Please try to persuade upstream for the fix in https://groups.google.com/forum/#!topic/mongodb-dev/-QR4B7PJ9YY

Thanks,
Marek

On Wed, 3 Aug 2016 23:32:02 +0200 Ola Lundqvist <o...@inguza.com> wrote:
> Hi Jérémy, Laszlo and LTS team
> 
> You have probably seen my latest emails about "Bug#832908: mongodb:
> CVE-2016-6494: world-readable .dbshell history file: LTS update and
> upgrade handling".
> 
> I have now prepared a security update of this CVE-2016-6494 and in
> addition to that TEMP-0833087-C5410D.
> 
> For https://security-tracker.debian.org/tracker/CVE-2016-6494 you can
> find the patch in bug 832908.
> 
> For https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D I
> could not easily backport the fix for sid as the code was considerably
> different. So I made a simpler solution. The upstream fix was to mangle
> only the sensitive data. In wheezy I replaced the whole sensitive string
> with XXX. This means that the logging is not that good anymore but this
> should not impact any application functionality. I do not think most
> people will notice this anyway so I think it is safe.
> 
> Upstream fix looks something like this in the logs:
> Tue Aug  2 11:41:13 [conn4]  authenticate: { authenticate: 1.0, user:
> "foo", nonce: "XXXX", key: "XXXX" }
> 
> My fix looks like this:
> Wed Aug  3 21:18:52 [conn1]  authenticate: XXXX
> 
> I made the short-cut as I do not think it is worth the effort to do a
> full back-port.
> 
> You can find the debdiff here:
> http://apt.inguza.net/wheezy-security/mongodb/mongodb.debdiff
> 
> And the prepared package here:
> http://apt.inguza.net/wheezy-security/mongodb/
> 
> Regarding testing I have done a simple regression test by installing
> the new packages, checking that the database is there and that I can
> access the server.
> 
> I have also been able to reproduce both issues and been able to
> verify that both fixes do really solve the problem.
> 
> If I do not hear any objections I will upload the corrected packages
> in four (4) days, that is on Sunday (maybe on Monday after).
> 
> Best regards
> 
> // Ola
> 
> -- 
>  --- Inguza Technology AB --- MSc in Information Technology ----
> /  o...@inguza.com                    Folkebogatan 26            \
> |  o...@debian.org                   654 68 KARLSTAD            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---------------------------------------------------------------
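The two redaction styles described in the quoted message, as an added example that is not Ola's debdiff or MongoDB's own code: field-level masking of the `nonce` and `key` values (the upstream shape) beside whole-document replacement (the wheezy shape), plus a check that the plaintext secrets no longer appear in the output. The log lines and secret values are constructed for the example.

```python
import re

# Constructed sample log lines modelled on the format quoted in the thread.
# The nonce and key values are made up for this example, not real captures.
SAMPLE_NONCE = "8f3a2c1d9e0b4a77"
SAMPLE_KEY = "2b8d1f3e6a9c4d0e7f1a2b3c4d5e6f70"
SAMPLE_LINES = [
    'Tue Aug  2 11:41:13 [conn4]  authenticate: { authenticate: 1.0, user: "foo", '
    f'nonce: "{SAMPLE_NONCE}", key: "{SAMPLE_KEY}" }}',
    # An unrelated command line: both redactors must leave it untouched.
    'Tue Aug  2 11:41:14 [conn4]  command: { ping: 1 }',
]

# Quoted string values of the credential-bearing fields inside the
# authenticate document. \b keeps "key" from matching inside longer names.
_FIELD_RE = re.compile(r'\b(nonce|key):\s*"[^"]*"')

# The whole "{ ... }" document that follows "authenticate:" on a line.
_AUTH_DOC_RE = re.compile(r'(authenticate:\s*)\{.*\}\s*$')


def redact_fields(line: str) -> str:
    """Upstream-style fix: keep the document structure (user, version, etc.)
    and mask only the nonce and key values."""
    if "authenticate:" not in line:
        return line
    return _FIELD_RE.sub(lambda m: f'{m.group(1)}: "XXXX"', line)


def redact_whole(line: str) -> str:
    """Wheezy backport-style fix: drop the entire authenticate document.
    Simpler to backport, but the user name is lost from the log."""
    return _AUTH_DOC_RE.sub(r'\1XXXX', line)


def leaks_secret(line: str, secrets) -> bool:
    """Defender's check: does any known secret still appear verbatim?"""
    return any(s in line for s in secrets)
```

Running `redact_fields` on the first sample line yields the upstream-style output quoted in the thread, and `redact_whole` yields the wheezy-style `authenticate: XXXX` line; neither form still contains the nonce or key.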
