Provide updated MongoDB package

Bug #1800780 reported by Adam Heczko
Affects            | Status       | Importance | Assigned to      | Milestone
Mirantis OpenStack | Fix Released | Low        | Denis Meltsaykin |

Bug Description

Detailed bug description:
It was observed that the MongoDB server 2.6.10 package shipping with MOS is outdated / vulnerable.
Please provide an updated mongodb package.
https://www.cvedetails.com/vulnerability-list/vendor_id-12752/product_id-25450/version_id-229559/Mongodb-Mongodb-2.6.10.html

Expected results:
Fix affecting CVE.

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/trusty/mongodb (9.0)

Fix proposed to branch: 9.0
Change author: Denis V. Meltsaykin <email address hidden>
Review: https://review.fuel-infra.org/39625

Changed in mos:
status: New → In Progress
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/mongodb (9.0)

Reviewed: https://review.fuel-infra.org/39625
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0

Commit: 690970ee535db9b6dfa42cc7d166aeaa13c2ff3e
Author: Denis V. Meltsaykin <email address hidden>
Date: Fri Nov 2 17:47:51 2018

Resolve CVE-2016-6494

The source of the patch:
 https://launchpad.net/debian/+source/mongodb/1:2.6.12-3

Change-Id: I5532011f87aa79f866c8448412b4f29b1e712381
Closes-Bug: #1800780

Changed in mos:
status: In Progress → Fix Committed
Changed in mos:
milestone: none → 9.2-mu-9
Mikhail Samoylov (msamoylov) wrote :

Verified here.
[root@nailgun ~]# yum info mongodb
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * mos9.0-base: mirror.seed-us1.fuel-infra.org
 * mos9.0-security: mirror.seed-us1.fuel-infra.org
 * mos9.0-updates: mirror.seed-us1.fuel-infra.org
 * mos92-updates: mirror.seed-us1.fuel-infra.org
15833 packages excluded due to repository priority protections
Available Packages
Name : mongodb
Arch : x86_64
Version : 3.0.6
Release : 2.el7~mos2
Size : 11 M
Repo : temporary-3
Summary : High-performance, schema-free document-oriented database
URL : http://www.mongodb.org
License : AGPLv3 and zlib and ASL 2.0
Description : Mongo (from "humongous") is a high-performance, open source, schema-free
            : document-oriented database. MongoDB is written in C++ and offers the following
            : features:
            : * Collection oriented storage: easy storage of object/JSON-style data
            : * Dynamic queries
            : * Full index support, including on inner objects and embedded arrays
            : * Query profiling
            : * Replication and fail-over support
            : * Efficient storage of binary data including large objects (e.g. photos
            : and videos)
            : * Auto-sharding for cloud-level scalability (currently in early alpha)
            : * Commercial Support Available
            :
            : A key goal of MongoDB is to bridge the gap between key/value stores (which are
            : fast and highly scalable) and traditional RDBMS systems (which are deep in
            : functionality).

cat /etc/yum.repos.d/temporary-3.repo
[temporary-3]
name=temporary-3
baseurl=http://mirror.seed-cz1.fuel-infra.org/mos-repos/centos/mos9.0-centos7/snapshots/os-2017-04-18-120411/x86_64/
gpgcheck=0
priority=1

[root@nailgun ~]# fuel fuel-version
api: '1'
auth_required: true
feature_groups: []
openstack_version: mitaka-9.0
release: '9.2'

Changed in mos:
status: Fix Committed → Fix Released
status: Fix Released → Confirmed
Mikhail Samoylov (msamoylov) wrote :

Bad previous comment.
I checked the same for the controller node.
And we can see that we have the vulnerable version of mongo in our repos.
[root@nailgun ~]# fuel nodes
id | status | name | cluster | ip | mac | roles | pending_roles | online | group_id
---+--------+---------------------+---------+------------+-------------------+------------+---------------+--------+---------
 1 | ready | slave-02_controller | 1 | 10.109.0.4 | 64:15:bc:41:e6:a0 | controller | | 1 | 1
 3 | ready | slave-03_controller | 1 | 10.109.0.5 | 64:1a:b2:f3:a0:1d | controller | | 1 | 1
 2 | ready | slave-01_controller | 1 | 10.109.0.3 | 64:98:fd:1f:0f:03 | controller | | 1 | 1
 4 | ready | slave-05_compute | 1 | 10.109.0.7 | 64:03:68:8e:0b:9e | compute | | 1 | 1
 5 | ready | slave-04_compute | 1 | 10.109.0.6 | 64:64:3f:c7:aa:fb | compute | | 1 | 1
[root@nailgun ~]# ssh 10.109.0.4
Warning: Permanently added '10.109.0.4' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-139-generic x86_64)

 * Documentation: https://help.ubuntu.com/
Last login: Fri Nov 16 10:12:47 2018 from 10.109.0.2
root@node-1:~# apt-cache policy mongodb
mongodb:
  Installed: (none)
  Candidate: 1:2.6.10-0u~u14.04+mos2
  Version table:
     1:2.6.10-0u~u14.04+mos2 0
       1050 http://10.109.0.2:8080/mitaka-9.0/ubuntu/x86_64/ mos9.0/main amd64 Packages
     1:2.4.9-1ubuntu2 0
       1001 http://mirror.seed-cz1.fuel-infra.org/pkgs/snapshots/ubuntu-2018-11-14-000001/ trusty/universe amd64 Packages

Mikhail Samoylov (msamoylov) wrote :

The previous two comments were incorrect.
The package was patched and uploaded to the repos.
root@node-1:~# apt-cache policy mongodb
mongodb:
  Installed: (none)
  Candidate: 1:2.6.10-0u~u14.04+mos2
  Version table:
     1:2.6.10-0u~u14.04+mos4 0
        500 http://mirror.fuel-infra.org/mos-repos/ubuntu/snapshots/9.0-2018-11-05-112333/ mos9.0-proposed/main amd64 Packages
     1:2.6.10-0u~u14.04+mos2 0
       1050 http://mirror.fuel-infra.org/mos-repos/ubuntu/snapshots/9.0-2018-11-05-112333/ mos9.0/main amd64 Packages
     1:2.4.9-1ubuntu2 0
       1001 http://mirror.seed-cz1.fuel-infra.org/pkgs/snapshots/ubuntu-2018-11-14-000001/ trusty/universe amd64 Packages

Changed in mos:
status: Confirmed → Fix Released
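The verification comments above turn on one distinction: a fixed build that is merely published in a repository versus one that APT would actually select on the node. Below is an added example, not part of this bug report or of any MOS tooling, that parses `apt-cache policy` output (a constructed sample carrying the same values as the controller-node output above) and reports whether the fixed version is installed, is the Candidate, is published but shadowed by a higher pin priority, or is absent altogether.

```python
import re

# Constructed sample with the controller-node values from this bug: the fixed
# mos4 build sits in mos9.0-proposed at pin 500, the older mos2 build in
# mos9.0 is pinned at 1050, so mos2 stays the Candidate on a plain upgrade.
SAMPLE_POLICY = """\
mongodb:
  Installed: (none)
  Candidate: 1:2.6.10-0u~u14.04+mos2
  Version table:
     1:2.6.10-0u~u14.04+mos4 0
        500 http://mirror.fuel-infra.org/mos-repos/ubuntu/snapshots/9.0-2018-11-05-112333/ mos9.0-proposed/main amd64 Packages
     1:2.6.10-0u~u14.04+mos2 0
       1050 http://mirror.fuel-infra.org/mos-repos/ubuntu/snapshots/9.0-2018-11-05-112333/ mos9.0/main amd64 Packages
     1:2.4.9-1ubuntu2 0
       1001 http://mirror.seed-cz1.fuel-infra.org/pkgs/snapshots/ubuntu-2018-11-14-000001/ trusty/universe amd64 Packages
"""

def parse_policy(text):
    """Return (installed, candidate, {version: (pin_priority, suite)})."""
    installed = candidate = None
    table, current = {}, None
    for line in text.splitlines():
        if line.startswith("  Installed:"):
            installed = line.split(":", 1)[1].strip()
        elif line.startswith("  Candidate:"):
            candidate = line.split(":", 1)[1].strip()
        elif re.match(r"^ {5}\S+ \d+$", line):       # "     <version> <pin>"
            current = line.split()[0]
        else:
            m = re.match(r"^\s+(\d+) \S+ (\S+) ", line)  # "<prio> <url> <suite>"
            if m and current:
                table[current] = (int(m.group(1)), m.group(2))
    return installed, candidate, table

def assess(policy_text, fixed_version):
    """Say whether this host will really receive the build carrying the fix."""
    installed, candidate, table = parse_policy(policy_text)
    if installed == fixed_version:
        return "installed", ""
    if candidate == fixed_version:
        return "candidate", ""
    if fixed_version in table:
        # Published, but an older build wins the pin: apt-get upgrade keeps the
        # vulnerable package until the fix is promoted or the pin is changed.
        fp, fs = table[fixed_version]
        cp, cs = table.get(candidate, (None, None))
        return "shadowed", f"{fixed_version} pin {fp} ({fs}) vs {candidate} pin {cp} ({cs})"
    return "missing", ""
```

Calling `assess(SAMPLE_POLICY, "1:2.6.10-0u~u14.04+mos4")` on the sample yields `shadowed`, which is the state to watch for when a security build is staged in a proposed repository: the package exists, yet nodes keep installing the older pinned build.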
This report contains Public Security information. Everyone can see this security related information.
