Attachment #207963 for bug #239717

View | Details | Raw Unified | Return to bug 239717 | Differences between
Collapse All | Expand All




  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="fd2e0ca8-e3ae-11e9-8af7-08002720423d">
    <topic>mongodb -- Bump Windows package dependencies</topic>
    <affects>
      <package>
	<name>mongodb34</name>
	<range><lt>3.4.22</lt></range>
      </package>
      <package>
	<name>mongodb36</name>
	<range><lt>3.6.14</lt></range>
      </package>
      <package>
	<name>mongodb40</name>
	<range><lt>4.0.11</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Rich Mirch reports:</p>
	<blockquote cite="https://jira.mongodb.org/browse/SERVER-42233">
	  <p>An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-2390</cvename>
      <url>https://jira.mongodb.org/browse/SERVER-42233</url>
    </references>
    <dates>
      <discovery>2019-08-06</discovery>
      <entry>2019-09-30</entry>
    </dates>
  </vuln>

  <vuln vid="273c6c43-e3ad-11e9-8af7-08002720423d">
    <topic>mongodb -- Our init scripts check /proc/[pid]/stat should validate that `(${procname})` is the process' command name.</topic>
    <affects>
      <package>
	<name>mongodb34</name>
	<range><lt>3.4.22</lt></range>
      </package>
      <package>
	<name>mongodb36</name>
	<range><lt>3.6.14</lt></range>
      </package>
      <package>
	<name>mongodb40</name>
	<range><lt>4.0.11</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Sicheng Liu of Beijing DBSEC Technology Co., Ltd reports:</p>
	<blockquote cite="https://jira.mongodb.org/browse/SERVER-40563">
	  <p>Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-2389</cvename>
      <url>https://jira.mongodb.org/browse/SERVER-40563</url>
    </references>
    <dates>
      <discovery>2019-08-06</discovery>
      <entry>2019-09-30</entry>
    </dates>
  </vuln>

  <vuln vid="880bca8f-e201-11e9-8af7-08002720423d">
    <topic>mongodb -- Attach IDs to users</topic>
    <affects>
      <package>
	<name>mongodb34</name>
	<range><lt>3.4.22</lt></range>
      </package>
      <package>
	<name>mongodb36</name>
	<range><lt>3.6.13</lt></range>
      </package>
      <package>
	<name>mongodb40</name>
	<range><lt>4.0.9</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Mitch Wasson of Cisco's Advanced Malware Protection Group reports:</p>
	<blockquote cite="https://jira.mongodb.org/browse/SERVER-38984">
	  <p>After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-2386</cvename>
      <url>https://jira.mongodb.org/browse/SERVER-38984</url>
    </references>
    <dates>
      <discovery>2019-08-06</discovery>
      <entry>2019-09-28</entry>
    </dates>
  </vuln>

  <vuln vid="a92dcc5c-e05c-11e9-b589-10c37b4ac2ea">
    <topic>go -- invalid headers are normalized, allowing request smuggling</topic>
    <affects>

Return to bug 239717

Lines 58-63 Link Here

(-)./vuln.xml (+102 lines)
58	* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)	58	* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
59	-->	59	-->
60	<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">	60	<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
		61	<vuln vid="fd2e0ca8-e3ae-11e9-8af7-08002720423d">
		62	<topic>mongodb -- Bump Windows package dependencies</topic>
		63	<affects>
		64	<package>
		65	<name>mongodb34</name>
		66	<range><lt>3.4.22</lt></range>
		67	</package>
		68	<package>
		69	<name>mongodb36</name>
		70	<range><lt>3.6.14</lt></range>
		71	</package>
		72	<package>
		73	<name>mongodb40</name>
		74	<range><lt>4.0.11</lt></range>
		75	</package>
		76	</affects>
		77	<description>
		78	<body xmlns="http://www.w3.org/1999/xhtml">
		79	<p>Rich Mirch reports:</p>
		80	<blockquote cite="https://jira.mongodb.org/browse/SERVER-42233">
		81	<p>An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility.</p>
		82	</blockquote>
		83	</body>
		84	</description>
		85	<references>
		86	<cvename>CVE-2019-2390</cvename>
		87	<url>https://jira.mongodb.org/browse/SERVER-42233</url>
		88	</references>
		89	<dates>
		90	<discovery>2019-08-06</discovery>
		91	<entry>2019-09-30</entry>
		92	</dates>
		93	</vuln>
		94
		95	<vuln vid="273c6c43-e3ad-11e9-8af7-08002720423d">
		96	<topic>mongodb -- Our init scripts check /proc/[pid]/stat should validate that `(${procname})` is the process' command name.</topic>
		97	<affects>
		98	<package>
		99	<name>mongodb34</name>
		100	<range><lt>3.4.22</lt></range>
		101	</package>
		102	<package>
		103	<name>mongodb36</name>
		104	<range><lt>3.6.14</lt></range>
		105	</package>
		106	<package>
		107	<name>mongodb40</name>
		108	<range><lt>4.0.11</lt></range>
		109	</package>
		110	</affects>
		111	<description>
		112	<body xmlns="http://www.w3.org/1999/xhtml">
		113	<p>Sicheng Liu of Beijing DBSEC Technology Co., Ltd reports:</p>
		114	<blockquote cite="https://jira.mongodb.org/browse/SERVER-40563">
		115	<p>Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init.</p>
		116	</blockquote>
		117	</body>
		118	</description>
		119	<references>
		120	<cvename>CVE-2019-2389</cvename>
		121	<url>https://jira.mongodb.org/browse/SERVER-40563</url>
		122	</references>
		123	<dates>
		124	<discovery>2019-08-06</discovery>
125	<entry>2019-09-30</entry>
126	</dates>
127	</vuln>
128
129	<vuln vid="880bca8f-e201-11e9-8af7-08002720423d">
130	<topic>mongodb -- Attach IDs to users</topic>
131	<affects>
132	<package>
133	<name>mongodb34</name>
134	<range><lt>3.4.22</lt></range>
135	</package>
136	<package>
137	<name>mongodb36</name>
138	<range><lt>3.6.13</lt></range>
139	</package>
140	<package>
141	<name>mongodb40</name>
142	<range><lt>4.0.9</lt></range>
143	</package>
144	</affects>
145	<description>
146	<body xmlns="http://www.w3.org/1999/xhtml">
147	<p>Mitch Wasson of Cisco's Advanced Malware Protection Group reports:</p>
148	<blockquote cite="https://jira.mongodb.org/browse/SERVER-38984">
149	<p>After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones.</p>
150	</blockquote>
151	</body>
152	</description>
153	<references>
154	<cvename>CVE-2019-2386</cvename>
155	<url>https://jira.mongodb.org/browse/SERVER-38984</url>
156	</references>
157	<dates>
158	<discovery>2019-08-06</discovery>
159	<entry>2019-09-28</entry>
160	</dates>
161	</vuln>
162
61	<vuln vid="a92dcc5c-e05c-11e9-b589-10c37b4ac2ea">	163	<vuln vid="a92dcc5c-e05c-11e9-b589-10c37b4ac2ea">
62	<topic>go -- invalid headers are normalized, allowing request smuggling</topic>	164	<topic>go -- invalid headers are normalized, allowing request smuggling</topic>
63	<affects>	165	<affects>