[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Security update of mongodb

Hi Jérémy, Laszlo and LTS team

You have probably seen my latest emails about "Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling".

I have now prepared a security update of this CVE-2016-6494 and in addition to that TEMP-0833087-C5410D.

For https://security-tracker.debian.org/tracker/CVE-2016-6494 you can find the patch in bug 832908.

For https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D I could not easily backport the fix for sid as the code was considerably different. So I made a simpler solution. The upstream fix was to mangle only the the sensitive data. In wheezy I replaced the whole sensitive string with XXX. This means that the logging is not that good anymore but this should not impact any application functionality. I do not think most people will notive this anyway so I think it is safe.

Upstream fix looks something like this in the logs:
Tue Aug  2 11:41:13 [conn4]  authenticate: { authenticate: 1.0, user: "foo", nonce: "XXXX", key: "XXXX" }

My fix looks like this:
Wed Aug  3 21:18:52 [conn1]  authenticate: XXXX

I made the short-cut as I do not think it is worth the effort to do a full back-port.

You can find the debdiff here:

And the prepared package here:

Regarding testing I have done a simple regression test bu installing the new packages, checking that the database is there and that I can access the server.

I have also been able to reproduce both issues and been able to verify that both fixes do really solve the problem.

If I do not hear any objections I will upload the corrected packages in four (4) days, that is on Sunday (maybe on monday after).

Best regards

// Ola

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Reply to: