[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DLA 588-1] mongodb security update

Hi Ben

Thank you for this information. Very good to know.

/ Ola

Sent from a phone

Den 8 aug 2016 23:29 skrev "Ben Hutchings" <ben@decadent.org.uk>:
On Mon, 2016-08-08 at 11:52 +0200, Ola Lundqvist wrote:
> Package        : mongodb
> Version        : 2.0.6-1+deb7u1
> CVE ID         : CVE-2016-6494
> Debian Bug     : 832908, 833087
> Two security related problems have been found in the mongodb
> package, related to logging.
> CVE-2016-6494
>   World-readable .dbshell history file
> TEMP-0833087-C5410D
>   Bruteforcable challenge responses in unprotected logfile

This temporary ID is not stable and shouldn't be used in a DLA or DSA.
The Debian bug number, which you already included, is more useful.


Ben Hutchings
Beware of bugs in the above code;
I have only proved it correct, not tried it. - Donald Knuth

Reply to: