Release notes 7.0.37-20

docs/release_notes/7.0.37-20.md

@@ -0,0 +1,63 @@
+---
+version: 7.0.37-20
+---
+
+# Percona Server for MongoDB {{ page.meta.version }} ({{date.7_0_37}})
+
+[Installation](../install/index.md){.md-button}
+[Upgrade from MongoDB Community](../install/upgrade-from-mongodb.md){.md-button}
+
+Percona Server for MongoDB {{ page.meta.version }} is an enhanced, source-available, and highly-scalable database that is a fully-compatible, drop-in replacement for MongoDB Community Edition.
+
+Percona Server for MongoDB **{{ page.meta.version }}** includes the improvements and bug fixes of:
+
+- [MongoDB 7.0.37 Community Edition :octicons-link-external-16:](https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.37---june-11--2026){:target="_blank"}
+
+- Supports protocols and drivers of MongoDB Community **7.0.37**.
+
+## Security updates: CVE fixes from upstream MongoDB
+
+This release includes upstream MongoDB security fixes for the following vulnerabilities:
+
+### High severity
+
+- [SERVER-125063 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-125063){:target="_blank"} **(CVE-2026-9740):** A vulnerability in the `BSON` validator allows an unauthenticated user to supply a specially crafted message. Improper handling of nested BSON binary data structures can trigger uncontrolled recursion during validation. This can cause the `mongod` process to terminate, resulting in a denial of service condition.
+
+- [SERVER-124959 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-124959){:target="_blank"} **(CVE-2026-9753):** A vulnerability in the `$_internalApplyOplogUpdate` aggregation pipeline stage allows an authenticated user with access to the aggregate command to supply a specially crafted document diff. A malformed binary diff can trigger out-of-bounds memory access and cause the server to crash.
+
+- [SERVER-123440 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123440){:target="_blank"} **(CVE-2026-9752):** Inserting a document into a collection with a `2dsphere` index can cause a server crash if the indexed field is a `GeoJSON GeometryCollection` containing a Polygon with a strict-winding CRS. During index key generation, the internal guard that rejects top-level strict-winding geometry is bypassed because the server fails to inspect individual collection members. This results in a null pointer being pushed to the region vector and subsequently dereferenced, terminating the server process.
+
+- [SERVER-123633 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123633){:target="_blank"} **(CVE-2026-9750):** A vulnerability in query execution allows an authenticated user to create specially crafted documents that interfere with internal metadata processing. This can cause the server process to terminate unexpectedly and may result in incorrect query results.
+
+- [SERVER-124031 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-124031){:target="_blank"} **(CVE-2026-9749):** Aggregation pipelines that use the internal `$exchange` stage with key-range partitioning can trigger an unexpected condition when processing large numbers of documents for a single key range. This can cause the server process to terminate unexpectedly.
+
+- [SERVER-123951 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123951){:target="_blank"} **(CVE-2026-9748):** Under specific conditions, using the internal `$_internalConvertBucketIndexStats` stage together with `$facet` can cause the mongod process to terminate unexpectedly.
+
+- [SERVER-123918 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123918){:target="_blank"} **(CVE-2026-9747):** A vulnerability triggered by using `fromRouter: true` together with `runtimeConstants.userRoles` can cause the mongod process to terminate unexpectedly.
+
+- [SERVER-124190 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-124190){:target="_blank"} **(CVE-2026-9746):** A vulnerability in the use of `$changeStream`, `$_requestReshardingResumeToken`, and the exchange option can cause the `mongod` process to terminate unexpectedly. An authenticated user can trigger this behavior without requiring any special privileges.
+
+- [SERVER-123507 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123507){:target="_blank"} **(CVE-2026-9741):** Queries using `$vectorSearch` with **Queryable Encryption (QE)** or **Client-Side Field Level Encryption (CSFLE)** can expose sensitive data. Encrypted field values in filter expressions might be transmitted as plaintext, compromising confidentiality.
+
+### Medium severity
+
+- [SERVER-123370 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123370){:target="_blank"} **(CVE-2026-9751):** When the `ldapQueryPassword` parameter is set using the runtime `setParameter` command, the new password value is written to `mongod.log` in plain text. This can expose sensitive credentials in log files.
+
+### Affected versions
+
+These vulnerabilities affect the following versions of MongoDB Community Edition and Percona Server for MongoDB:
+
+- All Percona Server for MongoDB 7.0.x versions
+- MongoDB Community 7.0 versions prior to 7.0.37
+
+## Bugs fixed
+
+- [PSMDB-1977](https://perconadev.atlassian.net/browse/PSMDB-1977): Resolved an issue where Docker-based MongoDB instances could fail to start when replication settings were defined in `mongod.conf`.
+
+## Tools packaged with this release
+
+Percona Server for MongoDB packages the following MongoDB tools:
+
+- MongoDB Shell (mongosh): 2.8.3 — [upstream release notes :octicons-link-external-16:](https://www.mongodb.com/docs/mongodb-shell/changelog/#v2.8.3){:target="_blank"}
+
+- MongoDB Database Tools: 100.17.0 — [upstream release notes :octicons-link-external-16:](https://www.mongodb.com/docs/database-tools/release-notes/dbtools-100.17.0-changelog/){:target="_blank"}

docs/release_notes/index.md

@@ -1,6 +1,8 @@
 
 # Percona Server for MongoDB 7.0 release notes
 
+* [Percona Server for MongoDB 7.0.37-20 ({{date.7_0_37}})](7.0.37-20.md)
+
 * [Percona Server for MongoDB 7.0.34-19 ({{date.7_0_34}})](7.0.34-19.md)
 
 * [Percona Server for MongoDB 7.0.32-18 ({{date.7_0_32}})](7.0.32-18.md)

mkdocs-base.yml

@@ -240,6 +240,7 @@ nav:
       - install/uninstall.md
   - Release notes:
       - "Release notes index": "release_notes/index.md"
+      - release_notes/7.0.37-20.md
       - release_notes/7.0.34-19.md
       - release_notes/7.0.32-18.md
       - release_notes/7.0.31-17.md

variables.yml

@@ -2,7 +2,7 @@
 # See also mkdocs.yml plugins.with-pdf.cover_subtitle and output_path
 
 
-release: '7.0.34-19'
+release: '7.0.37-20'
 version: '7.0'
 mongosh: '2.8.3'
 
@@ -12,6 +12,7 @@ product:
   psmdb_full_name:  Percona Server for MongoDB
 
 date:
+  7_0_37: '2026-06-23'
   7_0_34: '2026-05-20'
   7_0_32: '2026-05-07'
   7_0_31: '2026-03-30'