[ 
https://issues.apache.org/jira/browse/BEAM-9564?focusedWorklogId=407816&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-407816
 ]

ASF GitHub Bot logged work on BEAM-9564:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 23/Mar/20 10:26
            Start Date: 23/Mar/20 10:26
    Worklog Time Spent: 10m 
      Work Description: alexvanboxel commented on issue #11186: [BEAM-9564] 
Remove insecure ssl options from MongoDBIO
URL: https://github.com/apache/beam/pull/11186#issuecomment-602508337
 
 
   > I can inverse the order of the PRs if you prefer. Providing first the
   > valid replacement alternative
   > ([BEAM-9571](https://issues.apache.org/jira/browse/BEAM-9571)) and then the
   > removal of the method, we can even deprecate it and be more 'user friendly' if
   > you prefer. (I wanted to go ahead faster because this is a potential security
   > issue for users). WDYT?
   
   I'm afraid that when the second ticket doesn't make the release cut, this 
one could block users from upgrading... So if we can reverse the order this is 
more user friendly (they still need to change something)... and the security 
issue is not because it's a code vulnerability.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 407816)
    Time Spent: 1h 10m  (was: 1h)

> Remove insecure ssl options from MongoDBIO
> ------------------------------------------
>
>                 Key: BEAM-9564
>                 URL: https://issues.apache.org/jira/browse/BEAM-9564
>             Project: Beam
>          Issue Type: Improvement
>          Components: io-java-mongodb
>    Affects Versions: 2.21.0
>            Reporter: Ismaël Mejía
>            Assignee: Ismaël Mejía
>            Priority: Critical
>              Labels: backward-incompatible
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> The option MongoDBIO.withIgnoreSSLCertificate and 
> withSSLInvalidHostNameAllowed() are insecure by 
> design. We should not encourage users to be able to use them so better to 
> remove these options.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
