Astro - Hacker News

freakynit 8 minutes ago ago

Gemini generated explanation and simulation of MongoBleed: https://gemini.google.com/share/3529c5bb7d38

gberger 2 hours ago ago

Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?

[-]

joecool1029 an hour ago ago

Had their hands full getting sued the same day: https://news.ycombinator.com/item?id=46403128
cebert 2 hours ago ago

In the US, the last two weeks of December can be slow due to the holiday season. I wouldn’t be surprised if Mongo wasn’t as staffed as usual.
computerfan494 2 hours ago ago

That's a good question. I suppose that posting the commit makes it incredibly obvious how to exploit the issue, so maybe they wanted to wait a little bit longer for their on-prem users who were slow to patch?
[-]
- philipwhiuk an hour ago ago
  
  Posting the CVE and then the patch is the reverse of this.
  [-]
  - computerfan494 an hour ago ago
    
    By "patch" I am talking about the public commit. Updated binaries were made available when the CVE was published.

macintux 2 hours ago ago

bethekidyouwant 2 hours ago ago

Who has mongo open to the internet?

[-]