ASA-201801-5 generated external raw

[ASA-201801-5] mongodb: arbitrary code execution
Arch Linux Security Advisory ASA-201801-5 ========================================= Severity: High Date : 2018-01-05 CVE-ID : CVE-2017-15535 Package : mongodb Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-503 Summary ======= The package mongodb before version 3.6.0-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 3.6.0-1. # pacman -Syu "mongodb>=3.6.0-1" The problem has been fixed upstream in version 3.6.0. Workaround ========== To disable wire protocol compression, users may specify disabled as the compression engine, either in the command line: --networkMessageCompressors disabled or, alternatively, in the mongod configuration file as: net: compression: compressors: disabled Description =========== MongoDB 3.4.x before 3.4.10, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory of the running process. Impact ====== A remote unprivileged attacker is able to crash the mongodb service or modify memory of the running process. References ========== https://bugs.archlinux.org/task/56379 https://jira.mongodb.org/browse/SERVER-31273 https://github.com/mongodb/mongo/commit/5ad69b851801edadbfde8fdf271f4ba7c21170b5 https://security.archlinux.org/CVE-2017-15535