Fedora has issued an advisory on March 19: https://lists.fedoraproject.org/pipermail/package-announce/2015-March/153690.html The issue is fixed upstream in 2.4.13. The upstream patch to fix the issue is linked in the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1200446 Mageia 4 and Mageia 5 are affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=12251#c3 I don't see a PoC.
Upstream patch checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.
Patched packages uploaded for Mageia 4 and Cauldron. See the test procedure linked in Comment 1. Advisory: ======================== Updated mongodb packages fix security vulnerability: It was found that the mongod server did not correctly validate certain malformed BSON requests. A remote, unauthenticated attacker could use a specially crafted BSON message to crash a mongod server (CVE-2015-1609). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0252 https://lists.fedoraproject.org/pipermail/package-announce/2015-March/153690.html ======================== Updated packages in core/updates_testing: ======================== mongodb-2.4.6-2.2.mga4 mongodb-server-2.4.6-2.2.mga4 from mongodb-2.4.6-2.2.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => has_procedure
Testing on Mageia4x32 real hardware, following instructions : http://docs.mongodb.org/manual/tutorial/getting-started/ (mentioned in Comment 1) From current packages : --------------------- mongodb-2.4.6-2.1.mga4 mongodb-server-2.4.6-2.1.mga4 # systemctl start mongod # systemctl status mongod mongod.service - High-performance, schema-free document-oriented database Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled) Active: active (running) since lun. 2015-03-30 21:21:01 CEST; 8s ago $ mongo MongoDB shell version: 2.4.6 connecting to: test (...) (some warnings about using a 32bits version) > used several commands in mongodb shell to show dbname, logs, create new db, create collection, documents, multiple documents, query collection, iterate query...) Finally deleted the 2 databases : > use mydb switched to db mydb > db.dropDatabase(); { "dropped" : "mydb", "ok" : 1 } > use test switched to db test > db.dropDatabase(); { "dropped" : "test", "ok" : 1 } > exit; # systemctl stop mongod Updated to testing packages : --------------------------- mongodb-2.4.6-2.2.mga4 mongodb-server-2.4.6-2.2.mga4 # systemctl start mongod # systemctl status mongod mongod.service - High-performance, schema-free document-oriented database Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled) Active: active (running) since lun. 2015-03-30 21:49:16 CEST; 4s ago (...) Followed the same procedure. All OK
CC: (none) => olchalWhiteboard: has_procedure => has_procedure MGA4-32-OK
Created attachment 6163 [details] mongodb : Full testing procedure I used In attachment : full testing procedure I used
Testing on Mageia4x64 real hardware using quite the same procedure as in comment 4 From current packages : --------------------- mongodb-2.4.6-2.1.mga4 mongodb-server-2.4.6-2.1.mga4 OK This time I did not drop database "mydb" to verify I could find it after updating To updated testing packages : --------------------------- mongodb-2.4.6-2.2.mga4 mongodb-server-2.4.6-2.2.mga4 Could find "mydb" after update. Followed then same procedure. mongodb and mongodb-server running OK
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0130.html
Status: NEW => RESOLVEDResolution: (none) => FIXED