
Debian alert DLA-4175-1 (mongo-c-driver)

From:  "Roberto C. Sánchez" <roberto@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4175-1] mongo-c-driver security update
Date:  Tue, 20 May 2025 15:14:23 -0400
Message-ID:  <aCzUj61UcsNy9g1I@localhost>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4175-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Roberto C. Sánchez
May 20, 2025                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : mongo-c-driver
Version        : 1.17.6-1+deb11u1
CVE ID         : CVE-2021-32050 CVE-2023-0437 CVE-2024-6381 CVE-2024-6383
                 CVE-2025-0755

Multiple vulnerabilities have been discovered in the MongoDB C Driver.

CVE-2021-32050

    Some MongoDB Drivers may erroneously publish events containing
    authentication-related data to a command listener configured by an
    application. The published events may contain security-sensitive
    data when specific authentication-related commands are executed.
    Without due care, an application may inadvertently expose this
    sensitive information, e.g., by writing it to a log file. This issue
    only arises if an application enables the command listener feature
    (this is not enabled by default).

CVE-2023-0437

    When calling bson_utf8_validate on some inputs, a loop with an exit
    condition that cannot be reached may occur, i.e. an infinite loop.

CVE-2024-6381

    The bson_strfreev function in the MongoDB C driver library may be
    susceptible to an integer overflow where the function will try to
    free memory at a negative offset. This may result in memory
    corruption.

CVE-2024-6383

    The bson_string_append function in the MongoDB C Driver may be
    vulnerable to a buffer overflow where the function might allocate
    too small a buffer, which may lead to memory corruption of
    neighbouring heap memory.

CVE-2025-0755

    The various bson_append functions in the MongoDB C driver library
    may be susceptible to buffer overflow when performing operations
    that could result in a final BSON document which exceeds the maximum
    allowable size (INT32_MAX), resulting in a segmentation fault and
    possible application crash.

For Debian 11 bullseye, these problems have been fixed in version
1.17.6-1+deb11u1.

We recommend that you upgrade your mongo-c-driver packages.

For the detailed security status of mongo-c-driver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mongo-c-driver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
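Confirming that a bullseye host actually carries the fixed build means comparing the installed package version with 1.17.6-1+deb11u1 under Debian's version ordering, not with a plain string comparison (which mishandles `~` pre-release suffixes and multi-digit components). The block below is an added example, not part of the advisory or of the mongo-c-driver project: it reimplements the dpkg ordering rules (epoch, upstream, revision; `~` sorts before everything, digit runs compare numerically) in Python so it runs without dpkg. The binary package names and the dpkg-query output in it are constructed sample data; the advisory itself names only the source package.

```python
"""Check installed Debian package versions against the DLA-4175-1 fixed version.

Added example, not advisory or project code. Pure-Python port of the dpkg
version-comparison rules so it runs anywhere; sample data below is constructed.
"""

FIXED_VERSION = "1.17.6-1+deb11u1"  # fixed version named in the advisory

DIGITS = "0123456789"


def _order(c):
    """Sort weight of one character in a non-digit run, as dpkg defines it:
    end of string is 0, '~' sorts before the end, digits are 0 (handled by
    the caller), letters sort by ASCII, other punctuation sorts after letters."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) per dpkg rules by
    alternating non-digit runs (lexical via _order) and digit runs (numeric)."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character by character.
        while (a and a[0] not in DIGITS) or (b and b[0] not in DIGITS):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros; the longer run wins, otherwise the
        # first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0] in DIGITS and b and b[0] in DIGITS:
            if first_diff == 0:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0] in DIGITS:
            return 1
        if b and b[0] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision is everything after the last hyphen; the epoch defaults to 0."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_fixed(installed, fixed=FIXED_VERSION):
    """True if the installed version is at or beyond the fixed version."""
    return compare_versions(installed, fixed) >= 0


# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n'` output.
# The package names are assumed binary packages built from mongo-c-driver;
# the advisory does not list them.
SAMPLE_DPKG_OUTPUT = """\
libbson-1.0-0\t1.17.6-1
libmongoc-1.0-0\t1.17.6-1+deb11u1
"""


def check_installed(dpkg_output, fixed=FIXED_VERSION):
    """Map each package in dpkg-query output to whether it carries the fix."""
    result = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, version = line.split("\t", 1)
        result[name] = is_fixed(version.strip(), fixed)
    return result


if __name__ == "__main__":
    for pkg, ok in check_installed(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg}: {'fixed' if ok else 'needs upgrade'}")
```

On a real host, feed `check_installed` the output of `dpkg-query -W -f='${Package}\t${Version}\n'` restricted to the packages built from the mongo-c-driver source; anything it reports as not fixed is what the advisory's upgrade recommendation applies to.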


Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEIYZ1DR4ae5UL01q7ldFmTdL1kUIFAmgs1IsACgkQldFmTdL1
kUJ0Qw//Rwd4vO9hJs/bXbr9n6Od+0EWaIuOf4JkRc0Qo2rpmMftNFvoSoZYI5dC
Y5Ao/YcpK98PWVLDZXlsWHfhusSXO3xnqgzjkzbqFsKk8rIaRnRtRwxEp07/KlHb
qk+yg3Pj8P8UNdfGjP9mmM0LdneZ+ACldt53VtCKq2EzsTYPELzytgeAKgO7gYIC
uNHXCvBjlzvVNbDYmqiPL5r7TX/BuhPTpqZ8jMcoFsYjnRKQ/wF0q46SUlUenemA
e334XU/yxlOdQJ3QdVEjKli4fewNSTmfvvsZv1sTeh07oe2aeFHP6RiCZuZJqaIC
Q3F2u/ruLpAcZcm5jAneFrjv6zjMS2xK6TUUwtI/4xZrmEPlTr7JfJVGL/aOh+3s
evb6mKnvkmGQnIi0vA7GPbU2I6gByn+U5v2PRFON20Zo5d6sRwnh149OD9vPmG2c
nyGr/cMl/vfQU2+/1XVqXCSs//MTUZTC3+2jWilfUCm9U8BhT/9KGCJHTiuE6aWv
pWnaua+dufGSQxUwooSSUpTM59tPXhA07kibqx21T/iRKTtCgPUbowoCgdtyDgcW
1CMQXoTek5FwXTf5yb892h0bOczool3gBUxLot5jbdugqTqplr4XtVs139bk+sQG
fd/qNQsjhznZZTMA/M/SkqUa7f0EcS9ZTUbF5MLSYGivmFImUQc=
=ddX7
-----END PGP SIGNATURE-----



