libbson (1.4.2-1+deb9u1) stretch-security; urgency=medium

  * Fix CVE-2017-14227: the bson_iter_codewscope function in bson-iter.c
    miscalculates a bson_utf8_validate length argument, which allows remote
    attackers to cause a denial of service (heap-based buffer over-read in
    the bson_utf8_validate function in bson-utf8.c).
  * Fix CVE-2018-16790: _bson_iter_next_internal in bson-iter.c has a
    heap-based buffer over-read via a crafted bson buffer.
  * Fix CVE-2021-32050: Some MongoDB Drivers may erroneously publish events
    containing authentication-related data to a command listener configured
    by an application. The published events may contain security-sensitive
    data when specific authentication-related commands are executed. Without
    due care, an application may inadvertently expose this sensitive
    information, e.g., by writing it to a log file. This issue only arises if
    an application enables the command listener feature (this is not enabled
    by default).
  * Fix CVE-2023-0437: When calling bson_utf8_validate on some inputs a loop
    with an exit condition that cannot be reached may occur, i.e. an infinite
    loop.
  * Fix CVE-2024-6381: The bson_strfreev function in the MongoDB C driver
    library may be susceptible to an integer overflow where the function will
    try to free memory at a negative offset. This may result in memory
    corruption.
  * Fix CVE-2024-6383: The bson_string_append function in MongoDB C Driver may
    be vulnerable to a buffer overflow where the function might attempt to
    allocate too small a buffer and may lead to memory corruption of
    neighbouring heap memory.
  * Fix CVE-2025-0755: The various bson_append functions in the MongoDB C
    driver library may be susceptible to buffer overflow when performing
    operations that could result in a final BSON document which exceeds the
    maximum allowable size (INT32_MAX), resulting in a segmentation fault and
    possible application crash.

 -- Roberto C. Sanchez <roberto@connexer.com>  Mon, 26 May 2025 14:12:46 -0400

libbson (1.4.2-1) unstable; urgency=low

  * New upstream release

 -- A. Jesse Jiryu Davis <jesse@mongodb.com>  Wed, 12 Oct 2016 15:02:08 +0000

libbson (1.4.1-1) unstable; urgency=medium

  * New upstream release

 -- A. Jesse Jiryu Davis <jesse@mongodb.com>  Fri, 02 Sep 2016 18:42:36 +0000

libbson (1.3.5-1) unstable; urgency=low

  [ A. Jesse Jiryu Davis ]
  * New upstream release.
  * Fix man-pages install command.
  * Remove obsolete copyrights entry.
  * Updated to Standards-Version 3.9.8 (no changes)

  [ Ondřej Surý ]
  * Remove -dbg package and add a simple BC compatible dbgsym support

 -- A. Jesse Jiryu Davis <jesse@mongodb.com>  Tue, 17 May 2016 12:12:28 -0400

libbson (1.3.1-1) experimental; urgency=low

  * New upstream release
  * Add symbols file for stable ABI, thanks to Ondřej Surý

 -- A. Jesse Jiryu Davis <jesse@mongodb.com>  Tue, 19 Jan 2016 19:29:33 +0000

libbson (1.2.1-1) experimental; urgency=low

  * Initial release (Closes: #798695)

 -- A. Jesse Jiryu Davis <jesse@mongodb.com>  Fri, 16 Oct 2015 14:52:26 -0400
