Uploaded image for project: 'Java Driver'
  1. Java Driver
  2. JAVA-4696

Upgrade libmongocrypt dependency to 1.5.2

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Blocker - P1 Blocker - P1
    • 4.7.1
    • Affects Version/s: None
    • Component/s: Client Side Encryption
    • None
    • Hide

      DRIVERS-2403:
      Release libmongocrypt bindings and/or drivers to use libmongocrypt 1.5.2 ASAP to provide a fix for MONGOCRYPT-464.

      If possible, pull the affected bindings releases (using libmongocrypt 1.5.0 or 1.5.1) from package managers concurrently with releasing the new package.

      Use the following blurb for release notes:

      """
      Fix a potential data corruption bug in RewrapManyDataKey when rotating encrypted data encryption keys backed by GCP or Azure key services.

      The following conditions will trigger this bug:

      A GCP-backed or Azure-backed data encryption key being rewrapped requires fetching an access token for decryption of the data encryption key.

      The result of this bug is that the key material for all data encryption keys being rewrapped is replaced by new randomly generated material, destroying the original key material.

      To mitigate potential data corruption, upgrade to this version or higher before using RewrapManyDataKey to rotate Azure-backed or GCP-backed data encryption keys. A backup of the key vault collection should always be taken before key rotation.
      """

      Upgrading to 1.5.2 will result in test failures in some CSFLE unified specification tests with an error like "The parameter is incorrect. HTTP status=400". See DRIVERS-2404 for instructions to update the tests.

      Show
      DRIVERS-2403: Release libmongocrypt bindings and/or drivers to use libmongocrypt 1.5.2 ASAP to provide a fix for MONGOCRYPT-464. If possible, pull the affected bindings releases (using libmongocrypt 1.5.0 or 1.5.1) from package managers concurrently with releasing the new package. Use the following blurb for release notes: """ Fix a potential data corruption bug in RewrapManyDataKey when rotating encrypted data encryption keys backed by GCP or Azure key services. The following conditions will trigger this bug: A GCP-backed or Azure-backed data encryption key being rewrapped requires fetching an access token for decryption of the data encryption key. The result of this bug is that the key material for all data encryption keys being rewrapped is replaced by new randomly generated material, destroying the original key material. To mitigate potential data corruption, upgrade to this version or higher before using RewrapManyDataKey to rotate Azure-backed or GCP-backed data encryption keys. A backup of the key vault collection should always be taken before key rotation. """ Upgrading to 1.5.2 will result in test failures in some CSFLE unified specification tests with an error like "The parameter is incorrect. HTTP status=400". See DRIVERS-2404 for instructions to update the tests.

      This ticket was split from DRIVERS-2403, please see that ticket for a detailed description.

            Assignee:
            ross@mongodb.com Ross Lawley
            Reporter:
            dbeng-pm-bot PM Bot
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: