Hi everyone,
We’ve just released NServiceBus.Storage.MongoDB 3.0.3 and 2.3.3.
Fixed bugs
- #608 Newer versions of MongoDB.Driver cannot be used
- #603 CVE-2022-48282: Version range allows vulnerable version of MongoDB.Driver to be used
CVE-2022-48282
- The 3.0.3 version of this release includes a fix for CVE-2022-48282 that prevents vulnerable versions of MongoDB.Driver from being used.
- The 2.3.3 release is not able to fix the CVE because the unaffected versions of MongoDB.Driver would require a breaking change on the .NET Framework dependency. Users on .NET Framework are encouraged to use at least .NET Framework 4.7.2 and update the MongoDB.Driver package to version 2.19.0 or greater as recommended in the CVE.
How to know if you are affected
You are affected if you are attempting to upgrade MongoDB.Driver to a newer version.
Symptoms
The endpoint cannot be started because the cluster transaction mode is unknown.
When to upgrade
You should upgrade during your next maintenance window.
Where to get it
You can install the new versions of NServiceBus.Storage.MongoDB from NuGet.
With thanks,
The team in Particular
Please read our release policy for more details.