29 points | by plorkyeran 2 hours ago
9 comments
Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?
Had their hands full getting sued the same day: https://news.ycombinator.com/item?id=46403128
In the US, the last two weeks of December can be slow due to the holiday season. I wouldn’t be surprised if Mongo wasn’t as staffed as usual.
That's a good question. I suppose that posting the commit makes it incredibly obvious how to exploit the issue, so maybe they wanted to wait a little bit longer for their on-prem users who were slow to patch?
Posting the CVE and then the patch is the reverse of this.
By "patch" I am talking about the public commit. Updated binaries were made available when the CVE was published.
1 day ago, 116 comments: https://news.ycombinator.com/item?id=46414475
Who has mongo open to the internet?
Ubisoft does
Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?
Had their hands full getting sued the same day: https://news.ycombinator.com/item?id=46403128
In the US, the last two weeks of December can be slow due to the holiday season. I wouldn’t be surprised if Mongo wasn’t as staffed as usual.
That's a good question. I suppose that posting the commit makes it incredibly obvious how to exploit the issue, so maybe they wanted to wait a little bit longer for their on-prem users who were slow to patch?
Posting the CVE and then the patch is the reverse of this.
By "patch" I am talking about the public commit. Updated binaries were made available when the CVE was published.
1 day ago, 116 comments: https://news.ycombinator.com/item?id=46414475
Who has mongo open to the internet?
Ubisoft does