Your message dated Sun, 12 Feb 2017 22:47:09 +0000
with message-id <e1cd2vf-000fau...@fasolo.debian.org>
and subject line Bug#832908: fixed in mongodb 1:2.4.10-5+deb8u1
has caused the Debian Bug report #832908,
regarding mongodb: CVE-2016-6494: world-readable .dbshell history file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
832908: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mongodb-clients
Version: 2.4.10-5
Severity: grave
Tags: security
During the report on redis-tools
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460), lamby@
linked to a codesearch and the same bug was found in mongodb-clients.
mongodb-clients stores its history in ~/.dbshell; this file is created
with permissions 0644. Home folders are world readable as well in
Debian, so any user can access other users' mongodb history, even though
db.auth commands don't appear to be logged like redis did.
I filed a bug on upstream as well:
https://jira.mongodb.org/browse/SERVER-25335
Demo: `cat /home/*/.dbshell`
--- End Message ---
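The file-permission pattern behind this bug class, as an added C example (not code from the MongoDB shell or from the Debian patch): a history file created through fopen() inherits 0666 & ~umask, i.e. 0644 under the default umask of 022, whereas the hardened form requests 0600 at creation and also tightens an already-existing file with fchmod(). The temporary directory, file names and the sample history line are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path (e.g. 0644), or -1 if it cannot be stat'ed. */
int file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Weak pattern: fopen("a") creates a missing file as 0666 & ~umask, which
 * under the common default umask of 022 gives 0644 (world-readable). */
int append_history_weak(const char *path, const char *line) {
    FILE *f = fopen(path, "a");
    if (!f) return -1;
    fputs(line, f);
    return fclose(f);
}

/* Hardened pattern: ask for 0600 when the file is created and also fchmod()
 * it, because the O_CREAT mode is ignored for a file that already exists. */
int append_history_private(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) != 0 || write(fd, line, strlen(line)) < 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Writes one constructed history line with each variant in a fresh temporary
 * directory; returns 1 if the weak file is world-readable and the hardened one
 * is owner-only, 0 otherwise. */
int demo(void) {
    char dir[] = "/tmp/dbshell-demo-XXXXXX", weak[64], safe[64];
    if (!mkdtemp(dir)) return 0;
    umask(022);                          /* the usual default umask */
    snprintf(weak, sizeof weak, "%s/.dbshell-weak", dir);
    snprintf(safe, sizeof safe, "%s/.dbshell", dir);
    append_history_weak(weak, "show dbs\n");
    append_history_private(safe, "show dbs\n");
    int mw = file_mode(weak), ms = file_mode(safe);
    unlink(weak); unlink(safe); rmdir(dir);
    return mw >= 0 && ms >= 0 && (mw & S_IROTH) && !(ms & 077);
}
```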
--- Begin Message ---
Source: mongodb
Source-Version: 1:2.4.10-5+deb8u1
We believe that the bug you reported is fixed in the latest version of
mongodb, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 832...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <apoi...@debian.org> (supplier of updated mongodb
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 11 Jan 2017 11:17:56 +0200
Source: mongodb
Binary: mongodb mongodb-server mongodb-clients mongodb-dev
Architecture: source
Version: 1:2.4.10-5+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Apollon Oikonomopoulos <apoi...@debian.org>
Description:
mongodb - object/document-oriented database (metapackage)
mongodb-clients - object/document-oriented database (client apps)
mongodb-dev - object/document-oriented database (development)
mongodb-server - object/document-oriented database (server package)
Closes: 832908 833087
Changes:
mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium
.
* Redact key and nonce from auth attempt logs (Closes: #833087)
* Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908)
Checksums-Sha1:
6ed2b5928e8ed601c25fc19b3efee6dc77d9437a 2811 mongodb_2.4.10-5+deb8u1.dsc
0105e9282795ed9d780ae5efb6586c9108f0180b 57220 mongodb_2.4.10-5+deb8u1.debian.tar.xz
Checksums-Sha256:
7c5b1ec310c3167e8cb2f29b62ac625dc1f5432d0ecbe42d92d08aa496cf4a92 2811 mongodb_2.4.10-5+deb8u1.dsc
9db03eb4de977a690e679edac9a5c0810c11fd15865b3faa203fea3c6cd12b21 57220 mongodb_2.4.10-5+deb8u1.debian.tar.xz
Files:
f8ee704885bbc85b0ac04d76123c9d43 2811 database optional mongodb_2.4.10-5+deb8u1.dsc
60bf0e4460a40674ecfd605f2f407381 57220 database optional mongodb_2.4.10-5+deb8u1.debian.tar.xz
--- End Message ---