From ${URL}:
It was found that the mongod server did not correctly validate certain malformed BSON requests. A remote, unauthenticated attacker could use a specially crafted BSON message to crash a mongod server.
Upstream issue: https://jira.mongodb.org/browse/SERVER-17264
Upstream patches:
2.4 -- https://github.com/mongodb/mongo/commit/3a7e85ea1f672f702660e5472566234b1d19038e
2.6 -- https://github.com/mongodb/mongo/commit/8f1c734c7f1862180f607c241fb167640889efba
3.0 -- https://github.com/mongodb/mongo/commit/5285225e71c5c0652520ef99d0ae4ca24655f72f
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Thanks a lot mate. Yes, unaffected packages are in tree already, so please stabilize the following packages and drop the affected ones:
- mongodb-2.4.13.ebuild
- mongodb-2.6.8.ebuild
Or do you want a separate bug filed that depends on this one?
Arches, please test and mark stable:
=dev-db/mongodb-2.4.13
=dev-db/mongodb-2.6.8
Target keywords: "amd64 x86"
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Cleanup done, thx ago.
Arches and Maintainer(s), Thank you for your work. Vote: Yes
CVE-2015-1609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1609): MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request.
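The CVE text above attributes the crash to a crafted UTF-8 string inside a BSON request. As an added illustration, not MongoDB's code and not the upstream patches linked in the first comment, here is a small strict parser for a BSON subset that applies the two checks such a message has to survive: every length field is bounds-checked against the enclosing document before it is used, and every string is verified as well-formed UTF-8 (no overlongs, surrogates, or truncated sequences) before it is accepted. The function names, the BsonError type and the sample documents are constructed for this example.

```python
"""Strict BSON subset parser: bounds-checks every length field and
validates UTF-8 before accepting a string element.  Added example,
not MongoDB code; the sample documents at the bottom are constructed."""
import struct
from typing import Optional


class BsonError(ValueError):
    """Raised for any structural or encoding defect in the input."""


def valid_utf8(b: bytes) -> bool:
    """True only for well-formed UTF-8 per Unicode Table 3-7: no overlong
    forms, no surrogates, nothing above U+10FFFF, no truncated sequences."""
    i, n = 0, len(b)
    while i < n:
        c = b[i]
        if c < 0x80:
            i += 1
            continue
        if 0xC2 <= c <= 0xDF:
            need, lo, hi = 1, 0x80, 0xBF
        elif c == 0xE0:
            need, lo, hi = 2, 0xA0, 0xBF      # rejects overlong 3-byte forms
        elif 0xE1 <= c <= 0xEC or 0xEE <= c <= 0xEF:
            need, lo, hi = 2, 0x80, 0xBF
        elif c == 0xED:
            need, lo, hi = 2, 0x80, 0x9F      # rejects UTF-16 surrogates
        elif c == 0xF0:
            need, lo, hi = 3, 0x90, 0xBF      # rejects overlong 4-byte forms
        elif 0xF1 <= c <= 0xF3:
            need, lo, hi = 3, 0x80, 0xBF
        elif c == 0xF4:
            need, lo, hi = 3, 0x80, 0x8F      # rejects code points > U+10FFFF
        else:
            return False                      # 0x80-0xC1 and 0xF5-0xFF never lead
        if i + need >= n:
            return False                      # continuation bytes run past the buffer
        if not lo <= b[i + 1] <= hi:
            return False
        for j in range(2, need + 1):
            if not 0x80 <= b[i + j] <= 0xBF:
                return False
        i += need + 1
    return True


def parse_document(buf: bytes) -> dict:
    """Parse a BSON document holding string (0x02), int32 (0x10), bool (0x08)
    and null (0x0A) elements, raising BsonError on anything malformed."""
    if len(buf) < 5:
        raise BsonError("document shorter than minimum 5 bytes")
    (total,) = struct.unpack_from("<i", buf, 0)
    if total != len(buf):
        raise BsonError("declared length %d != actual %d" % (total, len(buf)))
    if buf[-1] != 0:
        raise BsonError("document not NUL-terminated")
    pos, end, out = 4, total - 1, {}
    while pos < end:
        etype = buf[pos]
        pos += 1
        nul = buf.find(b"\x00", pos, end)          # key is a cstring inside the doc
        if nul < 0:
            raise BsonError("unterminated element key")
        key = buf[pos:nul]
        if not valid_utf8(key):
            raise BsonError("invalid UTF-8 in element key")
        pos = nul + 1
        if etype == 0x02:
            if end - pos < 4:
                raise BsonError("string element truncated before length")
            (slen,) = struct.unpack_from("<i", buf, pos)
            pos += 4
            # slen counts the trailing NUL: it must be >= 1 and must fit inside
            # the enclosing document; an attacker-supplied value is never trusted.
            if slen < 1 or slen > end - pos:
                raise BsonError("string length %d out of bounds" % slen)
            if buf[pos + slen - 1] != 0:
                raise BsonError("string value not NUL-terminated")
            value = buf[pos:pos + slen - 1]
            if not valid_utf8(value):
                raise BsonError("invalid UTF-8 in string value")
            out[key.decode()] = value.decode()
            pos += slen
        elif etype == 0x10:
            if end - pos < 4:
                raise BsonError("int32 element truncated")
            out[key.decode()] = struct.unpack_from("<i", buf, pos)[0]
            pos += 4
        elif etype == 0x08:
            if end - pos < 1 or buf[pos] not in (0, 1):
                raise BsonError("bad boolean element")
            out[key.decode()] = bool(buf[pos])
            pos += 1
        elif etype == 0x0A:
            out[key.decode()] = None
        else:
            raise BsonError("unsupported element type 0x%02x" % etype)
    if pos != end:
        raise BsonError("element overran document end")
    return out


def build_doc(elements: bytes) -> bytes:
    body = elements + b"\x00"
    return struct.pack("<i", 4 + len(body)) + body


def str_elem(key: bytes, raw: bytes, declared: Optional[int] = None) -> bytes:
    """Encode a string element; `declared` lets a test lie about the length."""
    payload = raw + b"\x00"
    n = len(payload) if declared is None else declared
    return b"\x02" + key + b"\x00" + struct.pack("<i", n) + payload


def check(buf: bytes) -> Optional[str]:
    """None if `buf` parses cleanly, otherwise the rejection reason."""
    try:
        parse_document(buf)
        return None
    except BsonError as e:
        return str(e)


# Constructed inputs: one clean document and malformed variants of the kind
# a strict parser must refuse up front rather than fault on later.
GOOD = build_doc(str_elem(b"name", "héllo".encode("utf-8"))
                 + b"\x10n\x00" + struct.pack("<i", 42))
BAD = {
    "overlong":  build_doc(str_elem(b"s", b"\xc0\x80")),
    "surrogate": build_doc(str_elem(b"s", b"\xed\xa0\x80")),
    "truncated": build_doc(str_elem(b"s", b"\xe2\x82")),
    "huge_len":  build_doc(str_elem(b"s", b"ab", declared=0x7FFFFFFF)),
    "neg_len":   build_doc(str_elem(b"s", b"ab", declared=-1)),
    "zero_len":  build_doc(str_elem(b"s", b"ab", declared=0)),
    "bad_total": struct.pack("<i", 99) + GOOD[4:],
}

if __name__ == "__main__":
    print(parse_document(GOOD))
    for name, doc in BAD.items():
        print("%-10s -> %s" % (name, check(doc)))
```

The ordering matters: the length field is validated against the remaining document before any byte it describes is touched, and the UTF-8 check runs on the bounded slice only after the terminator has been confirmed, so a malformed message is rejected with an error rather than driving the parser out of bounds.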
GLSA Vote: Yes, new request filed
This issue was resolved and addressed in GLSA 201611-13 at https://security.gentoo.org/glsa/201611-13 by GLSA coordinator Aaron Bauman (b-man).