RN-6.0.29-23

docs/release_notes/6.0.29-23.md

@@ -0,0 +1,66 @@
+---
+version: 6.0.29-23
+---
+
+# Percona Server for MongoDB {{ page.meta.version }} ({{date.6_0_29}})
+
+[Installation](../install/index.md){.md-button}
+[Upgrade from MongoDB Community](../install/upgrade-from-mongodb.md){.md-button}
+
+Percona Server for MongoDB {{ page.meta.version }} is an enhanced, source-available, and highly-scalable database that is a fully-compatible, drop-in replacement for MongoDB Community Edition.
+
+Percona Server for MongoDB **{{ page.meta.version }}** includes the improvements and bug fixes of:
+
+- Supports protocols and drivers of MongoDB Community **6.0.29**.
+
+## Upgrade recommendation
+
+This release contains multiple high-severity security fixes affecting all Percona Server for MongoDB 7.0.x versions. We strongly recommend upgrading to version {{ page.meta.version }} as soon as possible.
+
+## Improvements
+
+- [PSMDB-2038](https://perconadev.atlassian.net/browse/PSMDB-2038): Percona Server for MongoDB now exposes LDAP `userToDN` cache statistics through the serverStatus command. These metrics provide visibility into cache utilization and effectiveness, helping administrators troubleshoot LDAP authentication latency, validate cache behavior after configuration changes, and optimize cache sizing for their workloads. The new `ldap.userToDNCache` section reports runtime information such as cache usage, hits, misses, and invalidations, making LDAP authentication performance easier to monitor and tune.
+
+## Security updates: CVE fixes from upstream MongoDB
+
+### Affected versions
+
+These vulnerabilities affect the following versions:
+
+- All Percona Server for MongoDB 6.0.x versions
+
+### High severity
+
+- [SERVER-128125 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-128125){:target="_blank"} **(CVE-2026-11933):** A **use-after-free** vulnerability was identified in MongoDB Server’s server-side JavaScript engine when converting `BSON` documents to JavaScript arrays. An authenticated user with read privileges who can execute server-side JavaScript (e.g., via `$where` or `$function`) may trigger access to freed memory, which could result in information disclosure from the `mongod` process memory or a denial of service through a server crash.
+
+- [SERVER-125063 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-125063){:target="_blank"} **(CVE-2026-9740):** A vulnerability in the `BSON` validator allows an unauthenticated user to supply specially crafted input that could cause the `mongod` process to terminate unexpectedly, resulting in a denial-of-service condition.
+
+- [SERVER-124959 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-124959){:target="_blank"} **(CVE-2026-9753):** A vulnerability in the `$_internalApplyOplogUpdate` aggregation stage allows an authenticated user to supply specially crafted input that could cause the server process to terminate unexpectedly.
+
+- [SERVER-123440 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123440){:target="_blank"} **(CVE-2026-9752):** Inserting specially crafted documents into a collection with a `2dsphere` index could cause the `mongod` process to terminate unexpectedly, leading to a server crash.
+
+- [SERVER-123633 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123633){:target="_blank"} **(CVE-2026-9750):** A vulnerability in query execution allows an authenticated user to create specially crafted documents that interfere with internal metadata processing. This can cause the server process to terminate unexpectedly and may result in incorrect query results.
+
+- [SERVER-124031 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-124031){:target="_blank"} **(CVE-2026-9749):** Aggregation pipelines that use the internal `$exchange` stage with key-range partitioning can trigger an unexpected condition when processing large numbers of documents for a single key range. This can cause the server process to terminate unexpectedly.
+
+- [SERVER-123951 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123951){:target="_blank"} **(CVE-2026-9748):** Under specific conditions, using the internal `$_internalConvertBucketIndexStats` stage together with `$facet` can cause the `mongod` process to terminate unexpectedly.
+
+- [SERVER-123918 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123918){:target="_blank"} **(CVE-2026-9747):** A vulnerability triggered by using `fromRouter: true` together with `runtimeConstants.userRoles` can cause the `mongod` process to terminate unexpectedly.
+
+- [SERVER-124190 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-124190){:target="_blank"} **(CVE-2026-9746):** A vulnerability in the use of `$changeStream`, `$_requestReshardingResumeToken`, and the exchange option can cause the `mongod` process to terminate unexpectedly. An authenticated user can trigger this behavior without requiring any special privileges.
+
+### Medium severity
+
+- [SERVER-123370 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123370){:target="_blank"} **(CVE-2026-9751):** When the `ldapQueryPassword` parameter is set using the runtime `setParameter` command, the new password value is written to `mongod.log` in plain text. This can expose sensitive credentials in log files.
+
+## Bugs fixed
+
+- [PSMDB-1977](https://perconadev.atlassian.net/browse/PSMDB-1977): Resolved an issue where Docker-based MongoDB instances could fail to start when replication settings were defined in `mongod.conf`.
+
+## Tools packaged with this release
+
+Percona Server for MongoDB packages the following MongoDB tools:
+
+- MongoDB Shell (mongosh): 2.8.3 — [upstream release notes :octicons-link-external-16:](https://www.mongodb.com/docs/mongodb-shell/changelog/#v2.8.3){:target="_blank"}
+
+- MongoDB Database Tools: 100.17.0 — [upstream release notes :octicons-link-external-16:](https://www.mongodb.com/docs/database-tools/release-notes/dbtools-100.17.0-changelog/){:target="_blank"}