Bug 927536 (CVE-2013-1892)
Summary: | CVE-2013-1892 MongoDB: Server Side JavaScript Includes allow Remote Code Execution | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | Keywords: | Security |
Severity: | high | Priority: | high |
Version: | unspecified | Doc Type: | Bug Fix |
Hardware: | All | OS: | Linux |
Last Closed: | 2014-09-07 05:08:24 UTC | Bug Blocks: | 928628 |
Bug Depends On: | 928192, 928193, 928194, 928195, 928639, 928640, 928641, 969587 | | |
CC: | admiller, bkearney, bleanhar, bressers, bretm, ccoleman, cpelland, dajohnso, dmcphers, esammons, iboverma, jeckersb, jialiu, jim, jlieskov, jslagle, katello-internal, lmeyer, mcressma, mjc, mmccune, mmcgrath, morazi, mrg-program-list, nathaniel, tdawson, whayutin | | |

Description
Kurt Seifried
2013-03-26 07:19:51 UTC
Has this been tried on Fedora's mongodb? I ask that because we use v8 instead of spidermonkey, but I'm not positive that our version of mongodb didn't get something slipped in.

Created mongodb tracking bugs for this issue

Affects: epel-all [bug 928192]

Created mongodb tracking bugs for this issue

Affects: fedora-all [bug 928193]

References: http://www.openwall.com/lists/oss-security/2013/03/25/7

Relevant upstream tracker: https://jira.mongodb.org/browse/SERVER-9124

Removed due to typo.

This issue has been addressed in the following products:

MRG for RHEL-6 v.2

Via RHSA-2013:1170 https://rhn.redhat.com/errata/RHSA-2013-1170.html

Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Important security impact, however as used in RHUI this issue is not exposed to untrusted users, as such it is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.