
Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling



Hi

I'm a member of the Long Term Security team in Debian and I'm following this as I plan to backport the correction to wheezy.

I have a few questions:
1) When do you think you will have a correction available that I can have a look at?
2) How do you plan to handle the "upgrade case", that is, will you try to change the permission on an already created history file or will you just handle the creation case?
3) If you plan to handle the "upgrade case", will you just change it in case the file is world readable? I mean some may want this group readable for some reason.
4) Or do you plan to just change the umask from the default?
5) In case you just handle the creation case, do you think it should be handled in upgrade in some way, or should we document this in the security advisory?

Thanks in advance

// Ola


--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
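
The upgrade case and the creation case raised in questions 2 to 4, sketched as an added example that is not part of the original message or of the Debian package. It assumes home directories sit directly under the given base directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Debian's or MongoDB's code.
# Assumption: home directories sit directly under the directory passed in.

# fix_dbshell_perms BASE  (hypothetical name)
# Upgrade case: remove "other" access from every world-readable
# BASE/*/.dbshell and print how many files were changed.
# Owner and group bits are left alone, so a group-readable file stays so.
fix_dbshell_perms() {
    base=$1
    fixed=0
    for f in "$base"/*/.dbshell; do
        # Skip an unmatched glob, and skip symlinks: a maintainer script
        # runs as root and chmod would act on the link target.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # find prints the path only if the other-read bit (004) is set.
        if [ -n "$(find "$f" -prune -perm -004)" ]; then
            chmod o-rwx "$f"
            fixed=$((fixed + 1))
        fi
    done
    echo "$fixed"
}

# new_history_file PATH  (hypothetical name)
# Creation case: a restrictive umask in a subshell makes a new file 0600,
# but the mode of a file that already exists is not changed by it.
new_history_file() {
    ( umask 077 && : >> "$1" )
}

# Example call on a real system (not run here):
#   fix_dbshell_perms /home
```

A fix that only covers creation leaves files written by earlier versions at their old mode, which is why the upgrade pass is a separate step.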

