MongoDB Alerts

This page lists critical alerts and advisories for MongoDB. This page is a work in progress and will be enhanced over time.

See <http://jira.mongodb.org/> for a comprehensive list of bugs and feature requests.

Data Integrity Related

• Secondary indexes (i.e. all indexes other than _id) may be corrupted on an initial sync if write operations are performed on the sync source during the initial sync. This affects version 2.4.0 and is fixed in 2.4.1. See SERVER-9087 for more information.
• Documents may be missing on a replication secondary after initial sync if a high number of updates occur during the sync that move the document (i.e., the documents are growing).
  • <https://jira.mongodb.org/browse/SERVER-3956> Replica set case. Fixed: 1.8.4, 2.0.1
  • <https://jira.mongodb.org/browse/SERVER-4270> Master/slave case. Fixed: 1.8.5, 2.0.2
• When stepping down a replica set primary, the primary’s connection to clients is not automatically closed in 2.0.1. This means that if the primary steps down while an application is issuing fire-and-forget write, the application won’t necessarily fail over until it issues a query. Applications that only issue safe writes are not affected by this. The issue is fixed in 2.0.2. See <https://jira.mongodb.org/browse/SERVER-4405> for details.

Security Related

Date	Component	Description	Affects Versions	Fixed in Versions	CVE	Ref
02/20/2013	JS Engine	Unchecked access to SpiderMonkey’s JavaScript nativeHelper function.	2.0.8, 2.2.3, and earlier.	2.0.9, 2.2.4, 2.4.2	CVE-2013-1892*	SERVER-9124
02/02/2013	mongo Shell	It is possible to create documents that collide with JavaScript functions when fetched using the mongo shell.	2.2.3, 2.4.1, and earlier	(scheduled, unreleased)	n/a	SERVER-9131
10/02/2012	Authentication	Password hashing insecurity.	2.2-series and earlier.	2.4.0	CVE-2012-5241*	Docs

Make sure to subscribe to <http://groups.google.com/group/mongodb-announce> for important announcements.