[CLSA-2026:1780482073] Fix CVE(s): CVE-2025-10059, CVE-2025-14847, CVE-2025-6710
Type:
security
Severity:
Low
Release date:
2026-06-03 10:21:28 UTC
Description:
* SECURITY UPDATE: pre-auth heap memory disclosure via OP_COMPRESSED (MongoBleed)
  - debian/patches/CVE-2025-14847.patch: in ZlibMessageCompressor::decompressData, return the actual number of bytes written by ::uncompress() (length) instead of the output buffer capacity (output.length()). The size guard in MessageCompressorManager::decompressMessage now correctly rejects undersized payloads, preventing exfiltration of the uninitialized heap tail between actual-decompressed-bytes and uncompressedSize.
  - CVE-2025-14847 (CISA KEV)
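The size-accounting defect and its fix, as an added Python model that is not code from the MongoDB patch or from this advisory. `decompress_data`, `decompress_message`, the `fixed` flag and the sample bytes are constructed stand-ins for the C++ functions named above, and the exact comparison used by the guard is an assumption.

```python
import zlib

# Constructed stand-in for whatever an uninitialised heap allocation still holds.
STALE_HEAP = b"stale-heap-bytes-from-earlier-allocation"


def decompress_data(payload: bytes, output: bytearray, fixed: bool) -> int:
    """Model of decompressData: inflate into a preallocated buffer, report a size."""
    data = zlib.decompress(payload)
    if len(data) > len(output):
        raise ValueError("decompressed data exceeds output buffer")
    output[:len(data)] = data  # bytes past len(data) keep their previous contents
    # Pre-patch: report the buffer capacity. Patched: report the bytes written.
    return len(data) if fixed else len(output)


def decompress_message(payload: bytes, claimed_size: int, fixed: bool):
    """Model of the decompressMessage size guard; returns the message or None."""
    # The buffer is sized from the sender-declared uncompressedSize.
    output = bytearray(STALE_HEAP[:claimed_size].ljust(claimed_size, b"\0"))
    reported = decompress_data(payload, output, fixed)
    if reported != claimed_size:  # assumed form of the guard
        return None               # rejected: declared and actual sizes disagree
    return bytes(output)


def demo():
    body = b"ping"                 # constructed 4-byte message body
    payload = zlib.compress(body)
    declared = 32                  # declared size larger than the real body
    return {
        "consistent": decompress_message(payload, len(body), fixed=True),
        "pre_patch": decompress_message(payload, declared, fixed=False),
        "patched": decompress_message(payload, declared, fixed=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} -> {result!r}")
```

With the pre-patch return value the guard compares the declared size against itself, so it can never fail and the stale tail is treated as message data; with the patched return value the same input is rejected.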
Updated packages:
  • mongodb42_4.2.25-1+tuxcare.els10_amd64.deb
    sha:7594be5e92f9a5343d13437cd0f3e6a762da4ddf
  • mongodb42-mongos_4.2.25-1+tuxcare.els10_amd64.deb
    sha:ab6174ef1f7046bd13ce7282a9a4ef2e8fcfed42
  • mongodb42-server_4.2.25-1+tuxcare.els10_amd64.deb
    sha:6f9f4fe4f7fadabdfe70e56bfc5b99a7d217529b
  • mongodb42-shell_4.2.25-1+tuxcare.els10_amd64.deb
    sha:c4de565ed91fbd23e4b6a840da6221496573f91d
  • mongodb42_4.2.25-1+tuxcare.els10_arm64.deb
    sha:1f1c5e48b578c6a09e3481f31d406febadc3790f
  • mongodb42-mongos_4.2.25-1+tuxcare.els10_arm64.deb
    sha:a30fa1446fc1a9b7a612cbc1504532779e8b2a06
  • mongodb42-server_4.2.25-1+tuxcare.els10_arm64.deb
    sha:f3476d368d2c4e51e1e36de0487ef0ebff4c61bf
  • mongodb42-shell_4.2.25-1+tuxcare.els10_arm64.deb
    sha:7df653f0e3a5049c49f2f0306165f15a744d64da
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.