Hi Jérémy, Laszlo and LTS team
You have probably seen my latest emails about "Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling".
I have now prepared a security update of this CVE-2016-6494 and in addition to that TEMP-0833087-C5410D.
For https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D I could not easily backport the fix for sid as the code was considerably different. So I made a simpler solution. The upstream fix was to mangle only the sensitive data. In wheezy I replaced the whole sensitive string with XXX. This means that the logging is not that good anymore but this should not impact any application functionality. I do not think most people will notice this anyway so I think it is safe.
Upstream fix looks something like this in the logs:
Tue Aug 2 11:41:13 [conn4] authenticate: { authenticate: 1.0, user: "foo", nonce: "XXXX", key: "XXXX" }
My fix looks like this:
Wed Aug 3 21:18:52 [conn1] authenticate: XXXX
I made the short-cut as I do not think it is worth the effort to do a full back-port.
You can find the debdiff here:
And the prepared package here:
Regarding testing I have done a simple regression test by installing the new packages, checking that the database is there and that I can access the server.
I have also been able to reproduce both issues and been able to verify that both fixes do really solve the problem.
If I do not hear any objections I will upload the corrected packages in four (4) days, that is on Sunday (maybe on Monday after).
Best regards
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
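The two redaction strategies contrasted in the mail (upstream masks only the sensitive fields, the wheezy fix replaces the whole command object), as an added Python example that is not part of the mail, the debdiff or the mongodb packages. The log line and the secret values are constructed, and the regex-based approach is an illustration, not the upstream patch.

```python
import re

# Fields of the MongoDB "authenticate" command whose values must not reach the log
# (the fields the upstream fix masks, per the mail's example log line).
SENSITIVE_FIELDS = ("nonce", "key")

# Matches "authenticate: { ... }" at the end of a log line and captures the object.
AUTH_RE = re.compile(r'(authenticate: )(\{.*\})\s*$')

# Constructed sample log line; the nonce and key values are made up for this example.
SAMPLE = ('Tue Aug 2 11:41:13 [conn4] authenticate: '
          '{ authenticate: 1.0, user: "foo", nonce: "1a2b3c", key: "d4e5f6" }')
SAMPLE_SECRETS = ("1a2b3c", "d4e5f6")


def redact_fields(line: str, fields=SENSITIVE_FIELDS) -> str:
    """Upstream-style redaction: keep the command structure, mask only sensitive values."""
    m = AUTH_RE.search(line)
    if not m:
        return line
    body = m.group(2)
    for field in fields:
        # The value is either a quoted string (with escapes) or a bare token; both become "XXXX".
        body = re.sub(r'(\b%s: )("(?:[^"\\]|\\.)*"|[^,\s}]+)' % re.escape(field),
                      r'\1"XXXX"', body)
    return line[:m.start(2)] + body + line[m.end(2):]


def redact_whole(line: str) -> str:
    """Wheezy-style redaction: drop the entire command object and log only XXXX."""
    m = AUTH_RE.search(line)
    if not m:
        return line
    return line[:m.start(2)] + "XXXX" + line[m.end(2):]


def leaks_secret(line: str, secrets) -> bool:
    """Regression check: does the (redacted) line still contain any known secret value?"""
    return any(s in line for s in secrets)


if __name__ == "__main__":
    print("original :", SAMPLE)
    print("upstream :", redact_fields(SAMPLE))
    print("wheezy   :", redact_whole(SAMPLE))
    for name, fn in (("upstream", redact_fields), ("wheezy", redact_whole)):
        print(name, "leaks secrets:", leaks_secret(fn(SAMPLE), SAMPLE_SECRETS))
```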