[SERVER-4216] [SECURITY] mongodb 10gen debian package listens on all interfaces by default - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical - P2
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.6.0-rc0
Component/s: Packaging, Security
Labels:
None
Environment:
Debian Testing

Backwards Compatibility:
Fully Compatible
Operating System:
Linux
Sprint:
Security [00-02-20-15]

Description

The default install of mongodb from the repo:
http://downloads-distro.mongodb.org/repo/debian-sysvinit

Does not have a "bind_ip 127.0.0.1" option set in the mongodb.conf. This leaves a users server vulnerable if they are not aware of this setting. The default should be to lockdown as much as possible and only expose if the user requests it.

Attachments

Issue Links

is related to

SERVER-792 Bind to localhost by default in RPM and debs only

Closed

Activity

People

Assignee:: Andreas Nilsson

Reporter:: Roman Shtylman

Participants:: Andreas Nilsson, Eliot Horowitz, Roman Shtylman

Votes:: 2 Vote for this issue

Watchers:: 12 Start watching this issue

Dates

Created:: Nov 04 2011 05:55:10 PM UTC

Updated:: Jul 11 2016 06:35:26 PM UTC

Resolved:: Apr 08 2014 02:49:26 AM UTC