Release date:
2026-06-22 19:56:54 UTC
Description:
* SECURITY UPDATE: nine CVE backports
  - debian/patches/CVE-2025-6710.patch: bound JSON parser recursion depth
    in src/mongo/bson/json.{cpp,h} (kMaxDepth=200) to prevent stack
    overflow on deeply nested input.
  - CVE-2025-6710
  - debian/patches/CVE-2025-6711.patch: wrap user-supplied filter
    payloads with redact() in find/distinct/getMore/aggregate/findAndModify
    and query-plan logging to avoid leaking sensitive data through
    diagnostic logs.
  - CVE-2025-6711
  - debian/patches/CVE-2025-6713.patch: register $mergeCursors as
    REGISTER_INTERNAL_DOCUMENT_SOURCE so non-internal clients cannot
    invoke the stage and bypass authorization.
  - CVE-2025-6713
  - debian/patches/CVE-2025-10059.patch: replace invariant with
    tassert(100901) in ShardingTaskExecutor::scheduleRemoteCommandOnAny
    to avoid mongos abort on lsid uid mismatch.
  - CVE-2025-10059
  - debian/patches/CVE-2025-10061.patch: introduce
    assertMergingInputType helper (uassert 9961600) in five accumulators
    to reject mismatched merging-pass input instead of crashing.
  - CVE-2025-10061
  - debian/patches/CVE-2025-13643.patch: tighten killCursors auth check
    against TOCTOU race in commands/killcursors_cmd.cpp,
    cursor_manager, and the mongos sibling path.
  - CVE-2025-13643
  - debian/patches/CVE-2025-14345.patch: guard apiParameters
    preservation in TransactionParticipant::getAPIParameters() to
    block cross-API-version prepared-txn smuggling.
  - CVE-2025-14345
  - debian/patches/CVE-2025-14847.patch: fix MessageCompressorZlib
    to return the actual decompressed length (MongoBleed memory
    disclosure via undersized output reuse).
  - CVE-2025-14847
  - debian/patches/CVE-2026-25609.patch: require the profile filter
    parameter to be unset for the {profile:-1} auth shortcut in
    ProfileCmdBase::checkAuthForCommand, closing a missing-auth gap
    on profile filter installation.
  - CVE-2026-25609
Updated packages:
- mongodb5_5.0.31-1+tuxcare.els7_amd64.deb
  sha:1feb4d6cc80a1669d9dd272b8e22f0aa7329ba06
- mongodb5-mongos_5.0.31-1+tuxcare.els7_amd64.deb
  sha:880fba2e385db7ff52876023d6a1ed62fe39b930
- mongodb5-server_5.0.31-1+tuxcare.els7_amd64.deb
  sha:cbf4954b347d73bd97fd1a9e728d7836659a6b76
- mongodb5-shell_5.0.31-1+tuxcare.els7_amd64.deb
  sha:d38a95f51d24803b6d948390f604d10c62fd21f7
- mongodb5_5.0.31-1+tuxcare.els7_arm64.deb
  sha:cbd3036527bb126c28a9cde97d7e6cb978b85b8a
- mongodb5-mongos_5.0.31-1+tuxcare.els7_arm64.deb
  sha:5095704a38ad48d69ccc4c2050701bb58150516e
- mongodb5-server_5.0.31-1+tuxcare.els7_arm64.deb
  sha:f07b76073063495845aa7a8b4cb1a32aa7cac5a4
- mongodb5-shell_5.0.31-1+tuxcare.els7_arm64.deb
  sha:4c65b8c2cbbf5438ead865ecffd369be8d051bcb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.