Bug 636200 (CVE-2017-15535) - <dev-db/mongodb-3.4.10: networkMessageCompressors configuration allows denial of service or memory modification
Summary: <dev-db/mongodb-3.4.10: networkMessageCompressors configuration allows denial...
Status: RESOLVED FIXED
Alias: CVE-2017-15535
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://jira.mongodb.org/browse/SERVE...
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-01 19:12 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-11-11 13:43 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Description Aleksandr Wagner (Kivak) 2017-11-01 19:12:01 UTC
CVE-2017-15535 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15535):

MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.

References:

https://jira.mongodb.org/browse/SERVER-31273

@ Maintainer(s): Please bump to a fixed ebuild.
Comment 1 Tomáš Mózes 2017-11-02 10:31:38 UTC
https://github.com/gentoo/gentoo/pull/6108
Comment 2 Ultrabug gentoo-dev 2017-11-05 18:15:43 UTC
Thanks to Tomáš we have the fixed 3.4.10 now.

I cleaned up all previous 3.4.x ebuilds from the tree; we should be good now.

Thanks!
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-07 01:20:55 UTC
(In reply to Ultrabug from comment #2)
> Thanks to Tomáš we have the fixed 3.4.10 now.
> 
> I cleaned up all previous 3.4.x ebuilds from the tree; we should be good now.
> 
> Thanks!

Thank you, downgrading it to ~3 since no stable version was affected.

GLSA Vote: No