juju-core

disable mongodb javascript

Bug #1241763 reported by Kapil Thangavelu on 2013-10-18

8

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Fix Released	Medium	Unassigned	Canonical Juju 2.1-rc2
	juju-core	Won't Fix	Medium	Unassigned

Bug Description

we're not using mongodb server side evaluation of javascript, it would be sensible to disable it to avoid the attack surface area. ie pass --noscripting on the cli or via config.b

Tags:

Revision history for this message

Dave Cheney (dave-cheney) wrote on 2013-10-18: Re: [Bug 1241763] [NEW] disable mongodb javascript

#1

Probably useful as the javascript interpreter was the first thing to
break during the 1.10 load testing.

On Sat, Oct 19, 2013 at 5:32 AM, Kapil Thangavelu
<email address hidden> wrote:
> Public bug reported:
>
> we're not using mongodb server side evaluation of javascript, it would
> be sensible to disable it to avoid the attack surface area. ie pass
> --noscripting on the cli or via config.b
>
> ** Affects: juju-core
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to juju-
> core.
> Matching subscriptions: MOAR JUJU SPAM!
> https://bugs.launchpad.net/bugs/1241763
>
> Title:
> disable mongodb javascript
>
> Status in juju-core:
> New
>
> Bug description:
> we're not using mongodb server side evaluation of javascript, it would
> be sensible to disable it to avoid the attack surface area. ie pass
> --noscripting on the cli or via config.b
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/juju-core/+bug/1241763/+subscriptions

Revision history for this message

Curtis Hovey (sinzui) wrote on 2013-10-22:

#2

Fixing this will implicitly fix a cluster of charm bugs caused by libv8 in the cloud-archive.

Changed in juju-core:
status:	New → Triaged
importance:	Undecided → High
tags:	added: cloud-archive packaging
Changed in juju-core:
milestone:	none → 2.0

Canonical Juju QA Bot (juju-qa-bot) on 2014-05-12

Changed in juju-core:
importance:	High → Medium

Revision history for this message

Anastasia (anastasia-macmood) wrote on 2016-10-19:

#3

Re-targeting for Juju 2.x

Changed in juju:
status:	New → Triaged
importance:	Undecided → Medium
milestone:	none → 2.1.0
Changed in juju-core:
status:	Triaged → Won't Fix

Revision history for this message

Curtis Hovey (sinzui) wrote on 2017-02-13:

#4

This might be fixed. The juju-mongo packages do not have JS enabled for the client. The 3.2 server requires it to run wiredtiger.

Revision history for this message

Anastasia (anastasia-macmood) wrote on 2017-02-13:

#5

Marking this as Fix Committed based on the comment # 4.

Feel free to re-open if you know otherwise and provide relevant information.

Changed in juju:
status:	Triaged → Fix Committed

Curtis Hovey (sinzui) on 2017-02-17

tags:

added: tech-debt

Curtis Hovey (sinzui) on 2017-02-22

Changed in juju:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.