  1. Core Server
  2. SERVER-4216

[SECURITY] mongodb 10gen debian package listens on all interfaces by default

Details

    • Bug
    • Resolution: Done
    • Critical - P2
    • 2.6.0-rc0
    • None
    • Packaging, Security
    • None
    • Debian Testing
    • Fully Compatible
    • Linux
    • Security [00-02-20-15]

    Description

      The default install of mongodb from the repo:
      http://downloads-distro.mongodb.org/repo/debian-sysvinit

      does not have a "bind_ip 127.0.0.1" option set in the mongodb.conf. This leaves a user's server vulnerable if they are not aware of this setting. The default should be to lock down as much as possible and only expose if the user requests it.
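
A way to check an installed config for the condition described above, as an added example that is not part of the original report or the MongoDB packaging. It assumes the legacy `key = value` mongodb.conf format with `#` comments; the function name `audit_bind_ip` is hypothetical and the config path is passed as an argument.

```shell
#!/bin/sh
# Classify the bind_ip setting of a legacy (key = value) mongodb.conf.
# Prints "unset", "loopback" or "exposed:<addresses>".
# Exit status is 0 only when every configured address is loopback.
# The body runs in a subshell so IFS and set -f do not leak to the caller.
audit_bind_ip() (
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; exit 2; }

    # Collect the value of every uncommented bind_ip line, dropping trailing
    # comments and blanks, and join the lines into one comma-separated list.
    value=$(sed -n 's/^[[:space:]]*bind_ip[[:space:]]*[=[:space:]][[:space:]]*\([^#]*\).*$/\1/p' "$conf" \
            | tr -d ' \t' | tr '\n' ',')

    seen=0
    exposed=""
    set -f          # no glob expansion while splitting the list
    IFS=,
    for addr in $value; do
        case $addr in
            '') ;;                                  # empty field, ignore
            127.*|::1|localhost) seen=1 ;;          # loopback (127/8 prefix match)
            *) seen=1; exposed="${exposed:+$exposed,}$addr" ;;
        esac
    done

    if [ "$seen" -eq 0 ]; then
        echo "unset"    # no bind_ip: the default the report describes
        exit 1
    fi
    if [ -n "$exposed" ]; then
        echo "exposed:$exposed"
        exit 1
    fi
    echo "loopback"
)
```

A commented-out `#bind_ip = 127.0.0.1` line is reported as `unset`, since it has no effect on the running server.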

          People

            andreas.nilsson Andreas Nilsson
            shtylman Roman Shtylman