760827 – (CVE-2019-2392, CVE-2020-7925, CVE-2020-7928) <dev-db/mongodb-{4.0.20,4.2.10}: multiple vulnerabilities (CVE-2019-2392, CVE-2020-{7925,7928})

Bug 760827 (CVE-2019-2392, CVE-2020-7925, CVE-2020-7928) - <dev-db/mongodb-{4.0.20,4.2.10}: multiple vulnerabilities (CVE-2019-2392, CVE-2020-{7925,7928})

Summary: <dev-db/mongodb-{4.0.20,4.2.10}: multiple vulnerabilities (CVE-2019-2392, CVE...

Status:	IN_PROGRESS

Alias:	CVE-2019-2392, CVE-2020-7925, CVE-2020-7928

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:
Blocks:

Reported:	2020-12-20 08:11 UTC by John Helmert III
Modified:	2021-07-29 18:13 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	No

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-12-20 08:11:34 UTC

CVE-2019-2392 (https://jira.mongodb.org/browse/SERVER-43699):

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.

CVE-2020-7925 (https://jira.mongodb.org/browse/SERVER-49142):

Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.

CVE-2020-7928 (https://jira.mongodb.org/browse/SERVER-49404):

A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.


Maintainer, please proceed with stabilization when ready.

Comment 1 Sam James archtester

2021-01-18 01:34:54 UTC

ultrabug: ping, ready?

Comment 2 NATTkA bot gentoo-dev

2021-01-18 10:45:39 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-db/mongodb-4.2.10

Comment 3 Ultrabug gentoo-dev

2021-01-18 10:47:10 UTC

It's time we get rid of pmasked packages and vulnerable ones yes, I've done this first:

* commit 53e1b1668820ffaa146ca8806fd9e2a36e550662 (HEAD -> master, origin/master, origin/HEAD)
| Author: Alexys Jacob <ultrabug@gentoo.org>
| Date:   Mon Jan 18 11:40:51 2021 +0100
| 
|     dev-db/mongodb: drop pmasked and vulnerable wrt #760827
|     
|     Package-Manager: Portage-3.0.13, Repoman-3.0.2
|     Signed-off-by: Alexys Jacob <ultrabug@gentoo.org>
| ---
|  10 files changed, 945 deletions(-)

Comment 4 John Helmert III archtester

2021-01-18 16:27:08 UTC

(In reply to Ultrabug from comment #3)
> It's time we get rid of pmasked packages and vulnerable ones yes, I've done
> this first:
> 
> * commit 53e1b1668820ffaa146ca8806fd9e2a36e550662 (HEAD -> master,
> origin/master, origin/HEAD)
> | Author: Alexys Jacob <ultrabug@gentoo.org>
> | Date:   Mon Jan 18 11:40:51 2021 +0100
> | 
> |     dev-db/mongodb: drop pmasked and vulnerable wrt #760827
> |     
> |     Package-Manager: Portage-3.0.13, Repoman-3.0.2
> |     Signed-off-by: Alexys Jacob <ultrabug@gentoo.org>
> | ---
> |  10 files changed, 945 deletions(-)

How about 4.2.8? Do we need to stable 4.2.11?

Comment 5 Ultrabug gentoo-dev

2021-01-18 17:03:35 UTC

yes we need to stable 4.2.11 before we can get rid of 4.2.8

Comment 6 John Helmert III archtester

2021-01-18 21:43:47 UTC

(In reply to Ultrabug from comment #5)
> yes we need to stable 4.2.11 before we can get rid of 4.2.8

Ok, please proceed when ready then!

Comment 7 Sam James archtester

2021-01-28 03:02:05 UTC

(In reply to Ultrabug from comment #5)
> yes we need to stable 4.2.11 before we can get rid of 4.2.8

Ready?

Comment 8 Ultrabug gentoo-dev

2021-02-03 09:08:42 UTC

Yes please start stabilization, thank you!

Comment 9 Sam James archtester

2021-02-18 08:39:11 UTC

amd64 done

all arches done

Comment 10 John Helmert III archtester

2021-02-19 01:29:59 UTC

Please cleanup

Comment 11 Ultrabug gentoo-dev

2021-02-19 08:17:14 UTC

Cleanup done, tree is clean

Comment 12 John Helmert III archtester

2021-02-19 15:03:34 UTC

(In reply to Ultrabug from comment #11)
> Cleanup done, tree is clean

Thank you!

Comment 13 NATTkA bot gentoo-dev

2021-07-29 17:24:55 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 14 NATTkA bot gentoo-dev

2021-07-29 17:33:27 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 15 NATTkA bot gentoo-dev

2021-07-29 17:41:20 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 16 NATTkA bot gentoo-dev

2021-07-29 17:49:28 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 17 NATTkA bot gentoo-dev

2021-07-29 18:05:23 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 18 NATTkA bot gentoo-dev

2021-07-29 18:13:42 UTC

Package list is empty or all packages have requested keywords.