Status: obsolete

python-pymongo-3.0.3-1.fc22

FEDORA-2015-3e4043f088 created by hguemar 9 years ago for Fedora 22

python-pymongo-3.0.3-1.fc21

  • Upstream 3.0.3
  • Fix CVE-2013-7440 (#1231231 #1231232)

python-pymongo-3.0.3-1.fc22

  • Upstream 3.0.3
  • Fix CVE-2013-7440 (#1231231 #1231232)

python-pymongo-3.0.3-1.el6

  • Upstream 3.0.3
  • Fix CVE-2013-7440 (#1231231 #1231232)

python-pymongo-3.0.3-1.el7

  • Upstream 3.0.3
  • Fix CVE-2013-7440 (#1231231 #1231232)

python-pymongo-3.0.3-1.fc23

  • Upstream 3.0.3
  • Fix CVE-2013-7440 (#1231231 #1231232)

This update has been submitted for testing by hguemar.

9 years ago

This update has been pushed to testing.

9 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes.

9 years ago
rbarlow commented & provided feedback (karma) 8 years ago

Please do not push this update out to stable! pymongo version 3 is not backwards compatible and will break its dependent packages! Also, the CVE this addresses is extremely low impact and is highly unlikely to happen in the real world as CAs do not issue certificates like this. If we want to fix the CVE, the correct thing to do is to backport a patch, not to raise the version in a way that breaks dependencies.

This update has been unpushed.

This update has been submitted for testing by hguemar.

8 years ago
hguemar commented & provided feedback 8 years ago

@rbarlow: come up with concrete examples where this update breaks a package.

hguemar commented & provided feedback 8 years ago

@rbarlow: come up with concrete examples where this update breaks any package. OpenStack packages require v3.

rbarlow commented & provided feedback (karma) 8 years ago

This update breaks Pulp, which depends on python-pymongo through python-mongoengine:

https://bugzilla.redhat.com/show_bug.cgi?id=1298427

Also, the CVE's impact is listed as low and taking advantage of it is listed as complex. These evaluations were made by the secteam.

rbarlow commented & provided feedback 8 years ago

Furthermore, the backwards incompatibility of this change is well documented here and is extensive:

https://api.mongodb.org/python/current/changelog.html#changes-in-version-3-0

mhrivnak commented & provided feedback (karma) 8 years ago

As observed by rbarlow, this would potentially break a lot of projects: anyone who uses pymongo in Fedora.

jcline provided feedback (karma) 8 years ago

pcreech17 commented & provided feedback (karma) 8 years ago

Per the update policy, under the "Philosophy" section,

"Releases of the Fedora distribution are like releases of the individual packages that compose it. A major version number reflects a more-or-less stable set of features and functionality. As a result, we should avoid major updates of packages within a stable release. Updates should aim to fix bugs, and not introduce features, particularly when those features would materially affect the user or developer experience. The update rate for any given release should drop off over time, approaching zero near release end-of-life; since updates are primarily bugfixes, fewer and fewer should be needed over time."

https://fedoraproject.org/wiki/Updates_Policy

This is a major version update of the package, breaking backwards compatibility with the previous major version. I suggest finding an alternate solution.

It is already noted here that this will break functionality for one package (Pulp).

This update has been submitted for testing by hguemar.

8 years ago
hguemar commented & provided feedback 8 years ago

Pulp is not in F22.

rbarlow commented & provided feedback (karma) 8 years ago

This is inappropriate. The update policy does not say that it only applies for dependencies that are in Fedora - you are NOT to make backwards incompatible changes. Many projects depend on the distribution to be stable. Do not push this change again.


Metadata
Type: security
Severity: high
Karma: -4
Signed
Content Type: RPM
Test Gating
Autopush Settings
  Unstable by Karma: -3
  Stable by Karma: 1
  Stable by Time: disabled
Thresholds
  Minimum Karma: +1
  Minimum Testing: 7 days
Dates
  submitted: 9 years ago
  in testing: 9 years ago
BZ#1210043 Mongoengine require pymongo 2.7.1
BZ#1231231 CVE-2013-7440 CVE-2013-2099 python-pymongo: various flaws [fedora-all]
BZ#1231232 CVE-2013-7440 CVE-2013-2099 python-pymongo: various flaws [epel-all]