Re: Does CVE-2015-1609 apply to squeeze's version of mongodb?

Hi Raphaël, others,

On Tue, Mar 10, 2015 at 4:24 PM, Raphael Hertzog <hertzog@debian.org> wrote:
> I'm wondering whether CVE-2015-1609 is affecting the squeeze version. The
> code base is vastly different between 1.4.4 and the current supported
> releases.
I think it's not affected, but I'm not a security expert and don't
have the exploit to test it against 1.4.x versions. I think the
Wheezy version (v2.0) is not affected either. BSON support is modularized in
it, but I can't find the affected file or the function in the source.
It would be much better if someone with more security knowledge
approved or refuted me on this matter.

> The upstream announcement mentions that it affects all "production releases"
> but 1.4.4 is not part of the current production releases AFAIU.
Sure, 1.4.4 is way too old, released in June 2010. As far as I know, versions 2.4 to
3.0 are supported. But to answer your question, BSON support
was already part of MongoDB at that time. It was integrated and was not a
separate part of the project as it is now. I think the modularity
came somewhere before the 2.0 versions (it was incremental in between,
1.5, 1.6 to 1.9 and so on).

> I don't have any specific knowledge of that codebase and would like to
> have your analysis on this issue.
Beware, I don't have detailed knowledge of the source either, as I'm not
affiliated with MongoDB, Inc. in any way.
