[USN-6904-1] PyMongo vulnerability

Mon Jul 22 17:23:25 UTC 2024

==========================================================================
Ubuntu Security Notice USN-6904-1
July 22, 2024

pymongo vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

PyMongo could be made to crash or expose sensitive information if it
received a crafted BSON.

Software Description:
- pymongo: Python interface to the MongoDB document-oriented database

Details:

It was discovered that PyMongo incorrectly handled certain BSON.
An attacker could possibly use this issue to read sensitive information
or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  python3-bson                    3.11.0-1ubuntu0.24.04.1
  python3-bson-ext                3.11.0-1ubuntu0.24.04.1

Ubuntu 22.04 LTS
  python3-bson                    3.11.0-1ubuntu0.22.04.1
  python3-bson-ext                3.11.0-1ubuntu0.22.04.1

Ubuntu 20.04 LTS
  python3-bson                    3.10.1-0ubuntu2.1
  python3-bson-ext                3.10.1-0ubuntu2.1

Ubuntu 18.04 LTS
  python-bson                     3.6.1+dfsg1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python-bson-ext                 3.6.1+dfsg1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-bson                    3.6.1+dfsg1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-bson-ext                3.6.1+dfsg1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  python-bson                     3.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python-bson-ext                 3.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-bson                    3.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-bson-ext                3.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6904-1
  CVE-2024-5629

Package Information:
  https://launchpad.net/ubuntu/+source/pymongo/3.11.0-1ubuntu0.24.04.1
  https://launchpad.net/ubuntu/+source/pymongo/3.11.0-1ubuntu0.22.04.1
  https://launchpad.net/ubuntu/+source/pymongo/3.10.1-0ubuntu2.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20240722/c38c274d/attachment.sig>