[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#850931: marked as done (jessie-pu: package mongodb/1:2.4.10-5)

Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #850931,
regarding jessie-pu: package mongodb/1:2.4.10-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
850931: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850931
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear SRMs,

I would like to update MongoDB in stable to fix two low-impact security 
issues:

 - CVE-2016-6494[1] is fixed by backporting the patch already applied to 
   2.6 (once in sid).

 - TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for 
   2.6[3] using the infrastructure available in MongoDB 2.4.  
   Unfortunately the mutable BSON infrastructure used in 2.6 is 
   incomplete and unusable in 2.4. I benchmarked my own version and 
   found no measurable performance impact.

Full source debdiff attached.

Regards,
Apollon

[1] https://security-tracker.debian.org/tracker/CVE-2016-6494
[2] https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D
[3] https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12

diff -Nru mongodb-2.4.10/debian/changelog mongodb-2.4.10/debian/changelog
--- mongodb-2.4.10/debian/changelog	2015-03-09 23:25:16.000000000 +0200
+++ mongodb-2.4.10/debian/changelog	2017-01-11 11:17:56.000000000 +0200
@@ -1,3 +1,10 @@
+mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium
+
+  * Redact key and nonce from auth attempt logs (Closes: #833087)
+  * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908)
+
+ -- Apollon Oikonomopoulos <apoikos@debian.org>  Wed, 11 Jan 2017 11:17:56 +0200
+
 mongodb (1:2.4.10-5) unstable; urgency=high
 
   * Use upstream backported fix for CVE-2015-1609 (closes: #780129).
diff -Nru mongodb-2.4.10/debian/patches/CVE-2016-6494.patch mongodb-2.4.10/debian/patches/CVE-2016-6494.patch
--- mongodb-2.4.10/debian/patches/CVE-2016-6494.patch	1970-01-01 02:00:00.000000000 +0200
+++ mongodb-2.4.10/debian/patches/CVE-2016-6494.patch	2017-01-11 11:17:09.000000000 +0200
@@ -0,0 +1,39 @@
+Description: prevent group and other access on .dbshell
+ Use umask on file creation and chmod on existing file load.
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/832908
+Author: Laszlo Boszormenyi (GCS) <gcs@debian.org>
+Last-Update: 2016-08-04
+
+---
+
+--- mongodb-2.4.10.orig/src/mongo/shell/linenoise.cpp
++++ mongodb-2.4.10/src/mongo/shell/linenoise.cpp
+@@ -103,6 +103,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/types.h>
++#include <sys/stat.h>
+ #include <sys/ioctl.h>
+ #include <cctype>
+ #include <wctype.h>
+@@ -2626,7 +2627,10 @@ int linenoiseHistorySetMaxLen( int len )
+ /* Save the history in the specified file. On success 0 is returned
+  * otherwise -1 is returned. */
+ int linenoiseHistorySave( const char* filename ) {
++    mode_t old_umask;
++    old_umask = umask(S_IRWXG | S_IRWXO);
+     FILE* fp = fopen( filename, "wt" );
++    umask(old_umask);
+     if ( fp == NULL ) {
+         return -1;
+     }
+@@ -2651,6 +2655,8 @@ int linenoiseHistoryLoad( const char* fi
+         return -1;
+     }
+ 
++    chmod(filename, 00600);
++
+     char buf[LINENOISE_MAX_LINE];
+     while ( fgets( buf, LINENOISE_MAX_LINE, fp ) != NULL ) {
+         char* p = strchr( buf, '\r' );
diff -Nru mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch
--- mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch	1970-01-01 02:00:00.000000000 +0200
+++ mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch	2017-01-11 11:17:09.000000000 +0200
@@ -0,0 +1,42 @@
+From 1d44ca172befd6ad6d3a6cb410ddf7a0e31b6f81 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos <apoikos@debian.org>
+Date: Tue, 10 Jan 2017 17:39:57 +0200
+Subject: [PATCH] Redact key and nonce from auth attempt logs
+
+This fixes TEMP-0833087-C5410D and closes #833087.
+---
+ src/mongo/db/commands/authentication_commands.cpp | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
+index bcc5a2f..538e9a0 100644
+--- a/src/mongo/db/commands/authentication_commands.cpp
++++ b/src/mongo/db/commands/authentication_commands.cpp
+@@ -93,8 +93,23 @@ namespace mongo {
+     } cmdGetNonce;
+ 
+     bool CmdAuthenticate::run(const string& dbname , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
++        // Debian #833087: redact key and nonce from authentication attempts
++        BSONObjBuilder cmdToLog;
++        BSONObjIterator it = cmdObj.begin();
++        const StringData kKey = "key";
++        const StringData kNonce = "nonce";
++
++        while (it.more()) {
++            BSONElement e = it.next();
++            const char *fname = e.fieldName();
++            if (fname == kKey || fname == kNonce) {
++                cmdToLog.append(fname, "xxx");
++            } else {
++                cmdToLog.append(e);
++            }
++        }
+ 
+-        log() << " authenticate db: " << dbname << " " << cmdObj << endl;
++        log() << " authenticate db: " << dbname << " " << cmdToLog.obj() << endl;
+ 
+         string user = cmdObj.getStringField("user");
+ 
+-- 
+2.10.2
+
diff -Nru mongodb-2.4.10/debian/patches/series mongodb-2.4.10/debian/patches/series
--- mongodb-2.4.10/debian/patches/series	2015-03-09 23:21:17.000000000 +0200
+++ mongodb-2.4.10/debian/patches/series	2017-01-11 11:17:09.000000000 +0200
@@ -18,3 +18,5 @@
 8b9242837510e6410ddcf4f19969da4c7b01b2f7.patch
 656f78711632a5dc37221422c99e3c4619bcc58f.patch
 3a7e85ea1f672f702660e5472566234b1d19038e.patch
+Redact-key-and-nonce-from-auth-attempt-logs.patch
+CVE-2016-6494.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!

Regards,

Adam

--- End Message ---
Reply to: