Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 551496 (CVE-2015-4410) - <dev-ruby/bson-3.0.4: DoS and possible injection (CVE-2015-4410)
Summary: <dev-ruby/bson-3.0.4: DoS and possible injection (CVE-2015-4410)
Status: RESOLVED FIXED
Alias: CVE-2015-4410
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-08 13:03 UTC by Agostino Sarubbo
Modified: 2015-09-08 05:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-06-08 13:03:49 UTC
From ${URL} :

Egor Homakov recently disclosed a vulnerability in the `bson` rubygem as
seen here: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html

Could we please get a CVE?

By submitting a specially crafted string to a service relying on the bson
rubygem, an attacker may trigger denials of service or even inject data
into victim's MongoDB instances.

Users are advised to update to versions >= 3.0.4 of the `bson` rubygem.
Relevant commits can be seen here:
https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Hans de Graaff gentoo-dev 2015-06-08 19:12:47 UTC
bson-3.0.4 is now in the tree. There are no stable versions.
Comment 2 Agostino Sarubbo gentoo-dev 2015-06-09 07:40:33 UTC
(In reply to Hans de Graaff from comment #1)
> bson-3.0.4 is now in the tree. There are no stable versions.

Are the old version affected? If yes you need to cleanup.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2015-07-06 13:11:02 UTC
Please Cleanup:
1.6.2-r1, 1.12.0, 2.3.0
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2015-08-10 15:04:42 UTC
It has been 30 day, please cleanup!
Comment 5 Manuel Rüger (RETIRED) gentoo-dev 2015-08-10 15:37:03 UTC
./dev-ruby/mongo/mongo-1.12.0.ebuild:ruby_add_rdepend "~dev-ruby/bson-${PV}"
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2015-09-08 05:44:26 UTC
Maintainer(s), Thank you for you for cleanup.

Thank you all. Closing as noglsa.