617&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;. So I am moving this ticket to blocked until this issue is resolved.&lt;/p&gt;</comment>
                            <comment id="4071152" author="aleksander@idfy.io" created="Mon, 20 Sep 2021 13:02:51 +0000"  >&lt;p&gt;Interestingly, &lt;a href=&quot;https://www.site24x7.com/check-website-availability.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Site247&lt;/a&gt; says that the link does not work in America. &lt;/p&gt;

&lt;p&gt;This link should work: &lt;a href=&quot;https://snyk.io/vuln/nuget:sharpcompress&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://snyk.io/vuln/nuget:sharpcompress&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Can you see the &lt;b&gt;Directory Traversal&lt;/b&gt; vulnerability there?&lt;/p&gt;</comment>
                            <comment id="4071137" author="jeff.yemin" created="Mon, 20 Sep 2021 12:53:40 +0000"  >&lt;p&gt;Probably the website required you to log in.&lt;/p&gt;</comment>
                            <comment id="4071130" author="aleksander@idfy.io" created="Mon, 20 Sep 2021 12:50:16 +0000"  >&lt;p&gt;Hi Jeffrey,&#160;&lt;/p&gt;

&lt;p&gt;I don&apos;t know how it can produce a 404. It works for me in an incognito window:&#160;&lt;/p&gt;

&lt;p&gt;&lt;span class=&quot;image-wrap&quot; style=&quot;&quot;&gt;&lt;img src=&quot;https://jira.mongodb.org/secure/attachment/336050/336050_image-2021-09-20-14-50-06-298.png&quot; style=&quot;border: 0px solid black&quot; /&gt;&lt;/span&gt;&lt;/p&gt;</comment>
                            <comment id="4071123" author="jeff.yemin" created="Mon, 20 Sep 2021 12:47:25 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=aleksander%40idfy.io&quot; class=&quot;user-hover&quot; rel=&quot;aleksander@idfy.io&quot;&gt;aleksander@idfy.io&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The link you provided generates an HTTP 404.  Can you provide an updated link?&lt;/p&gt;

&lt;p&gt;Thanks.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                                                <inwardlinks description="is duplicated by">
                                        <issuelink>
            <issuekey id="1879474">CSHARP-3871</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                            <attachment id="336050" name="image-2021-09-20-14-50-06-298.png" size="164820" author="aleksander@idfy.io" created="Mon, 20 Sep 2021 12:50:07 +0000"/>
                            <attachment id="336058" name="image-2021-09-20-16-38-20-494.png" size="20816" author="dmitry.lukyanov@mongodb.com" created="Mon, 20 Sep 2021 13:38:21 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hzm4cn:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>