[Bug 1934518] Re: improper invalidation of authorization sessions
Ubuntu Foundations Team Bug Bot
1934518 at bugs.launchpad.net
Fri Jul 2 16:27:43 UTC 2021
The attachment "CVE-2019-2386-bionic-20210702.debdiff" seems to be a
debdiff. The ubuntu-sponsors team has been subscribed to the bug report
so that they can review and hopefully sponsor the debdiff. If the
attachment isn't a patch, please remove the "patch" flag from the
attachment, remove the "patch" tag, and if you are a member of the
~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1934518
Title:
improper invalidation of authorization sessions
Status in mongodb package in Ubuntu:
New
Status in mongodb source package in Trusty:
New
Status in mongodb source package in Bionic:
New
Status in mongodb source package in Focal:
New
Bug description:
CVE: https://ubuntu.com/security/CVE-2019-2386
After user deletion in MongoDB Server the improper invalidation of
authorization sessions allows an authenticated user’s session to
persist and become conflated with new accounts, if those accounts
reuse the names of deleted ones. This issue affects: MongoDB Inc.
MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to
3.6.13; v3.4 versions prior to 3.4.22.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1934518/+subscriptions