| Summary: | <dev-ruby/bson-3.0.4: DoS and possible injection (CVE-2015-4410) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | ruby |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2015/06/06/1 | ||
| Whiteboard: | ~3 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
bson-3.0.4 is now in the tree. There are no stable versions. (In reply to Hans de Graaff from comment #1) > bson-3.0.4 is now in the tree. There are no stable versions. Are the old version affected? If yes you need to cleanup. Please Cleanup: 1.6.2-r1, 1.12.0, 2.3.0 It has been 30 day, please cleanup! ./dev-ruby/mongo/mongo-1.12.0.ebuild:ruby_add_rdepend "~dev-ruby/bson-${PV}"
Maintainer(s), Thank you for you for cleanup. Thank you all. Closing as noglsa. |
From ${URL} : Egor Homakov recently disclosed a vulnerability in the `bson` rubygem as seen here: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html Could we please get a CVE? By submitting a specially crafted string to a service relying on the bson rubygem, an attacker may trigger denials of service or even inject data into victim's MongoDB instances. Users are advised to update to versions >= 3.0.4 of the `bson` rubygem. Relevant commits can be seen here: https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.