Bug 798132 (CVE-2021-20326) - <dev-db/mongodb-{4.2.15,4.4.4}: DoS via crafted find query (CVE-2021-20326)
Summary: <dev-db/mongodb-{4.2.15,4.4.4}: DoS via crafted find query (CVE-2021-20326)
Status: IN_PROGRESS
Alias: CVE-2021-20326
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://jira.mongodb.org/browse/SERVE...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 809583
Blocks:
 
Reported: 2021-06-24 01:00 UTC by John Helmert III
Modified: 2021-10-21 16:52 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III 2021-06-24 01:00:16 UTC
CVE-2021-20326:

A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4.


Please stabilize mongodb-4.4.4.
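The bug title encodes the affected range as a Gentoo version atom, `<dev-db/mongodb-{4.2.15,4.4.4}`: anything on the 4.2 branch below 4.2.15 or on the 4.4 branch below 4.4.4 is treated as unfixed. The following is an added example, not code from this bug, from Gentoo or from MongoDB, that expands that atom into per-branch thresholds and classifies an installed `mongod` version against it. The `ATOM` constant is copied from the bug title; the sample version strings are constructed for illustration. One caveat the check makes visible: the CVE text above only names 4.4 versions prior to 4.4.4, while the 4.2.15 bound is the version Gentoo chose to stabilize, so a 5.0 install is reported as not covered by this atom rather than as fixed.

```python
"""Classify an installed mongod version against the Gentoo atom used in
this bug.  Added example; the atom below is the one from the bug title,
the sample inputs are constructed, and only the '<' operator is handled.
"""
import re

# Copied from the bug title: "<dev-db/mongodb-{4.2.15,4.4.4}"
ATOM = "<dev-db/mongodb-{4.2.15,4.4.4}"


def parse_version(text: str) -> tuple:
    """Extract a dotted version from a plain string ("4.4.3"), a tag
    ("v4.4.3") or the "db version v4.4.3" line that `mongod --version`
    prints, and return it as a tuple of ints for ordered comparison."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def parse_atom(atom: str) -> dict:
    """Expand "<cat/pkg-{a,b,...}" into {(major, minor): first fixed version}.
    Each listed version is taken as the fix boundary for its own branch."""
    m = re.fullmatch(r"<([\w-]+/[\w-]+)-\{([^}]+)\}", atom)
    if not m:
        raise ValueError(f"unsupported atom {atom!r} (only '<' with a brace list)")
    fixed = {}
    for ver in m.group(2).split(","):
        v = parse_version(ver.strip())
        fixed[v[:2]] = v
    return fixed


def status(installed: str, atom: str = ATOM) -> str:
    """Return 'affected' (below the branch's fixed version), 'fixed'
    (at or above it) or 'not-covered' (branch absent from the atom, e.g.
    5.0 here, which the bug says is not being stabilized yet)."""
    v = parse_version(installed)
    fixed = parse_atom(atom)
    branch = v[:2]
    if branch not in fixed:
        return "not-covered"
    return "affected" if v < fixed[branch] else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, not real server output
    for sample in ("db version v4.4.3", "4.4.4", "v4.2.14", "4.2.15", "5.0.2"):
        print(f"{sample:>20}: {status(sample)}")
```

Feed it the first line of `mongod --version` (or the result of `db.version()` from the shell) to decide whether a host still needs the stabilized package; the comparison is done on integer tuples, so "4.4.10" correctly sorts above "4.4.4".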
Comment 1 Sam James 2021-08-09 22:29:42 UTC
(Removing glibc-2.34 blocker bug).
Comment 2 Sam James 2021-08-20 01:48:46 UTC
Shall we? (Please file a new bug and have this bug depend on it.)
Comment 3 Tomáš Mózes 2021-08-20 15:22:52 UTC
I'd wait for https://github.com/gentoo/gentoo/pull/22052 to be merged and then stabilize the latest 4.2 and 4.4.
Comment 4 Tomáš Mózes 2021-08-20 15:50:01 UTC
I'm also doing a binary package to deploy on some servers to test the glibc-2.34 patch (probably during the next week).
Comment 5 Ultrabug 2021-08-20 18:12:27 UTC
I cleaned up some useless versions already; please proceed.
Comment 6 John Helmert III 2021-08-21 19:28:26 UTC
It's unclear to me which versions are actually fixed for each branch (and thus need stabilization). CVE/issue says 4.4.4, but there are obviously other branches, what's the fixed version for 4.2.x?
Comment 7 Tomáš Mózes 2021-08-22 09:03:42 UTC
(In reply to John Helmert III from comment #6)
> It's unclear to me which versions are actually fixed for each branch (and
> thus need stabilization). CVE/issue says 4.4.4, but there are obviously
> other branches, what's the fixed version for 4.2.x?

We have branches 4.2, 4.4 and 5.0 in portage. We are not going to stabilize 5.0 yet, so that's why the latest 4.2 and 4.4 versions are marked for stabilization.
Comment 8 NATTkA bot gentoo-dev 2021-08-23 12:08:34 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 9 John Helmert III 2021-10-20 13:03:41 UTC
Please cleanup.
Comment 10 Ultrabug 2021-10-21 14:11:14 UTC
Cleanup done.
Comment 11 John Helmert III 2021-10-21 16:52:16 UTC
Thanks!