Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #850931,
regarding jessie-pu: package mongodb/1:2.4.10-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
850931: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850931
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package mongodb/1:2.4.10-5
- From: Apollon Oikonomopoulos <apoikos@debian.org>
- Date: Wed, 11 Jan 2017 12:46:11 +0200
- Message-id: <20170111104610.rlv6vweacbhq6eux@marvin.dmesg.gr>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear SRMs,

I would like to update MongoDB in stable to fix two low-impact security issues:

- CVE-2016-6494[1] is fixed by backporting the patch already applied to 2.6 (once in sid).
- TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for 2.6[3] using the infrastructure available in MongoDB 2.4. Unfortunately the mutable BSON infrastructure used in 2.6 is incomplete and unusable in 2.4. I benchmarked my own version and found no measurable performance impact.

Full source debdiff attached.

Regards,
Apollon

[1] https://security-tracker.debian.org/tracker/CVE-2016-6494
[2] https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D
[3] https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12

diff -Nru mongodb-2.4.10/debian/changelog mongodb-2.4.10/debian/changelog --- mongodb-2.4.10/debian/changelog 2015-03-09 23:25:16.000000000 +0200 +++ mongodb-2.4.10/debian/changelog 2017-01-11 11:17:56.000000000 +0200 @@ -1,3 +1,10 @@ +mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium + + * Redact key and nonce from auth attempt logs (Closes: #833087) + * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908) + + -- Apollon Oikonomopoulos <apoikos@debian.org> Wed, 11 Jan 2017 11:17:56 +0200 + mongodb (1:2.4.10-5) unstable; urgency=high * Use upstream backported fix for CVE-2015-1609 (closes: #780129). diff -Nru mongodb-2.4.10/debian/patches/CVE-2016-6494.patch mongodb-2.4.10/debian/patches/CVE-2016-6494.patch --- mongodb-2.4.10/debian/patches/CVE-2016-6494.patch 1970-01-01 02:00:00.000000000 +0200 +++ mongodb-2.4.10/debian/patches/CVE-2016-6494.patch 2017-01-11 11:17:09.000000000 +0200 
@@ -0,0 +1,39 @@ +Description: prevent group and other access on .dbshell + Use umask on file creation and chmod on existing file load. +Forwarded: no +Bug-Debian: https://bugs.debian.org/832908 +Author: Laszlo Boszormenyi (GCS) <gcs@debian.org> +Last-Update: 2016-08-04 + +--- + +--- mongodb-2.4.10.orig/src/mongo/shell/linenoise.cpp ++++ mongodb-2.4.10/src/mongo/shell/linenoise.cpp +@@ -103,6 +103,7 @@ + #include <stdlib.h> + #include <string.h> + #include <sys/types.h> ++#include <sys/stat.h> + #include <sys/ioctl.h> + #include <cctype> + #include <wctype.h> +@@ -2626,7 +2627,10 @@ int linenoiseHistorySetMaxLen( int len ) + /* Save the history in the specified file. On success 0 is returned + * otherwise -1 is returned. */ + int linenoiseHistorySave( const char* filename ) { ++ mode_t old_umask; ++ old_umask = umask(S_IRWXG | S_IRWXO); + FILE* fp = fopen( filename, "wt" ); ++ umask(old_umask); + if ( fp == NULL ) { + return -1; + } +@@ -2651,6 +2655,8 @@ int linenoiseHistoryLoad( const char* fi + return -1; + } + ++ chmod(filename, 00600); ++ + char buf[LINENOISE_MAX_LINE]; + while ( fgets( buf, LINENOISE_MAX_LINE, fp ) != NULL ) { + char* p = strchr( buf, '\r' ); diff -Nru mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch --- mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 1970-01-01 02:00:00.000000000 +0200 +++ mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 2017-01-11 11:17:09.000000000 +0200 
@@ -0,0 +1,42 @@ +From 1d44ca172befd6ad6d3a6cb410ddf7a0e31b6f81 Mon Sep 17 00:00:00 2001 +From: Apollon Oikonomopoulos <apoikos@debian.org> +Date: Tue, 10 Jan 2017 17:39:57 +0200 +Subject: [PATCH] Redact key and nonce from auth attempt logs + +This fixes TEMP-0833087-C5410D and closes #833087. +--- + src/mongo/db/commands/authentication_commands.cpp | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp +index bcc5a2f..538e9a0 100644 +--- a/src/mongo/db/commands/authentication_commands.cpp ++++ b/src/mongo/db/commands/authentication_commands.cpp +@@ -93,8 +93,23 @@ namespace mongo { + } cmdGetNonce; + + bool CmdAuthenticate::run(const string& dbname , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) { ++ // Debian #833087: redact key and nonce from authentication attempts ++ BSONObjBuilder cmdToLog; ++ BSONObjIterator it = cmdObj.begin(); ++ const StringData kKey = "key"; ++ const StringData kNonce = "nonce"; ++ ++ while (it.more()) { ++ BSONElement e = it.next(); ++ const char *fname = e.fieldName(); ++ if (fname == kKey || fname == kNonce) { ++ cmdToLog.append(fname, "xxx"); ++ } else { ++ cmdToLog.append(e); ++ } ++ } + +- log() << " authenticate db: " << dbname << " " << cmdObj << endl; ++ log() << " authenticate db: " << dbname << " " << cmdToLog.obj() << endl; + + string user = cmdObj.getStringField("user"); + +-- +2.10.2 + diff -Nru mongodb-2.4.10/debian/patches/series mongodb-2.4.10/debian/patches/series --- mongodb-2.4.10/debian/patches/series 2015-03-09 23:21:17.000000000 +0200 +++ mongodb-2.4.10/debian/patches/series 2017-01-11 11:17:09.000000000 +0200 
@@ -18,3 +18,5 @@ 8b9242837510e6410ddcf4f19969da4c7b01b2f7.patch 656f78711632a5dc37221422c99e3c4619bcc58f.patch 3a7e85ea1f672f702660e5472566234b1d19038e.patch +Redact-key-and-nonce-from-auth-attempt-logs.patch +CVE-2016-6494.patch
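Review bot: in the linenoiseHistoryLoad hunk of CVE-2016-6494.patch, `chmod(filename, 00600)` is applied to the path name after the file has already been opened and its return value is discarded; `fchmod(fileno(fp), S_IRUSR | S_IWUSR)` on the open descriptor tightens the mode of the file actually being read, does not follow a path that could be replaced between `fopen` and `chmod`, and its failure should at least be reported rather than ignored. The umask handling in linenoiseHistorySave is fine as written: umask is process-wide, so keeping the window to the single `fopen` call and restoring `old_umask` immediately is the right shape.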
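Review bot: Redact-key-and-nonce-from-auth-attempt-logs.patch carries only git format-patch headers, so unlike CVE-2016-6494.patch it has no DEP-3 `Origin:` or `Forwarded:` line recording that it is a Debian reimplementation for 2.4 of the upstream 2.6 fix referenced in the cover mail; the patch file itself should say so, e.g. `Origin: vendor, reimplementation of https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12` and `Forwarded: no`, so the next maintainer does not have to dig through the BTS to learn why it differs from upstream. The redaction loop itself matches only the top-level `key` and `nonce` fields, which the visible code confirms are the only secrets the command reads besides `user`; a short comment stating that would make the scope explicit.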
--- End Message ---
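The permission fix in the first patch above tightens .dbshell with umask() at creation and chmod() on the path after load. As an added example (not code from the Debian patch or from MongoDB), the same hardening in C with fchmod() on the open descriptor, plus a check function a test can assert on; secure_history_save and history_mode_is_private are assumed names.

```c
/* Added example, not code from the Debian patch: create the shell history file
 * so it is never group/other readable, tightening the mode on the open
 * descriptor instead of the path. Function names are assumed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Write `line` to `path`, creating it 0600. umask masks group/other bits
 * only during creation and is restored at once, because umask is process
 * wide. fchmod() fixes an existing file's mode on the descriptor, so there
 * is no window between open and chmod in which the path could be swapped.
 * Returns 0 on success, -1 on failure. */
int secure_history_save(const char *path, const char *line)
{
    mode_t old_umask = umask(S_IRWXG | S_IRWXO);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    umask(old_umask);
    if (fd < 0)
        return -1;
    /* A pre-existing file keeps its old mode; tighten it on the open fd. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {
        close(fd);
        return -1;
    }
    int rc = (fputs(line, fp) == EOF || fputc('\n', fp) == EOF) ? -1 : 0;
    if (fclose(fp) != 0)
        rc = -1;
    return rc;
}

/* Return 1 if `path` exists with no group/other permission bits set, else 0. */
int history_mode_is_private(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
```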
--- Begin Message ---
- To: 841724-done@bugs.debian.org, 842929-done@bugs.debian.org, 850003-done@bugs.debian.org, 850931-done@bugs.debian.org, 851105-done@bugs.debian.org, 851151-done@bugs.debian.org, 851262-done@bugs.debian.org, 851397-done@bugs.debian.org, 851527-done@bugs.debian.org, 851528-done@bugs.debian.org, 851678-done@bugs.debian.org, 852040-done@bugs.debian.org, 852361-done@bugs.debian.org, 852624-done@bugs.debian.org, 852998-done@bugs.debian.org, 853162-done@bugs.debian.org, 853233-done@bugs.debian.org, 853235-done@bugs.debian.org, 853965-done@bugs.debian.org, 854621-done@bugs.debian.org, 854811-done@bugs.debian.org, 854812-done@bugs.debian.org, 855345-done@bugs.debian.org, 856171-done@bugs.debian.org, 856174-done@bugs.debian.org, 856627-done@bugs.debian.org, 856665-done@bugs.debian.org, 856832-done@bugs.debian.org, 856872-done@bugs.debian.org, 857041-done@bugs.debian.org, 857434-done@bugs.debian.org, 857468-done@bugs.debian.org, 857920-done@bugs.debian.org, 858028-done@bugs.debian.org, 858130-done@bugs.debian.org, 858547-done@bugs.debian.org, 858642-done@bugs.debian.org, 858680-done@bugs.debian.org, 858996-done@bugs.debian.org, 859475-done@bugs.debian.org, 859801-done@bugs.debian.org, 859846-done@bugs.debian.org, 859906-done@bugs.debian.org, 860017-done@bugs.debian.org, 860276-done@bugs.debian.org, 860289-done@bugs.debian.org, 860414-done@bugs.debian.org, 860577-done@bugs.debian.org, 860718-done@bugs.debian.org, 860798-done@bugs.debian.org, 861056-done@bugs.debian.org, 861110-done@bugs.debian.org, 861129-done@bugs.debian.org, 861200-done@bugs.debian.org, 861294-done@bugs.debian.org, 861389-done@bugs.debian.org, 861391-done@bugs.debian.org, 861392-done@bugs.debian.org, 861395-done@bugs.debian.org, 861397-done@bugs.debian.org, 861489-done@bugs.debian.org
- Subject: Closing bugs for updates included in 8.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 06 May 2017 14:44:18 +0100
- Message-id: <1494078258.26551.13.camel@adam-barratt.org.uk>
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's jessie point release.

Thanks!

Regards,

Adam
--- End Message ---