[Bug 1934518] Re: improper invalidation of authorization sessions

Launchpad Bug Tracker 1934518 at bugs.launchpad.net
Thu Aug 26 01:26:39 UTC 2021


This bug was fixed in the package mongodb - 1:3.6.3-0ubuntu1.3

---------------
mongodb (1:3.6.3-0ubuntu1.3) bionic-security; urgency=medium

  [Heather Lemon]
  * SECURITY UPDATE: account session reuse leads to unauthorized access (LP: #1934518)
    - d/p/CVE-2019-2386-SERVER-38984-Validate-unique-User-ID-on-UserCache-hi.patch:
      Attach ID to users.
      After user deletion in MongoDB Server the improper invalidation of
      authorization sessions allows an authenticated user's session to
      persist and become conflated with new accounts
    - CVE-2019-2386

  [Alex Murray]
  * Refresh
    d/p/CVE-2019-2386-SERVER-38984-Validate-unique-User-ID-on-UserCache-hi.patch
    with the version from the 3.4 upstream branch that is still licensed
    under the AGPL.

 -- Alex Murray <alex.murray at canonical.com>  Fri, 06 Aug 2021 12:08:41 +0930

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1934518

Title:
   improper invalidation of authorization sessions

Status in mongodb source package in Trusty:
  Confirmed
Status in mongodb source package in Bionic:
  Fix Released
Status in mongodb source package in Focal:
  Fix Released

Bug description:
  CVE: https://ubuntu.com/security/CVE-2019-2386

  After user deletion in MongoDB Server the improper invalidation of
  authorization sessions allows an authenticated user’s session to
  persist and become conflated with new accounts, if those accounts
  reuse the names of deleted ones. This issue affects: MongoDB Inc.
  MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to
  3.6.13; v3.4 versions prior to 3.4.22.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/trusty/+source/mongodb/+bug/1934518/+subscriptions
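
A simplified model of the session conflation in the bug description and of the fix summarised in the changelog ("Attach ID to users"), added here as an example. It is not MongoDB's code; the class names, role names and counter-based IDs are assumptions made for illustration.

```python
import itertools
from dataclasses import dataclass

_next_id = itertools.count(1)  # assumption: stands in for a unique per-user ID


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    user_id: int  # assigned at creation, never reused


class UserStore:
    """Authoritative user records, keyed by name (names can be reused)."""
    def __init__(self):
        self._users = {}

    def create(self, name, roles):
        self._users[name] = User(name, frozenset(roles), next(_next_id))

    def drop(self, name):
        del self._users[name]

    def get(self, name):
        return self._users.get(name)


class Session:
    """An authenticated session that re-resolves its user on each check."""
    def __init__(self, store, name, check_id):
        self.store, self.name, self.check_id = store, name, check_id
        self.user_id = store.get(name).user_id  # ID seen at login time

    def roles(self):
        current = self.store.get(self.name)
        if current is None:
            return frozenset()  # account deleted, nothing to authorize
        if self.check_id and current.user_id != self.user_id:
            return frozenset()  # same name, different account: reject
        return current.roles


def roles_after_name_reuse(check_id):
    """Log in, delete the account, recreate the name, then query the old session."""
    store = UserStore()
    store.create("alice", {"read"})          # constructed sample account
    session = Session(store, "alice", check_id)
    store.drop("alice")
    store.create("alice", {"dbAdmin"})       # new account reusing the name
    return session.roles()
```

With `check_id=False` the old session resolves by name alone and inherits the new account's roles; with `check_id=True` the ID mismatch invalidates it.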