Bug 1208428 - CVE-2015-2327 CVE-2015-2328 mongodb: multiple flaws in bundled version of PCRE
Summary: CVE-2015-2327 CVE-2015-2328 mongodb: multiple flaws in bundled version of PCRE
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-04-02 08:56 UTC by Martin Prpič
Modified: 2021-02-17 05:27 UTC

Fixed In Version: mongodb 2.6.9, mongodb 3.0.1
Clone Of:
Environment:
Last Closed: 2015-04-02 08:57:21 UTC
Embargoed:



Description Martin Prpič 2015-04-02 08:56:22 UTC
MongoDB bundles PCRE version 8.30 that, among other issues, is vulnerable to CVE-2014-8964. A remote, authenticated attacker could use a specially crafted regular expression to crash a mongod server.

Upstream issue (with links to patches):

https://jira.mongodb.org/browse/SERVER-17252

Statement:

This issue did not affect the versions of MongoDB as shipped in any Red Hat product as they use the PCRE system library, not the bundled copy shipped with MongoDB. The CVE-2014-8964 PCRE flaw does not affect Red Hat Enterprise Linux 5 and 6, and has been fixed in Red Hat Enterprise Linux 7 via RHSA-2015:0330.

Comment 1 Adam Mariš 2015-12-01 10:05:43 UTC
Vulnerabilities were in PCRE. Moving CVEs to the corresponding PCRE bugs.

