Re: [SECURITY] [DLA 588-1] mongodb security update
On Mon, 2016-08-08 at 11:52 +0200, Ola Lundqvist wrote:
> Package: mongodb
> Version: 2.0.6-1+deb7u1
> CVE ID : CVE-2016-6494
> Debian Bug : 832908, 833087
>
> Two security related problems have been found in the mongodb
> package, related to logging.
>
> CVE-2016-6494
> World-readable .dbshell history file
>
> TEMP-0833087-C5410D
> Bruteforcable challenge responses in unprotected logfile
[...]

This temporary ID is not stable and shouldn't be used in a DLA or DSA.
The Debian bug number, which you already included, is more useful.

Ben.

--
Ben Hutchings
Beware of bugs in the above code;
I have only proved it correct, not tried it. - Donald Knuth
Re: [SECURITY] [DLA 588-1] mongodb security update
Hi Ben

Thank you for this information. Very good to know.

/ Ola

Sent from a phone

On 8 Aug 2016 23:29, "Ben Hutchings" wrote:

> On Mon, 2016-08-08 at 11:52 +0200, Ola Lundqvist wrote:
> > Package: mongodb
> > Version: 2.0.6-1+deb7u1
> > CVE ID : CVE-2016-6494
> > Debian Bug : 832908, 833087
> >
> > Two security related problems have been found in the mongodb
> > package, related to logging.
> >
> > CVE-2016-6494
> > World-readable .dbshell history file
> >
> > TEMP-0833087-C5410D
> > Bruteforcable challenge responses in unprotected logfile
> [...]
>
> This temporary ID is not stable and shouldn't be used in a DLA or DSA.
> The Debian bug number, which you already included, is more useful.
>
> Ben.
>
> --
> Ben Hutchings
> Beware of bugs in the above code;
> I have only proved it correct, not tried it. - Donald Knuth
Re: [SECURITY] [DLA 588-1] mongodb security update
On 2016-08-08 10:52, Ola Lundqvist wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Package: mongodb
> Version: 2.0.6-1+deb7u1

wheezy already has 2.0.6-1.1, which is a higher version.

Regards,

Adam
Re: [SECURITY] [DLA 588-1] mongodb security update
Oh. I was not aware . had precedence over +.
I'll make a new upload and a new DLA.

Sent from a phone

On 9 Aug 2016 18:47, "Adam D. Barratt" wrote:

> On 2016-08-08 10:52, Ola Lundqvist wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Package: mongodb
>> Version: 2.0.6-1+deb7u1
>>
>
> wheezy already has 2.0.6-1.1, which is a higher version.
>
> Regards,
>
> Adam
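
The ordering rule behind the version correction in this thread, as an added example that is not part of the original messages: a minimal Python implementation of the Debian Policy version comparison (epoch, upstream version, revision), assuming ASCII version strings. The function names and the third sample version are constructed for illustration.

```python
import re
from itertools import zip_longest

def _weight(ch):
    """Sort weight of one character inside a non-digit run."""
    if ch == "":
        return 0              # end of the run
    if ch == "~":
        return -1             # tilde sorts before everything, even the end
    if ch.isalpha():
        return ord(ch)        # letters sort before punctuation
    return ord(ch) + 256      # '+' (43) and '.' (46) keep their ASCII order

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings: <0, 0 or >0."""
    chunks_a = re.findall(r"([^0-9]*)([0-9]*)", a)
    chunks_b = re.findall(r"([^0-9]*)([0-9]*)", b)
    for (sa, na), (sb, nb) in zip_longest(chunks_a, chunks_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return _weight(ca) - _weight(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three fields."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return <0 if a sorts before b, 0 if equal, >0 if a sorts after b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

if __name__ == "__main__":
    # First candidate is from the thread; the second is a constructed sample.
    for cand in ("2.0.6-1+deb7u1", "2.0.6-1.1+deb7u1"):
        print(cand, "supersedes 2.0.6-1.1:", compare_versions(cand, "2.0.6-1.1") > 0)
```

A security upload whose version does not sort above the one already in the suite is not picked up as an upgrade, which is why the comparison matters before a DLA is announced.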