[DOCS-5109] Comment on: "about/alerts.txt#security-related" Created: 25/Mar/15 Updated: 03/Nov/17 Resolved: 01/Apr/15 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 01112017-cleanup |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Brian Martin | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | collector-298ba4e7 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Location: http://www.mongodb.org/about/alerts/#security-related |
||
| Participants: | |
| Days since reply: | 8 years, 47 weeks ago |
| Description |
|
03/25/2015 | mongod | Remotely trigger a denial of service (crash) via a specially crafted regular expression. | 2.6.8 and earlier, 3.0.0 | 2.6.9 and 3.0.1 | CVE-2015-2327, CVE-2015-2328
|
| Comments |
| Comment by Christopher Sandulow [ 26/Mar/15 ] |
|
Brian, CVE-2014-8964 was issued for a vulnerability in a third-party PCRE library. The MongoDB versions listed in (http://www.mongodb.org/about/alerts/#security-related) are vulnerable to denial of service as they use this version of PCRE. Even though the actual vulnerability is in the underlying PCRE library, we received a vulnerability report from a third party regarding exploiting this version of PCRE in MongoDB to cause a denial of service. That external party requested CVEs for the issues they identified in MongoDB and those CVEs are CVE-2015-2327 and CVE-2015-2328. I understand this can be confusing; we will update |