Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Critical - P2
Fix Version/s: 2.6.0-rc0
Affects Version/s: None
Component/s: Packaging, Security
Labels:
None
Environment:
Debian Testing

Backwards Compatibility:
Fully Compatible
Operating System:
Linux
Sprint:
Security [00-02-20-15]
Confidence Status:
None
Work Order:
0

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

The default install of mongodb from the repo:
http://downloads-distro.mongodb.org/repo/debian-sysvinit

Does not have a "bind_ip 127.0.0.1" option set in the mongodb.conf. This leaves a users server vulnerable if they are not aware of this setting. The default should be to lockdown as much as possible and only expose if the user requests it.

is related to

SERVER-792 Bind to localhost by default in RPM and debs only

Closed

Assignee:: Andreas Nilsson (Inactive)
Reporter:: Roman Shtylman
Participants:: Andreas Nilsson, Eliot Horowitz, Roman Shtylman
Votes:: 2 Vote for this issue
Watchers:: 12 Start watching this issue

Created:: Nov 04 2011 05:55:10 PM UTC
Updated:: Jul 11 2016 06:35:26 PM UTC
Resolved:: Apr 08 2014 02:49:26 AM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates