<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:37:03 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
<language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[GODRIVER-1748] CVE-2019-11254 - Known vulnerability in yaml.v2 v2.2.2</title>
                <link>https://jira.mongodb.org/browse/GODRIVER-1748</link>
                <project id="14289" key="GODRIVER">Go Driver</project>
                    <description>&lt;p&gt;The latest version of mongo-go-driver imports 2 packages which in turn import gopkg.in/yaml.v2 v2.2.2; this has a vulnerability identified in &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2019-11254&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2019-11254&lt;/a&gt; and was first exposed in the Kubernetes API: &lt;a href=&quot;https://github.com/kubernetes/kubernetes/issues/89535&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/kubernetes/kubernetes/issues/89535&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The 2 packages are:&lt;/p&gt;

&lt;p&gt;github.com/pelletier/go-toml@v1.4.0&lt;/p&gt;

&lt;p&gt;github.com/stretchr/testify@v1.4.0&lt;/p&gt;

&lt;p&gt;The current versions of both packages are patched to a higher level of the yaml package.&lt;/p&gt;</description>
                <environment></environment>
        <key id="1469959">GODRIVER-1748</key>
            <summary>CVE-2019-11254 - Known vulnerability in yaml.v2 v2.2.2</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="divjot.arora@mongodb.com">Divjot Arora</assignee>
                                    <reporter username="nicholas_beenham@cable.comcast.com">Nicholas Beenham</reporter>
                        <labels>
                    </labels>
                <created>Thu, 10 Sep 2020 19:12:51 +0000</created>
                <updated>Sat, 28 Oct 2023 11:38:02 +0000</updated>
                            <resolved>Fri, 25 Sep 2020 20:33:36 +0000</resolved>
                                    <version>1.4.1</version>
                                    <fixVersion>1.4.2</fixVersion>
                                    <component>Core API</component>
                                        <votes>0</votes>
                                    <watches>2</watches>
                <comments>
                            <comment id="3412609" author="divjot.arora" created="Fri, 25 Sep 2020 20:33:36 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=nicholas_beenham%40cable.comcast.com&quot; class=&quot;user-hover&quot; rel=&quot;nicholas_beenham@cable.comcast.com&quot;&gt;nicholas_beenham@cable.comcast.com&lt;/a&gt;&#160;Once again, thanks for bringing this to our attention! It required some back and forth, but we&apos;ve upgraded all required dependencies to ensure that we only depend on go-yaml v2.2.8 and higher. I&apos;ve backported this work so it will be available in the upcoming 1.4.2 release.&lt;/p&gt;

&lt;p&gt;&amp;#8211; Divjot&lt;/p&gt;</comment>
                            <comment id="3412602" author="xgen-internal-githook" created="Fri, 25 Sep 2020 20:31:56 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Divjot Arora&apos;, &apos;email&apos;: &apos;divjot.arora@10gen.com&apos;, &apos;username&apos;: &apos;divjotarora&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/GODRIVER-1748&quot; title=&quot;CVE-2019-11254 - Known vulnerability in yaml.v2 v2.2.2&quot; class=&quot;issue-link&quot; data-issue-key=&quot;GODRIVER-1748&quot;&gt;&lt;del&gt;GODRIVER-1748&lt;/del&gt;&lt;/a&gt; Upgrade transitive go-yaml dependency (#505)&lt;/p&gt;

&lt;p&gt;This commit upgrades our direct aws-sdk-go, go-toml and testify&lt;br/&gt;
dependencies, which transitively depend on go-yaml to address&lt;br/&gt;
CVE-2019-11254.&lt;br/&gt;
Branch: release/1.4&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/commit/44a08b7d04549d3f72d94aa926a633f583650c84&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-go-driver/commit/44a08b7d04549d3f72d94aa926a633f583650c84&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3412589" author="xgen-internal-githook" created="Fri, 25 Sep 2020 20:28:41 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Divjot Arora&apos;, &apos;email&apos;: &apos;divjot.arora@10gen.com&apos;, &apos;username&apos;: &apos;divjotarora&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/GODRIVER-1748&quot; title=&quot;CVE-2019-11254 - Known vulnerability in yaml.v2 v2.2.2&quot; class=&quot;issue-link&quot; data-issue-key=&quot;GODRIVER-1748&quot;&gt;&lt;del&gt;GODRIVER-1748&lt;/del&gt;&lt;/a&gt; Upgrade transitive go-yaml dependency (#505)&lt;/p&gt;

