[Bug 1934518] Re: improper invalidation of authorization sessions
Heather Lemon
1934518 at bugs.launchpad.net
Tue Aug 3 23:14:50 UTC 2021
I am getting a build failure after integrating the changes from v3.4
https://github.com/mongodb/mongo/commit/64d8e9e1b12d16b54d6a592bae8110226c491b4e
Checking for mongoc_get_major_version() in C library mongoc-1.0... no
*** Run 'pip2 install --user regex' to speed up error code checking
DUPLICATE IDS: 40437
src/mongo/bson/bsonelement.h:624:17:uassert(40437
src/mongo/bson/bsonelement.h:655:17:uassert(40437
next id to use: 40679
debian/rules:45: recipe for target 'override_dh_auto_clean' failed
make[1]: *** [override_dh_auto_clean] Error 1
make[1]: Leaving directory '/root/userid-validate-CVE-2019-2386/mongodb-3.6.3'
debian/rules:74: recipe for target 'clean' failed
make: *** [clean] Error 2
dpkg-buildpackage: error: fakeroot debian/rules clean subprocess returned exit status 2
debuild: fatal error at line 1152:
dpkg-buildpackage -rfakeroot -us -uc -ui -S -i failed
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1934518
Title:
improper invalidation of authorization sessions
Status in mongodb source package in Trusty:
Confirmed
Status in mongodb source package in Bionic:
Confirmed
Status in mongodb source package in Focal:
Confirmed
Bug description:
CVE: https://ubuntu.com/security/CVE-2019-2386
After user deletion in MongoDB Server the improper invalidation of
authorization sessions allows an authenticated user’s session to
persist and become conflated with new accounts, if those accounts
reuse the names of deleted ones. This issue affects: MongoDB Inc.
MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to
3.6.13; v3.4 versions prior to 3.4.22.
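
The session conflation described in the bug description above, as an added example that is not part of the original report and is not MongoDB's code. It is a simplified C++ model: UserStore, Session, the role strings and the per-account numeric ID are all assumptions made for illustration. It contrasts revalidating a cached session by name only with also requiring the same unique account ID.

```cpp
// Simplified model, not MongoDB source; every name here is hypothetical.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
struct Account { std::uint64_t id; std::string role; };
// What a connection caches after a successful login.
struct Session { std::string name; std::uint64_t accountId; };

class UserStore {  // stand-in for the server's user catalog
    std::map<std::string, Account> byName_;
    std::uint64_t nextId_ = 1;  // IDs are never reused, names can be
public:
    std::uint64_t create(const std::string& n, const std::string& role) {
        return (byName_[n] = Account{nextId_++, role}).id;
    }
    void drop(const std::string& n) { byName_.erase(n); }
    bool find(const std::string& n, Account* out) const {
        auto it = byName_.find(n);
        if (it != byName_.end()) *out = it->second;
        return it != byName_.end();
    }
};

// Weak revalidation: matches on name only. Empty string means "rejected".
std::string roleByNameOnly(const UserStore& store, const Session& s) {
    Account a{0, ""};
    return store.find(s.name, &a) ? a.role : std::string();
}

// Hardened revalidation: the name must still resolve to the same account ID.
std::string roleByNameAndId(const UserStore& store, const Session& s) {
    Account a{0, ""};
    return (store.find(s.name, &a) && a.id == s.accountId) ? a.role : std::string();
}

// Constructed scenario: "alice" logs in, is dropped, then the name is reused.
Session staleSessionAfterNameReuse(UserStore& store) {
    Session old{"alice", store.create("alice", "readOnly")};  // first account
    store.drop("alice");
    store.create("alice", "dbAdmin");  // new account, same name, new ID
    return old;
}

int main() {
    UserStore store;
    Session old = staleSessionAfterNameReuse(store);
    std::cout << "[" << roleByNameOnly(store, old) << "] [" << roleByNameAndId(store, old) << "]\n";
}
```

The name-only check hands the stale session the new account's role, while the ID-bound check rejects it.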