Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
Release Notes
mongodb/node-mongodb-native (mongodb)
### [`v4.17.2`](https://redirect.github.com/mongodb/node-mongodb-native/releases/tag/v4.17.2)
[Compare Source](https://redirect.github.com/mongodb/node-mongodb-native/compare/v4.17.1...v4.17.2)
The MongoDB Node.js team is pleased to announce version 4.17.2 of the `mongodb` package!
#### Release Notes
##### Fix connection leak when serverApi is enabled
When enabling serverApi the driver's RTT mesurment logic (used to determine the closest node) still sent the legacy hello command "isMaster" causing the server to return an error. Unfortunately, the error handling logic did not correctly destroy the socket which would cause a leak.
Both sending the correct hello command and the error handling connection clean up logic are fixed in this change.
##### Bug Fixes
- **NODE-5751:** RTTPinger always sends legacy hello ([#3923](https://redirect.github.com/mongodb/node-mongodb-native/issues/3923)) ([bc3d020](https://redirect.github.com/mongodb/node-mongodb-native/commit/bc3d02015c8d91b363e127c6826c3090f0f11d6b))
#### Documentation
- [Reference](https://docs.mongodb.com/drivers/node/current/)
- [API](https://mongodb.github.io/node-mongodb-native/4.17/)
- [Changelog](https://redirect.github.com/mongodb/node-mongodb-native/blob/v4.17.2/HISTORY.md)
We invite you to try the `mongodb` library immediately, and report any issues to the [NODE project](https://jira.mongodb.org/projects/NODE).
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
dpebot
commented
2 months ago
This PR contains the following updates:
4.17.1->4.17.2GitHub Vulnerability Alerts
CVE-2021-32050
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
Release Notes
mongodb/node-mongodb-native (mongodb)
### [`v4.17.2`](https://redirect.github.com/mongodb/node-mongodb-native/releases/tag/v4.17.2) [Compare Source](https://redirect.github.com/mongodb/node-mongodb-native/compare/v4.17.1...v4.17.2) The MongoDB Node.js team is pleased to announce version 4.17.2 of the `mongodb` package! #### Release Notes ##### Fix connection leak when serverApi is enabled When enabling serverApi the driver's RTT mesurment logic (used to determine the closest node) still sent the legacy hello command "isMaster" causing the server to return an error. Unfortunately, the error handling logic did not correctly destroy the socket which would cause a leak. Both sending the correct hello command and the error handling connection clean up logic are fixed in this change. ##### Bug Fixes - **NODE-5751:** RTTPinger always sends legacy hello ([#3923](https://redirect.github.com/mongodb/node-mongodb-native/issues/3923)) ([bc3d020](https://redirect.github.com/mongodb/node-mongodb-native/commit/bc3d02015c8d91b363e127c6826c3090f0f11d6b)) #### Documentation - [Reference](https://docs.mongodb.com/drivers/node/current/) - [API](https://mongodb.github.io/node-mongodb-native/4.17/) - [Changelog](https://redirect.github.com/mongodb/node-mongodb-native/blob/v4.17.2/HISTORY.md) We invite you to try the `mongodb` library immediately, and report any issues to the [NODE project](https://jira.mongodb.org/projects/NODE).Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.