|
| 1 | +version: 6.0.29-23 |
| 2 | +--- |
| 3 | + |
| 4 | +# Percona Server for MongoDB {{ page.meta.version }} ({{date.6_0_29}}) |
| 5 | + |
| 6 | +[Installation](../install/index.md){.md-button} |
| 7 | +[Upgrade from MongoDB Community](../install/upgrade-from-mongodb.md){.md-button} |
| 8 | + |
| 9 | +Percona Server for MongoDB {{ page.meta.version }} is an enhanced, source-available, and highly-scalable database that is a fully-compatible, drop-in replacement for MongoDB Community Edition. |
| 10 | + |
| 11 | +Percona Server for MongoDB **{{ page.meta.version }}** includes the updates from [MongoDB 6.0.29 Community Edition :octicons-link-external-16:](https://www.mongodb.com/docs/v6.0/release-notes/6.0-changelog/#6.0.29-changelog){:target="_blank"}. It also supports the protocols and drivers of MongoDB Community **6.0.29**. |
| 12 | + |
| 13 | +## Upgrade recommendation |
| 14 | + |
| 15 | +This release contains a **high-severity security fix** affecting all Percona Server for MongoDB 6.0.x versions. We strongly recommend **upgrading to version {{ page.meta.version }}** as soon as possible. |
| 16 | + |
| 17 | +## Security update |
| 18 | + |
| 19 | +- [SERVER-128125 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-128125){:target="_blank"} **(CVE-2026-11933):** A **use-after-free** vulnerability was identified in MongoDB Server’s server-side JavaScript engine when converting `BSON` documents to JavaScript arrays. An authenticated user with read privileges who can execute server-side JavaScript (e.g., via `$where` or `$function`) may trigger access to freed memory, which could result in information disclosure from the `mongod` process memory or a denial of service through a server crash. |
| 20 | + |
| 21 | +## Tools packaged with this release |
| 22 | + |
| 23 | +Percona repackages the upstream MongoDB Shell (`mongosh`) as `percona-mongodb-mongosh`, updating all copyright, authorship, and branding under the full product name "Percona MongoDB Shell." |
| 24 | + |
| 25 | +Percona also repackages and patches Mongo Tools. In this release, we've updated embedded Go libraries in the `mongodump` binary to address 15 security (severity from medium to critical) vulnerabilities: |
| 26 | + |
| 27 | +- `golang.org/x/crypto` updated from **v0.45.0** to **v0.52.0** — fixes [CVE-2026-39827 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39827){:target="_blank"}, [CVE-2026-39828 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39828){:target="_blank"}, [CVE-2026-39829 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39829){:target="_blank"}, [CVE-2026-39830 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39830){:target="_blank"}, [CVE-2026-39835 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39835){:target="_blank"}, [CVE-2026-42508 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-42508){:target="_blank"}, [CVE-2026-46595 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-46595){:target="_blank"}, [CVE-2026-46597 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-46597){:target="_blank"} |
| 28 | +- `golang.org/x/net` updated from **v0.47.0** to **v0.55.0** — fixes [CVE-2026-25680 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-25680){:target="_blank"}, [CVE-2026-25681 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-25681){:target="_blank"}, [CVE-2026-27136 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-27136){:target="_blank"}, [CVE-2026-33814 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-33814){:target="_blank"}, [CVE-2026-39821 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39821){:target="_blank"}, [CVE-2026-42502 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-42502){:target="_blank"}, [CVE-2026-42506 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-42506){:target="_blank"} |
| 29 | + |
| 30 | +| **Tool** | **Base version** | **Release notes** | |
| 31 | +|---|---|---| |
| 32 | +| MongoDB Shell (`mongosh`) | 2.8.3 | [upstream release notes :octicons-link-external-16:](https://www.mongodb.com/docs/mongodb-shell/changelog/#v2.8.3){:target="_blank"} | |
| 33 | +| Mongo Tools | 100.17.0 | [upstream release notes :octicons-link-external-16:](https://www.mongodb.com/docs/database-tools/release-notes/dbtools-100.17.0-changelog/){:target="_blank"} | |
0 commit comments