MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.

Upstream issue: https://jira.mongodb.org/browse/SERVER-31273

Upstream patch [3.4.x]: https://github.com/mongodb/mongo/commit/5ad69b851801edadbfde8fdf271f4ba7c21170b5
Created mongodb tracking bugs for this issue:

Affects: fedora-all [bug 1516185]
Statement: Satellite 6 uses a vulnerable version of MongoDB. However, it does not enable wire protocol compression, and thus the vulnerability cannot be triggered. A fix may be provided in a future release.
(Not sure why we added 4.10 as a "fixed in" version earlier, because that is wrong. MongoDB 3.4.10 and 3.6.0 fix this vulnerability; just corrected the flaw bug.)
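The exposure condition described in this report (an affected build with wire protocol compression switched on) can be checked per host. The sketch below is an added example, not part of the bug report or of MongoDB's code. It assumes the YAML config key `net.compression.compressors` as the config-file form of `networkMessageCompressors` and that a command-line value overrides the file; the function names and sample config are constructed.

```python
import re

# Constructed sample mongod.conf (YAML form), not taken from any real host.
SAMPLE_CONF = """\
net:
  port: 27017
  compression:
    compressors: snappy   # wire protocol compression switched on
"""

def version_affected(version):
    """Ranges from the advisory: 3.4.x before 3.4.10, and the 3.5.x development series."""
    major, minor, patch = map(int, re.search(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return (major, minor) == (3, 5) or ((major, minor) == (3, 4) and patch < 10)

def _names(value):
    """Split a comma-separated compressor list, dropping blanks and 'disabled'."""
    names = [n.strip().strip("\"'") for n in value.split(",")]
    return [n for n in names if n and n != "disabled"]

def conf_compressors(conf_text):
    """Compressors listed under net.compression.compressors, [] if unset."""
    path = []  # stack of (indent, key) for the enclosing YAML mappings
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        indent = len(line) - len(line.lstrip())
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key.strip()))
        if [k for _, k in path] == ["net", "compression", "compressors"]:
            return _names(value)
    return []

def argv_compressors(argv):
    """Value of --networkMessageCompressors on the command line, None if absent."""
    for i, arg in enumerate(argv):
        if arg.startswith("--networkMessageCompressors"):
            _, sep, value = arg.partition("=")
            if not sep:
                value = argv[i + 1] if i + 1 < len(argv) else ""
            return _names(value)
    return None

def is_exposed(version, conf_text, argv=()):
    """True when an affected build has wire protocol compression enabled."""
    from_argv = argv_compressors(list(argv))
    # Assumption: a command-line value takes precedence over the config file.
    enabled = from_argv if from_argv is not None else conf_compressors(conf_text)
    return version_affected(version) and bool(enabled)
```

Feed it the output of `mongod --version`, the contents of the config file, and the process command line collected from each host.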