
Re: [SECURITY] [DLA 588-1] mongodb security update



On Mon, 2016-08-08 at 11:52 +0200, Ola Lundqvist wrote:
> Package        : mongodb
> Version        : 2.0.6-1+deb7u1
> CVE ID         : CVE-2016-6494
> Debian Bug     : 832908, 833087
> 
> Two security related problems have been found in the mongodb
> package, related to logging.
> 
> CVE-2016-6494
>   World-readable .dbshell history file
> 
> TEMP-0833087-C5410D
>   Bruteforceable challenge responses in unprotected logfile
[...]

This temporary ID is not stable and shouldn't be used in a DLA or DSA.
The Debian bug number, which you already included, is more useful.

Ben.

-- 
Ben Hutchings
Beware of bugs in the above code;
I have only proved it correct, not tried it. - Donald Knuth
