[CLSA-2026:1780484111] Fix CVE(s): CVE-2025-10059, CVE-2025-14847, CVE-2025-6710
Type: security
Severity: Low
Release date: 2026-06-03 10:55:26 UTC
Description:
* SECURITY UPDATE: pre-auth heap memory disclosure via OP_COMPRESSED (MongoBleed)
  - debian/patches/CVE-2025-14847.patch: in ZlibMessageCompressor::decompressData, return the actual number of bytes written by ::uncompress() (length) instead of the output buffer capacity (output.length()). The size guard in MessageCompressorManager::decompressMessage now correctly rejects undersized payloads, preventing exfiltration of the uninitialized heap tail between actual-decompressed-bytes and uncompressedSize.
  - CVE-2025-14847 (CISA KEV)
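The return-value bug described above, modelled as an added C++ example (not the MongoDB source and not the patch shipped in these packages). Assumptions: a toy run-length decoder stands in for zlib's ::uncompress(), a 0xAA fill stands in for uninitialized heap, the size guard is an equality check against the claimed uncompressedSize, and all function names are hypothetical.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>
using Bytes = std::vector<uint8_t>;

// Toy run-length decoder standing in for zlib's ::uncompress(): input is (count, byte)
// pairs; *len holds the capacity on entry and the bytes actually written on exit.
static bool toyUncompress(const Bytes& in, uint8_t* out, size_t* len) {
    size_t cap = *len, n = 0;
    for (size_t i = 0; i + 1 < in.size(); i += 2) {
        const size_t run = in[i];
        if (run > cap - n) return false;  // would overflow the output buffer
        std::memset(out + n, in[i + 1], run);
        n += run;
    }
    *len = n;
    return true;
}

// Unpatched behaviour: report the output buffer capacity, not the bytes written.
static long decompressVulnerable(const Bytes& in, Bytes& output) {
    size_t length = output.size();
    if (!toyUncompress(in, output.data(), &length)) return -1;
    return static_cast<long>(output.size());
}

// Patched behaviour: report the length the decompressor actually produced.
static long decompressFixed(const Bytes& in, Bytes& output) {
    size_t length = output.size();
    if (!toyUncompress(in, output.data(), &length)) return -1;
    return static_cast<long>(length);
}

// Size guard, assumed here to be an equality check against the claimed uncompressedSize.
// Returns -1 on rejection, else the count of stale 0xAA bytes passed on as message data.
static long decompressMessage(bool patched, size_t claimedSize, const Bytes& payload) {
    Bytes output(claimedSize, 0xAA);  // 0xAA models uninitialized heap contents
    long n = patched ? decompressFixed(payload, output) : decompressVulnerable(payload, output);
    if (n < 0 || static_cast<size_t>(n) != claimedSize) return -1;
    return static_cast<long>(std::count(output.begin(), output.end(), 0xAA));
}

int main() {
    const Bytes payload = {4, 0x41};  // constructed sample: expands to 4 bytes of 0x41
    std::printf("unpatched: %ld stale bytes accepted\n", decompressMessage(false, 64, payload));
    std::printf("patched:   %ld (rejected)\n", decompressMessage(true, 64, payload));
}
```

With the capacity returned, the guard compares the claimed size against itself and can never fail; with the real length returned, any payload that expands to fewer bytes than claimed is rejected before the buffer is used.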
Updated packages:
  • mongodb42_4.2.25-1+tuxcare.els10_amd64.deb
    sha:76617feeefb6b7c00bc805dbc1fca29b62c35c62
  • mongodb42-mongos_4.2.25-1+tuxcare.els10_amd64.deb
    sha:a2c97105f301e2f1853bf5e6690b65bd0a4add2e
  • mongodb42-server_4.2.25-1+tuxcare.els10_amd64.deb
    sha:49fa3974b21d16b12b8ba10e7b89aaed763e285b
  • mongodb42-shell_4.2.25-1+tuxcare.els10_amd64.deb
    sha:b012022157c674b394d99baf02c33eb187cf9398
  • mongodb42_4.2.25-1+tuxcare.els10_arm64.deb
    sha:a43ba83252b524ba72ffa5414a4497338eb56667
  • mongodb42-mongos_4.2.25-1+tuxcare.els10_arm64.deb
    sha:0e2453d81b4ea55a5063537fd2df732d26a8c1fe
  • mongodb42-server_4.2.25-1+tuxcare.els10_arm64.deb
    sha:2f6eb40f09328b2333eaacced36f68d1cfd1b9f3
  • mongodb42-shell_4.2.25-1+tuxcare.els10_arm64.deb
    sha:5b96d40a3bf031d69b132ac03b13b012aa009212
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.