Bug 497540 (CVE-2012-6619) - <dev-db/mongodb-2.4.6-r2: memory over-read via incorrect BSON object length (CVE-2012-6619)
Status: RESOLVED FIXED
Alias: CVE-2012-6619
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Reported: 2014-01-08 16:22 UTC by Agostino Sarubbo
Modified: 2014-08-04 19:27 UTC
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-01-08 16:22:12 UTC
From ${URL} :

MongoDB was found to be affected by a memory over-read bug that can be used by an authenticated user (if applicable) to obtain raw MongoDB server process memory contents via incorrect BSON object length.

This issue does not seem to cross a security boundary under most deployments, but for some it could, like differently-privileged MongoDB users, data already deleted from the DB yet staying in process memory, or/and metadata that is not normally retrievable.

References:
http://seclists.org/oss-sec/2014/q1/27
http://blog.ptsecurity.com/2012/11/attacking-mongodb.html
https://github.com/cyberpunkych/attacking_mongodb (The files used for the attack demonstration.)


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
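As an added illustration of the defect class named above (this is example code written for this page, not MongoDB's parser or anything from the linked references), the following bounds-checked BSON walker shows the check that prevents such an over-read: the document's declared length, and every embedded string and sub-document length, is compared against the bytes actually received before any byte is read. The sample documents are hand-assembled for the example; the type subset handled and the nesting limit are choices made here, not MongoDB's.

```cpp
// Added example, not MongoDB's code: a bounds-checked BSON validator.
// It refuses any document whose declared lengths disagree with the bytes
// actually received, so a later decoder never reads past the buffer.
#include <cstddef>
#include <cstdint>
#include <vector>

// Little-endian int32 at buf[off..off+4). Caller has already bounds-checked.
static int32_t read_i32(const uint8_t* buf, size_t off) {
    uint32_t v = static_cast<uint32_t>(buf[off])
               | (static_cast<uint32_t>(buf[off + 1]) << 8)
               | (static_cast<uint32_t>(buf[off + 2]) << 16)
               | (static_cast<uint32_t>(buf[off + 3]) << 24);
    return static_cast<int32_t>(v);
}

// Advance pos past a NUL-terminated element name without crossing 'limit'.
static bool skip_cstring(const uint8_t* buf, size_t limit, size_t& pos) {
    while (pos < limit) {
        if (buf[pos++] == 0) return true;
    }
    return false;  // ran off the end before the terminator
}

// Returns true only if the document at buf[0..len) is internally consistent:
// header length within len, terminator present, every element size in range.
bool validate_document(const uint8_t* buf, size_t len, int depth = 0) {
    if (depth > 32 || len < 5) return false;          // nesting bound; int32 + 0x00 is the minimum
    int32_t declared = read_i32(buf, 0);
    if (declared < 5 || static_cast<size_t>(declared) > len) return false;  // the over-read case
    size_t end = static_cast<size_t>(declared);
    if (buf[end - 1] != 0) return false;              // document terminator
    size_t body_end = end - 1;                        // element list ends before the terminator
    size_t pos = 4;
    while (pos < body_end) {
        uint8_t type = buf[pos++];
        if (!skip_cstring(buf, body_end, pos)) return false;
        size_t remaining = body_end - pos;
        switch (type) {
            case 0x01: case 0x09: case 0x12:          // double, UTC datetime, int64: 8 bytes
                if (remaining < 8) return false;
                pos += 8; break;
            case 0x10:                                // int32
                if (remaining < 4) return false;
                pos += 4; break;
            case 0x08:                                // bool
                if (remaining < 1) return false;
                pos += 1; break;
            case 0x0A:                                // null: no payload
                break;
            case 0x02: {                              // string: int32 length (incl. NUL) + bytes
                if (remaining < 4) return false;
                int32_t slen = read_i32(buf, pos);
                pos += 4;
                if (slen < 1 || static_cast<size_t>(slen) > body_end - pos) return false;
                if (buf[pos + static_cast<size_t>(slen) - 1] != 0) return false;
                pos += static_cast<size_t>(slen);
                break;
            }
            case 0x03: case 0x04: {                   // embedded document / array: recurse
                if (remaining < 5) return false;
                int32_t sub = read_i32(buf, pos);
                if (sub < 5 || static_cast<size_t>(sub) > remaining) return false;
                if (!validate_document(buf + pos, static_cast<size_t>(sub), depth + 1)) return false;
                pos += static_cast<size_t>(sub);
                break;
            }
            default:
                return false;  // type this checker does not model: reject rather than guess its size
        }
    }
    return pos == body_end;
}

bool validate_document(const std::vector<uint8_t>& doc) {
    return validate_document(doc.data(), doc.size(), 0);
}

// Constructed sample inputs (hand-assembled for this example, not captured traffic).
std::vector<uint8_t> sample_ok() {            // {"a": 1}
    return {0x0C,0,0,0, 0x10,'a',0, 0x01,0,0,0, 0x00};
}
std::vector<uint8_t> sample_overdeclared() {  // same body, but the header claims 64 bytes
    return {0x40,0,0,0, 0x10,'a',0, 0x01,0,0,0, 0x00};
}
std::vector<uint8_t> sample_bad_string() {    // {"s": "hi"} with string length 0x7F000000
    return {0x0F,0,0,0, 0x02,'s',0, 0x00,0x00,0x00,0x7F, 'h','i',0, 0x00};
}
std::vector<uint8_t> sample_nested_ok() {     // {"o": {"a": 1}}
    return {0x14,0,0,0, 0x03,'o',0, 0x0C,0,0,0, 0x10,'a',0, 0x01,0,0,0, 0x00, 0x00};
}
std::vector<uint8_t> sample_truncated() {     // valid header promising 12 bytes, only 8 delivered
    std::vector<uint8_t> v = sample_ok();
    v.resize(8);
    return v;
}
```

The design point is that `len` (bytes actually in hand) is the only trusted quantity; every length field read from the message is checked against it, or against the remaining span derived from it, before the checker advances. Running the validator before handing a message to a decoder turns a silent over-read into a rejected request, which is also a reasonable place to emit a log line for detection.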
Comment 1 Ultrabug gentoo-dev 2014-07-23 15:43:34 UTC
FYI, removed offending version from tree.

+  23 Jul 2014; Ultrabug <ultrabug@gentoo.org> -mongodb-2.2.7.ebuild,
+  -files/mongodb-2.2-fix-sharedclient.patch,
+  -files/mongodb-2.2-fix-x86client.patch,
+  -files/mongodb-2.2-r1-fix-scons.patch,
+  -files/mongodb-2.2-r2-boost-1.50.patch:
+  drop old and vulnerable version wrt #497540
+
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-07-24 13:06:01 UTC
(In reply to Ultrabug from comment #1)
> FYI, removed offending version from tree.
> 
> 

In what version is the fix to this contained? The only version that is stable is 2.4.6-r2, do we need to stabilize? If so please let us know when the ebuild is ready for stabilization.
Comment 3 Ultrabug gentoo-dev 2014-07-24 18:54:41 UTC
(In reply to Yury German from comment #2)
> (In reply to Ultrabug from comment #1)
> > FYI, removed offending version from tree.
> > 
> > 
> 
> In what version is the fix to this contained? The only version that is
> stable is 2.4.6-r2, do we need to stabilize? If so please let us know when
> the ebuild is ready for  stabilization.

mongodb > 2.3.1

So no, we already have a stable and non-vulnerable version in tree, thank you.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-07-25 02:50:50 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2014-08-04 19:27:05 UTC
NO too, closing. Thanks everyone.