Hi Federico On Sat, Jun 01, 2013 at 10:54:49AM +0200, Salvatore Bonaccorso wrote: > Package: pymongo > Severity: grave > Tags: security upstream patch > > Hi, > > the following vulnerability was published for pymongo. > > CVE-2013-2132[0]: > null pointer when decoding invalid DBRef > > See [1] for details and upstream bugreport including reproducer for > the issue. A patch was applied upstream in [2]. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2132 > http://security-tracker.debian.org/tracker/CVE-2013-2132 > [1] https://jira.mongodb.org/browse/PYTHON-532 > [2] > https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2 > > I have checked 2.2-4, which seem affected. Please adjust the affected > versions in the BTS as needed.
Thanks for having fixed that quickly already by the upload to unstable. Could you also prepare a fix for wheezy to be included trough a stable-proposed-update? (Note: Please contact stable release managers in advance before uploading, preferably via bugreport against release.debian.org with the debdiff). (Side note to what Adam wrote already: Adding the CVE in changelog helps us furthermore a lot to track the issues fixed; apart having documented the security fix in changelog). Thank you for your work! Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org