MongoDB version 1.4.10 represents a minor update to the Node.js driver for MongoDB, succeeding version 1.4.9. Released on September 4th, 2014, it builds upon the foundation of its predecessor, offering incremental improvements and refinements for developers interacting with MongoDB databases through Node.js. While both versions share a common core functionality, several key distinctions warrant examination.
The most notable difference lies in the dependencies. Version 1.4.10 updates the kerberos dependency to version 0.0.4, from 0.0.3 in the older version, potentially incorporating bug fixes, enhanced security, or feature additions related to Kerberos authentication. Similarly, BSON, the binary JSON serialization format, experiences a change, though the specific version is expressed as "~0.2" which means anything greater than 0.2 and less than 1.0, rather than the fixed "0.2.12" on the previous stable version which introduces some uncertainty. Developers leveraging Kerberos authentication should pay close attention to associated changes and potential compatibility considerations.
Other than dependency updates, the core development dependencies remain consistent between the two versions, showcasing tools like dox, ejs, step, async, gleak, integra, request, markdown, nodeunit,optimist, and uglify-js that are used for documentation, templating, asynchronous control flow, memory leak detection, integration testing, HTTP requests, markdown parsing, unit testing, argument parsing, and JavaScript minification, respectively. The optional dependencies remain identical.
For developers, upgrading to version 1.4.10 primarily entails assessing the implications of the kerberos and bson dependency updates within their applications. A thorough review of the change logs and relevant documentation for these dependencies is recommended to ensure seamless integration and avoid unforeseen issues. The update promises a potentially more robust and secure experience, especially in environments utilizing Kerberos authentication.
All the vulnerabilities related to the version 1.4.10 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
DLL Injection in kerberos
Version of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to create a file with the same name in a folder that precedes the intended file in the DLL path search. Doing so would allow attackers to execute arbitrary code in the machine.
Upgrade to version 1.0.0 or later.
