diff -uNr /usr/ports/security/vuxml/vuln.xml ./vuln.xml --- /usr/ports/security/vuxml/vuln.xml 2019-09-28 13:51:00.000000000 +0200 +++ ./vuln.xml 2019-09-30 20:28:11.577681000 +0200 @@ -58,6 +58,108 @@ * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + mongodb -- Bump Windows package dependencies + + + mongodb34 + 3.4.22 + + + mongodb36 + 3.6.14 + + + mongodb40 + 4.0.11 + + + + +

Rich Mirch reports:

+
+

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility.

+
+ +
+ + CVE-2019-2390 + https://jira.mongodb.org/browse/SERVER-42233 + + + 2019-08-06 + 2019-09-30 + +
+ + + mongodb -- Our init scripts check /proc/[pid]/stat should validate that `(${procname})` is the process' command name. + + + mongodb34 + 3.4.22 + + + mongodb36 + 3.6.14 + + + mongodb40 + 4.0.11 + + + + +

Sicheng Liu of Beijing DBSEC Technology Co., Ltd reports:

+
+

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init.

+
+ +
+ + CVE-2019-2389 + https://jira.mongodb.org/browse/SERVER-40563 + + + 2019-08-06 + 2019-09-30 + +
+ + + mongodb -- Attach IDs to users + + + mongodb34 + 3.4.22 + + + mongodb36 + 3.6.13 + + + mongodb40 + 4.0.9 + + + + +

Mitch Wasson of Cisco's Advanced Malware Protection Group reports:

+
+

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones.

+
+ +
+ + CVE-2019-2386 + https://jira.mongodb.org/browse/SERVER-38984 + + + 2019-08-06 + 2019-09-28 + +
+ go -- invalid headers are normalized, allowing request smuggling
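Review bot: the three new topic fields reproduce the SERVER ticket titles instead of describing the vulnerability, so "mongodb -- Bump Windows package dependencies", "mongodb -- Our init scripts check /proc/[pid]/stat should validate that `(${procname})` is the process' command name." and "mongodb -- Attach IDs to users" tell a reader of the VuXML page nothing about what was fixed; rewrite each from the description that follows it, for example "mongodb -- utilities on Windows load OpenSSL configuration from a fixed location writable by unprivileged users (CVE-2019-2390)", "mongodb -- packaged SysV init script kills arbitrary PIDs taken from a writable PID file (CVE-2019-2389)" and "mongodb -- authorization sessions not invalidated after user deletion (CVE-2019-2386)". Two of the entries also need an applicability check before they are committed against mongodb34, mongodb36 and mongodb40: the first description limits the issue to utilities running on Microsoft Windows, and the second to the packaged SysV init scripts and their PID-file handling, so confirm that the FreeBSD packages are actually exposed before listing them as affected, and if they are not, either drop the entry or state in the description why it is kept. The version bounds are consistent with the descriptions (3.4.22 in all three entries; 3.6.14 and 4.0.11 for the first two, 3.6.13 and 4.0.9 for the third, which was fixed earlier), and each entry carries both the CVE and the SERVER ticket as references, which is the right shape.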