Bug#850931: jessie-pu: package mongodb/1:2.4.10-5

To: Apollon Oikonomopoulos <apoikos@debian.org>, 850931@bugs.debian.org
Subject: Bug#850931: jessie-pu: package mongodb/1:2.4.10-5
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 28 Jan 2017 16:36:31 +0000
Message-id: <[🔎] 1485621391.1797.19.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 850931@bugs.debian.org
In-reply-to: <[🔎] 20170111104610.rlv6vweacbhq6eux@marvin.dmesg.gr>
References: <[🔎] 20170111104610.rlv6vweacbhq6eux@marvin.dmesg.gr>

Control: tags -1 + confirmed

On Wed, 2017-01-11 at 12:46 +0200, Apollon Oikonomopoulos wrote:
>  - CVE-2016-6494[1] is fixed by backporting the patch already applied to 
>    2.6 (once in sid).
> 
>  - TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for 
>    2.6[3] using the infrastructure available in MongoDB 2.4.  
>    Unfortunately the mutable BSON infrastructure used in 2.6 is 
>    incomplete and unusable in 2.4. I benchmarked my own version and 
>    found no measurable performance impact.

Please go ahead.

fwiw:

+This fixes TEMP-0833087-C5410D and closes #833087.

The Security Team have previously requested that TEMP-* identifiers not
be used in changelogs at least; I'm not sure how far that extends to
things like patch headers.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#850931: jessie-pu: package mongodb/1:2.4.10-5
  - From: Apollon Oikonomopoulos <apoikos@debian.org>

References:
- Bug#850931: jessie-pu: package mongodb/1:2.4.10-5
  - From: Apollon Oikonomopoulos <apoikos@debian.org>

Prev by Date: Processed: tagging 852435
Next by Date: Processed: Re: Bug#851105: jessie-pu: package ndoutils/1.4b9-1.1+deb8u1
Previous by thread: Bug#850931: jessie-pu: package mongodb/1:2.4.10-5
Next by thread: Bug#850931: jessie-pu: package mongodb/1:2.4.10-5
Index(es):
- Date
- Thread