&lt;p&gt;This commit upgrades our direct aws-sdk-go, go-toml and testify&lt;br/&gt;
dependencies, which transitively depend on go-yaml to address&lt;br/&gt;
CVE-2019-11254.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/commit/93c2b896c41e4f14bfaa701588522c89f22b48ef&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-go-driver/commit/93c2b896c41e4f14bfaa701588522c89f22b48ef&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3405287" author="divjot.arora" created="Tue, 22 Sep 2020 14:50:06 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=nicholas_beenham%40cable.comcast.com&quot; class=&quot;user-hover&quot; rel=&quot;nicholas_beenham@cable.comcast.com&quot;&gt;nicholas_beenham@cable.comcast.com&lt;/a&gt;&#160;Thanks for keeping us posted on the developments for this. I&apos;ve opened&#160;&lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/pull/505&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-go-driver/pull/505&lt;/a&gt;&#160;to upgrade our go-toml, testify, and aws-sdk-go dependencies.&lt;/p&gt;</comment>
                            <comment id="3404948" author="JIRAUSER1256900" created="Tue, 22 Sep 2020 12:11:21 +0000"  >&lt;p&gt;&lt;a href=&quot;https://github.com/aws/aws-sdk-go/blob/v1.34.28/go.mod&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/aws/aws-sdk-go/blob/v1.34.28/go.mod&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You should be good now, the latest release has the updated package&lt;/p&gt;</comment>
                            <comment id="3402015" author="JIRAUSER1256900" created="Sat, 19 Sep 2020 00:26:57 +0000"  >&lt;p&gt;Looks like the latest go-jmespath@0.4.0 has been updated; I think we&apos;ll see aws-sdk-go updated shortly.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/aws/aws-sdk-go/pull/3546&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/aws/aws-sdk-go/pull/3546&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3401189" author="divjot.arora" created="Fri, 18 Sep 2020 16:31:43 +0000"  >&lt;p&gt;Thanks for the update. I&apos;ll keep an eye on it. Once that&apos;s merged, we&apos;d have to wait for a new go-jmespath release and then ask for aws-sdk-go to upgrade to that release. I&apos;m not really sure what the right state for this ticket is at this time because there&apos;s no work for us to do here, but I also don&apos;t want it to get lost in the backlog, so I&apos;m going to leave it in &quot;Investigating&quot;. I&apos;ve subscribed to notifications on the go-jmespath PR so we can move forward once we see progress there.&lt;/p&gt;

&lt;p&gt;&amp;#8211; Divjot&lt;/p&gt;</comment>
                            <comment id="3401181" author="JIRAUSER1256900" created="Fri, 18 Sep 2020 16:29:03 +0000"  >&lt;p&gt;Someone beat me to it by half an hour! &lt;a href=&quot;https://github.com/jmespath/go-jmespath/pull/55&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/jmespath/go-jmespath/pull/55&lt;/a&gt;: there is a PR open to update based on the CVE.&lt;/p&gt;</comment>
                            <comment id="3400919" author="divjot.arora" created="Fri, 18 Sep 2020 14:49:10 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=nicholas_beenham%40cable.comcast.com&quot; class=&quot;user-hover&quot; rel=&quot;nicholas_beenham@cable.comcast.com&quot;&gt;nicholas_beenham@cable.comcast.com&lt;/a&gt; I think you&apos;d have to reach out to github.com/jmespath/go-jmespath because v0.3.0 is the latest release of that module and it imports testify@v1.5.1, but testify&apos;s gopkg.in/yaml dependency wasn&apos;t bumped to v3 until v1.6.0.&lt;/p&gt;</comment>
                            <comment id="3399179" author="JIRAUSER1256900" created="Thu, 17 Sep 2020 14:49:48 +0000"  >&lt;p&gt;Thanks! I&apos;m going to reach out to AWS and see what they are going to do about the SDK.&lt;/p&gt;</comment>
                            <comment id="3397930" author="divjot.arora" created="Wed, 16 Sep 2020 20:54:40 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=nicholas_beenham%40cable.comcast.com&quot; class=&quot;user-hover&quot; rel=&quot;nicholas_beenham@cable.comcast.com&quot;&gt;nicholas_beenham@cable.comcast.com&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;Thanks for reporting this vulnerability. I&apos;m working on upgrading the packages, but am running into a dead end. I upgraded testify and go-toml to the most recent versions, but&#160;gopkg.in/yaml.v2 v2.2.2 still shows up in our go.sum. I then upgraded aws-sdk-go to its latest version (v1.34.25) as it relied on an older testify version. v1.2.2 of gopkg.in/yaml.v2 is still showing up in go.sum.&lt;/p&gt;

&lt;p&gt;Running &quot;go mod graph&quot; shows this chain:&lt;/p&gt;

&lt;p&gt;github.com/aws/aws-sdk-go@v1.34.25 -&amp;gt; github.com/jmespath/go-jmespath@v0.3.0&lt;/p&gt;

&lt;p&gt;github.com/jmespath/go-jmespath@v0.3.0 github.com/stretchr/testify@v1.5.1&lt;/p&gt;

&lt;p&gt;github.com/stretchr/testify@v1.5.1 gopkg.in/yaml.v2@v2.2.2&lt;/p&gt;

&lt;p&gt;Do you know if this will still be problematic? If it helps, my work so far is at&#160;&lt;a href=&quot;https://github.com/divjotarora/mongo-go-driver/tree/godriver1748-yaml-upgrade&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/divjotarora/mongo-go-driver/tree/godriver1748-yaml-upgrade&lt;/a&gt;.&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hxpna7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>