FEDORA-EPEL-2015-68a2c2db36

security update in Fedora EPEL 6 for python-pymongo

Status: pending 3 years ago

python-pymongo-3.0.3-1.fc21

  • Upstream 3.0.3
  • Fix CVE-2013-7440 (#1231231 #1231232)

python-pymongo-3.0.3-1.fc22

  • Upstream 3.0.3
  • Fix CVE-2013-7440 (#1231231 #1231232)

python-pymongo-3.0.3-1.el6

  • Upstream 3.0.3
  • Fix CVE-2013-7440 (#1231231 #1231232)

python-pymongo-3.0.3-1.el7

  • Upstream 3.0.3
  • Fix CVE-2013-7440 (#1231231 #1231232)

python-pymongo-3.0.3-1.fc23

  • Upstream 3.0.3
  • Fix CVE-2013-7440 (#1231231 #1231232)

Comments 9

This update has been submitted for testing by hguemar.

This update has been pushed to testing.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes.

This update has been unpushed.

Please do not push this update out to stable! pymongo version 3 is not backwards compatible and will break its dependent packages! Also, the CVE this addresses is extremely low impact and is highly unlikely to happen in the real world as CAs do not issue certificates like this. If we want to fix the CVE, the correct thing to do is to backport a patch, not to raise the version in a way that breaks dependencies.

karma: -1

Furthermore, the backwards incompatibility of this change is well documented here and is extensive:

https://api.mongodb.org/python/current/changelog.html#changes-in-version-3-0

Per the update policy, under the "Philosophy" section, "Releases of the Fedora distribution are like releases of the individual packages that compose it. A major version number reflects a more-or-less stable set of features and functionality. As a result, we should avoid major updates of packages within a stable release. Updates should aim to fix bugs, and not introduce features, particularly when those features would materially affect the user or developer experience. The update rate for any given release should drop off over time, approaching zero near release end-of-life; since updates are primarily bugfixes, fewer and fewer should be needed over time." https://fedoraproject.org/wiki/Updates_Policy

This is a major version update of the package, breaking backwards compatibility with the previous major version. I suggest finding an alternate solution. It is already noted here that this will break functionality for one package (Pulp).

karma: -1

rbarlow edited this update.

This update has been submitted for testing by rbarlow.

Content Type: RPM
Status: pending
Test Gating
Submitted by
Update Type: security
Update Severity: high
Karma: -2
stable threshold: 30
unstable threshold: -3
Autopush: Enabled
Dates: submitted 3 years ago, in testing 3 years ago, modified 3 years ago

Related Bugs 3

  • #1210043 Mongoengine require pymongo 2.7.1
  • #1231231 CVE-2013-7440 CVE-2013-2099 python-pymongo: various flaws [fedora-all]
  • #1231232 CVE-2013-7440 CVE-2013-2099 python-pymongo: various flaws [epel-all]
