Your message dated Tue, 09 Aug 2016 22:26:49 +0000
with message-id <e1bxfu1-0008fh...@franck.debian.org>
and subject line Bug#832908: fixed in mongodb 1:2.6.12-3
has caused the Debian Bug report #832908,
regarding mongodb: CVE-2016-6494: world-readable .dbshell history file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
832908: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mongodb-clients
Version: 2.4.10-5
Severity: grave
Tags: security

During the report on redis-tools
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460), lamby@
linked to a codesearch and the same bug was found in mongodb-clients.

mongodb-clients stores its history in ~/.dbshell; this file is created
with permissions 0644. Home folders are world readable as well in
Debian, so any user can access other users' mongodb history, even though
db.auth commands don't appear to be logged like redis did.

I filed a bug on upstream as well:
https://jira.mongodb.org/browse/SERVER-25335

Demo: `cat /home/*/.dbshell`

--- End Message ---
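Between the report above and the maintainer's closing message, an added illustration in C of the two halves of this issue. It is not code from either message, from the MongoDB shell or from the Debian patch; the function names, the temporary directory and the sample history line are all constructed here. It shows a hardened open that creates the history file 0600 and tightens an existing wide one (what the changelog entry "prevent group and other access to .dbshell" amounts to), and an audit check a defender can point at each user's ~/.dbshell to find files an unpatched client left behind.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open for a shell history file: no group or other access.
 * Passing 0600 to open() covers the create case; the fchmod() covers a file
 * that already exists with the wide 0644 mode left behind by an earlier,
 * unpatched run.  Work on the descriptor, not the path, so the file cannot be
 * swapped between the check and the chmod.  (Illustrative code, not MongoDB's.) */
int open_history_private(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0 && fchmod(fd, S_IRUSR | S_IWUSR) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Audit check: 1 if group or other can read the file, 0 if it is private,
 * -1 if it cannot be stat'ed.  lstat() so a symlink is judged on its own bits
 * rather than on whatever it points at. */
int history_is_exposed(const char *path) {
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

/* Demonstration: recreate the reported condition (a 0644 history file) in a
 * private temporary directory, confirm the audit flags it, then run the
 * hardened open and confirm the file ends up 0600.  Returns 0 when every step
 * behaves as expected, a negative code naming the failing step otherwise. */
int demo(void) {
    char dir[] = "/tmp/dbshell-demo-XXXXXX";   /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/.dbshell", dir);

    /* Insecure create, as the unpatched client did.  umask(0) makes the 0644
     * land exactly regardless of the caller's umask, so the demo is deterministic. */
    mode_t saved = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    umask(saved);
    int rc = 0;
    if (fd < 0) {
        rc = -2;
    } else {
        const char line[] = "db.test.find()\n";  /* constructed sample history line */
        if (write(fd, line, sizeof line - 1) != (ssize_t)(sizeof line - 1))
            rc = -3;
        close(fd);
    }
    if (rc == 0 && history_is_exposed(path) != 1)
        rc = -4;  /* the audit must flag a 0644 history file */
    if (rc == 0) {
        fd = open_history_private(path);
        if (fd < 0)
            rc = -5;
        else
            close(fd);
    }
    if (rc == 0 && history_is_exposed(path) != 0)
        rc = -6;  /* after hardening the file must be private */

    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = demo();
    printf("%s (rc=%d)\n", rc == 0 ? "history file hardened to 0600" : "demo failed", rc);
    return rc == 0 ? 0 : 1;
}
```

The fchmod() step is what distinguishes a complete fix from one that only changes the creation mode: users who ran the unpatched client already have a 0644 file, and a new mode on open() does nothing for an existing file.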
--- Begin Message ---
Source: mongodb
Source-Version: 1:2.6.12-3

We believe that the bug you reported is fixed in the latest version of
mongodb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated mongodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 08 Aug 2016 21:56:32 +0000
Source: mongodb
Binary: mongodb mongodb-server mongodb-clients
Architecture: source amd64
Version: 1:2.6.12-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 mongodb    - object/document-oriented database (metapackage)
 mongodb-clients - object/document-oriented database (client apps)
 mongodb-server - object/document-oriented database (server package)
Closes: 832908
Changes:
 mongodb (1:2.6.12-3) unstable; urgency=high
 .
   * Fix CVE-2016-6494, prevent group and other access to .dbshell
     (closes: #832908).
Checksums-Sha1:
 15971b52c299b7c6ee59d9944d22262388b0c999 2738 mongodb_2.6.12-3.dsc
 d19c2e03cf445e197e0bd2bc28f9b08be3309c47 53000 mongodb_2.6.12-3.debian.tar.xz
 2859ad4ca521169e02035c52386d0d7a9ab2ce9b 1255815488 mongodb-clients-dbgsym_2.6.12-3_amd64.deb
 8fdfe5a132d4ac364a93943e8422a3a311fbea98 47043808 mongodb-clients_2.6.12-3_amd64.deb
 3427389cd93143fa5d1ff812d60832c1746bfc84 178246036 mongodb-server-dbgsym_2.6.12-3_amd64.deb
 1681cb59efc82a229a7359967023193a215d440f 7216400 mongodb-server_2.6.12-3_amd64.deb
 514b73f0cffcb910e60f378a5750ba094dd72238 16994 mongodb_2.6.12-3_amd64.deb
Checksums-Sha256:
 fbb0c2ef8b3c151d6e6f67cc97b2ad0501499386b5b62aa08468373ff26566b5 2738 mongodb_2.6.12-3.dsc
 b534195da23b96936c1d702f4fac9edc516ac83737b9ec9bdce7324ac3b08c0d 53000 mongodb_2.6.12-3.debian.tar.xz
 7017bcdadda0f32af1ee6ce1b7fada5c81a6397d997631c0c6d9fdd3d6557023 1255815488 mongodb-clients-dbgsym_2.6.12-3_amd64.deb
 c757867ad5b391e7088d0be5c018b7b4cbef20900c59fc835e92a27faa4be0ff 47043808 mongodb-clients_2.6.12-3_amd64.deb
 5bbf4005b5ca3be8a321d185dde5de72d1d9ca7fa90819ba64e5d62702266c21 178246036 mongodb-server-dbgsym_2.6.12-3_amd64.deb
 2ce9e01a4747e06f3b160c9a0c52464613faf6102bb88e88d6e7808ddd676233 7216400 mongodb-server_2.6.12-3_amd64.deb
 df480f6ca6c22409bd1dc6c2120be02e9726793f94773a0fa2baf70df1aac241 16994 mongodb_2.6.12-3_amd64.deb
Files:
 bf33b695c54c99b71c92345ff5181d1e 2738 database optional mongodb_2.6.12-3.dsc
 c1bf57240f0a679bf96c0696ae4b4841 53000 database optional mongodb_2.6.12-3.debian.tar.xz
 40d2974b66c2a9b1c7859f71a660716b 1255815488 debug extra mongodb-clients-dbgsym_2.6.12-3_amd64.deb
 36a9205c8fe7c9e75df8c7a82314118f 47043808 database optional mongodb-clients_2.6.12-3_amd64.deb
 1a50e5879ebbbd7fe6ecaae0d15e0217 178246036 debug extra mongodb-server-dbgsym_2.6.12-3_amd64.deb
 3206ea83f7b1e367d935740a64a5f6ec 7216400 database optional mongodb-server_2.6.12-3_amd64.deb
 6f08aa96f355e8272ab10c906c471953 16994 database optional mongodb_2.6.12-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXqf46AAoJENzjEOeGTMi/UVgQAJZdrSSYjbxjuLKbtY2O97hH
dA3NpRdiGQhq0J5MmL3h+tiyA7NqTnqssWOHtHZfmqhW422FeRTpOL/AE1L6OWmy
LyBQ/zLMVHJcIlJdzMJvY9BKBTzJegLPsdZlNJGE5xwQtHo3PxQnfsAFILJwXv1K
jmw2eTy/0hps0IVISpxWdvlaRODkuJcQbClVyrNKVI1iG/ib0CU+QcmnOk/5T1ba
fj0ZzD4pahccxLf88pUV3f2uURM2WLbqYZpTNf0k+dzXcLkW+qsEW/TZnUq4SnZT
sNkspM5yWmFHnKm8hZdRwmKqQb3FEAylDl428k088p4YhXJusils3lVh1m09xmSA
ij+UgJLx2atiNYO5lXV7Ti4/MSVpm9BdcHHjwsY/GgZ59A5+Py9HzUPUt+QEVTQF
bVZHyHAnhwV6ProayiqQirGCsndUP+HFNM3AjOQXThJbGdS5HcMin5aRWga6TiFu
s5RSp21cxZUdTB1LYLohqPeaPnW+PKAfUrvs+YqIM9p9TwFpSAgMW8J3jQCNuX4r
yHR11NZjxhXdBSLF+Kjvduxi4LPhkEn4kkeQ7A4LfHGBsy6J0CTOmJzj6hsTBwoD
uD1Zmon/nnxT2C8tjYEF6kKlmJ3+lvQ4jkBwSBopw+tVMK7zKFLtFhGFEpyOx+uU
okqsefq+mEoFkBs2GLhh
=kFkF
-----END PGP SIGNATURE-----

--- End Message ---