[Buildroot] [PATCH] package/mongodb: security bump to version 4.0.12
Peter Korsgaard
peter at korsgaard.com
Wed Oct 2 19:33:16 UTC 2019
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following (low severity) security vulnerabilities:
> 4.0.9:
> - CVE-2019-2386: After user deletion in MongoDB Server the improper
> invalidation of authorization sessions allows an authenticated user's
> session to persist and become conflated with new accounts, if those
> accounts reuse the names of deleted ones
> https://jira.mongodb.org/browse/SERVER-38984
> 4.0.11:
> - CVE-2019-2389: Incorrect scoping of kill operations in MongoDB Server's
> packaged SysV init scripts allows users with write access to the PID file
> to insert arbitrary PIDs to be killed when the root user stops the MongoDB
> process via SysV init
> https://jira.mongodb.org/browse/SERVER-40563
> - CVE-2019-2390: An unprivileged user or program on Microsoft Windows which
> can create OpenSSL configuration files in a fixed location may cause
> utility programs shipped with MongoDB server versions less than 4.0.11
> https://jira.mongodb.org/browse/SERVER-42233
> Plus a number of other bugfixes. For details, see the release notes:
> https://docs.mongodb.com/manual/release-notes/4.0/
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2019.02.x, 2019.05.x and 2019.08.x, thanks.
--
Bye, Peter Korsgaard