Security Advisory Important: mongodb and pymongo security and enhancement update

Advisory: RHSA-2013:1170-1
Type: Security Advisory
Severity: Important
Issued on: 2013-08-21
Last updated on: 2013-08-21
Affected Products: Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)
CVEs (cve.mitre.org): CVE-2013-1892
CVE-2013-2132

Details

Updated mongodb and pymongo packages that fix two security issues and add
one enhancement are now available for Red Hat Enterprise MRG 2.3 for Red
Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

MongoDB is a NoSQL database. PyMongo provides tools for working with
MongoDB.

A flaw was found in the run() function implementation in MongoDB. A
database user permitted to send database queries to a MongoDB server could
use this flaw to crash the server or, possibly, execute arbitrary code with
the privileges of the mongodb user. (CVE-2013-1892)

A NULL pointer dereference flaw was found in PyMongo. An invalid DBRef
record received from a MongoDB server could cause an application using
PyMongo to crash. (CVE-2013-2132)

Note: In Red Hat Enterprise MRG Grid, MongoDB is not accessed by users
directly and is only accessed by other Grid services, such as Condor and
Cumin.

This update also adds the following enhancement:

* Previously, MongoDB was configured to listen for connections on all
network interfaces. This could allow remote users to access the database if
the firewall was configured to allow access to the MongoDB port (access is
blocked by the default firewall configuration in Red Hat Enterprise Linux).
This update changes the configuration to only listen on the loopback
interface by default. (BZ#892767)
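To check which listen address a mongod configuration actually sets, here is an added shell example that is not part of this advisory. It assumes the mongod 1.x config-file key bind_ip (a missing bind_ip means all interfaces) and works on three constructed sample files rather than a live system.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit a mongod config file for the
# listen address. Assumes the mongod 1.x config-file key "bind_ip"; no bind_ip
# means every interface. The three sample configs below are constructed.

mongo_bind_status() {
    # Prints "all", "loopback" or "other:<addr>"; returns 0 only for loopback.
    addrs=$(sed -e 's/#.*//' "$1" |
        awk -F= '$1 ~ /^[ \t]*bind_ip[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' |
        tail -n 1)
    [ -n "$addrs" ] || { echo all; return 1; }
    for a in $(printf '%s\n' "$addrs" | tr ',' ' '); do
        case "$a" in
            127.0.0.1|localhost) ;;
            0.0.0.0) echo all; return 1 ;;
            *) echo "other:$a"; return 1 ;;
        esac
    done
    echo loopback
    return 0
}

WORK=$(mktemp -d)
BEFORE_CONF="$WORK/before.conf"   # pre-update layout: no bind_ip at all
AFTER_CONF="$WORK/after.conf"     # post-update layout: loopback only
OPEN_CONF="$WORK/open.conf"       # explicit wildcard, compact syntax

cat > "$BEFORE_CONF" <<'EOF'
logpath = /var/log/mongodb/mongodb.log
dbpath = /var/lib/mongodb
EOF
cat > "$AFTER_CONF" <<'EOF'
logpath = /var/log/mongodb/mongodb.log
dbpath = /var/lib/mongodb
bind_ip = 127.0.0.1
EOF
cat > "$OPEN_CONF" <<'EOF'
dbpath = /var/lib/mongodb
bind_ip=0.0.0.0   # listen everywhere
EOF

audit_all() {
    # Report each file; anything other than "loopback" is what a reviewer flags.
    for f in "$BEFORE_CONF" "$AFTER_CONF" "$OPEN_CONF"; do
        printf '%s: %s\n' "$(basename "$f")" "$(mongo_bind_status "$f")"
    done
}
audit_all
```

Point mongo_bind_status at the real /etc/mongodb.conf to confirm the post-update setting is in effect on a host.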

Users of Red Hat Enterprise MRG 2.3 for Red Hat Enterprise Linux 6 are
advised to upgrade to these updated packages, which contain backported
patches to resolve these issues and add this enhancement. After installing
this update, MongoDB will be restarted automatically.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)

SRPMS:
mongodb-1.6.4-6.el6.src.rpm     MD5: 315dcdb1573b54d6af4c03919c20291d
SHA-256: 276d6f91546190d0eda1c1674583a75e65b0829c271d1c95ad7e18eaec64519b
pymongo-1.9-11.el6.src.rpm     MD5: 13ea3b7165ec8377a6df7484e09ce9f2
SHA-256: a621fe12fb3f7f03e6e0777071d99047e64ed11e3871ef466cd73c796eb798cc
 
IA-32:
mongodb-1.6.4-6.el6.i686.rpm     MD5: 7c06ab991c652c448efd0a2dd27436a6
SHA-256: ae6719baaafd28cd8541945a7ca343369b966bb5450d852c9054badfdb37da87
mongodb-debuginfo-1.6.4-6.el6.i686.rpm     MD5: 3dd14b962e5668e25f0e81ac636e25b1
SHA-256: 512032941b41e5ee64b8a98efbf78f258f896ed966353b7fa3309f51debdd2e7
mongodb-server-1.6.4-6.el6.i686.rpm     MD5: bffa299abcf38ee73d685558c8aa063e
SHA-256: a7768410ecdf59b3f6ad7a7d8cd4e7fd04c5e4ac04efdf8759839b6846bdd810
pymongo-1.9-11.el6.i686.rpm     MD5: 3c3d9aa664fc215007306e0c413d7794
SHA-256: 8e7076b39c677b1697459d3df7bf33b19b6e0bc05b9da94f988fa7a691e8e254
pymongo-debuginfo-1.9-11.el6.i686.rpm     MD5: 946cf8a886b1243e7e03a36562976d31
SHA-256: 6cb2ba6eb3b9eb4057d937c77535ae6b7b31cd9d22da0ef4714816c4e9c2315e
python-bson-1.9-11.el6.i686.rpm     MD5: eaf8a598fa79d7e2413f6a284c69a79a
SHA-256: 24036b4e311ed60773e7f790a0d7efc7d03425e164238d182abb0c56bd19d831
 
x86_64:
mongodb-1.6.4-6.el6.x86_64.rpm     MD5: 73d88e141d27990b4d8f75cbe173af57
SHA-256: 9dd3227628260ae444a7cefd7a451ce947b01d802bc911315fb096c8c92334f3
mongodb-debuginfo-1.6.4-6.el6.x86_64.rpm     MD5: 52b1a0913563b6c0e0e85ddd62d82be1
SHA-256: 5774d85b8e322fbcabdd350f3dd30b1ddadc4ad656ec1a8ace56d2127d3e3a15
mongodb-server-1.6.4-6.el6.x86_64.rpm     MD5: 734457ed8fe83815970c92855fd3e7a3
SHA-256: 77a1fab515d7091d5cf6d2a06cadc67e663f3bf9dd38338080b0c407928b37ac
pymongo-1.9-11.el6.x86_64.rpm     MD5: 3561d4c40177add307ac99af0e9e8248
SHA-256: b5df7d07c025e85d9a3737189b0bd9672e4c21684b5e087ba4731d8964d2c97a
pymongo-debuginfo-1.9-11.el6.x86_64.rpm     MD5: a25ccfa5dd4a4c2c5ebdf2b651013a9a
SHA-256: a9cd9155e175a48562745d87d6af52c055cc1f337f36f65bb6c9c0b7f40ff0b6
python-bson-1.9-11.el6.x86_64.rpm     MD5: f0e4cdcb4dfbc307e78395306fa61246
SHA-256: d7e99e88c6667e795309c929c453083b60e2c037fc91d93429ddbfb0f204daf8
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

927536 - CVE-2013-1892 MongoDB: Server Side JavaScript Includes allow Remote Code Execution
969560 - CVE-2013-2132 pymongo: null pointer when decoding invalid DBRef


References
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/