Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <[email protected]>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #850931,
regarding jessie-pu: package mongodb/1:2.4.10-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
850931: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850931
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Dear SRMs,
I would like to update MongoDB in stable to fix two low-impact security
issues:
- CVE-2016-6494[1] is fixed by backporting the patch already applied to
2.6 (once in sid).
- TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for
2.6[3] using the infrastructure available in MongoDB 2.4.
Unfortunately the mutable BSON infrastructure used in 2.6 is
incomplete and unusable in 2.4. I benchmarked my own version and
found no measurable performance impact.
Full source debdiff attached.
Regards,
Apollon
[1] https://security-tracker.debian.org/tracker/CVE-2016-6494
[2] https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D
[3] https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12
diff -Nru mongodb-2.4.10/debian/changelog mongodb-2.4.10/debian/changelog
--- mongodb-2.4.10/debian/changelog 2015-03-09 23:25:16.000000000 +0200
+++ mongodb-2.4.10/debian/changelog 2017-01-11 11:17:56.000000000 +0200
@@ -1,3 +1,10 @@
+mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium
+
+ * Redact key and nonce from auth attempt logs (Closes: #833087)
+ * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908)
+
+ -- Apollon Oikonomopoulos <[email protected]> Wed, 11 Jan 2017 11:17:56 +0200
+
mongodb (1:2.4.10-5) unstable; urgency=high
* Use upstream backported fix for CVE-2015-1609 (closes: #780129).
diff -Nru mongodb-2.4.10/debian/patches/CVE-2016-6494.patch mongodb-2.4.10/debian/patches/CVE-2016-6494.patch
--- mongodb-2.4.10/debian/patches/CVE-2016-6494.patch 1970-01-01 02:00:00.000000000 +0200
+++ mongodb-2.4.10/debian/patches/CVE-2016-6494.patch 2017-01-11 11:17:09.000000000 +0200
@@ -0,0 +1,39 @@
+Description: prevent group and other access on .dbshell
+ Use umask on file creation and chmod on existing file load.
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/832908
+Author: Laszlo Boszormenyi (GCS) <[email protected]>
+Last-Update: 2016-08-04
+
+---
+
+--- mongodb-2.4.10.orig/src/mongo/shell/linenoise.cpp
++++ mongodb-2.4.10/src/mongo/shell/linenoise.cpp
+@@ -103,6 +103,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/types.h>
++#include <sys/stat.h>
+ #include <sys/ioctl.h>
+ #include <cctype>
+ #include <wctype.h>
+@@ -2626,7 +2627,10 @@ int linenoiseHistorySetMaxLen( int len )
+ /* Save the history in the specified file. On success 0 is returned
+ * otherwise -1 is returned. */
+ int linenoiseHistorySave( const char* filename ) {
++ mode_t old_umask;
++ old_umask = umask(S_IRWXG | S_IRWXO);
+ FILE* fp = fopen( filename, "wt" );
++ umask(old_umask);
+ if ( fp == NULL ) {
+ return -1;
+ }
+@@ -2651,6 +2655,8 @@ int linenoiseHistoryLoad( const char* fi
+ return -1;
+ }
+
++ chmod(filename, 00600);
++
+ char buf[LINENOISE_MAX_LINE];
+ while ( fgets( buf, LINENOISE_MAX_LINE, fp ) != NULL ) {
+ char* p = strchr( buf, '\r' );
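Review bot: in the linenoiseHistoryLoad part of this patch, `chmod(filename, 00600)` is applied to the path after the file has already been opened, so it follows whatever the path resolves to at that moment (a rename or symlink race between the `fopen` and the `chmod`) and its return value is discarded; prefer `fchmod(fileno(fp), S_IRUSR | S_IWUSR)` on the descriptor that was just opened and handle failure. The same consideration applies to the linenoiseHistorySave part: `umask()` is process-wide and only affects newly created files, while `fopen(filename, "wt")` truncates an existing .dbshell without changing its mode, so an `fchmod` after a successful `fopen` would cover both the new-file and existing-file cases in one place instead of splitting the fix across save and load. As a DEP-3 point, the cover letter says this change is already applied upstream in 2.6, so `Forwarded: no` should read `Forwarded: not-needed`.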
diff -Nru mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch
--- mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 1970-01-01 02:00:00.000000000 +0200
+++ mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 2017-01-11 11:17:09.000000000 +0200
@@ -0,0 +1,42 @@
+From 1d44ca172befd6ad6d3a6cb410ddf7a0e31b6f81 Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos <[email protected]>
+Date: Tue, 10 Jan 2017 17:39:57 +0200
+Subject: [PATCH] Redact key and nonce from auth attempt logs
+
+This fixes TEMP-0833087-C5410D and closes #833087.
+---
+ src/mongo/db/commands/authentication_commands.cpp | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
+index bcc5a2f..538e9a0 100644
+--- a/src/mongo/db/commands/authentication_commands.cpp
++++ b/src/mongo/db/commands/authentication_commands.cpp
+@@ -93,8 +93,23 @@ namespace mongo {
+ } cmdGetNonce;
+
+ bool CmdAuthenticate::run(const string& dbname , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
++ // Debian #833087: redact key and nonce from authentication attempts
++ BSONObjBuilder cmdToLog;
++ BSONObjIterator it = cmdObj.begin();
++ const StringData kKey = "key";
++ const StringData kNonce = "nonce";
++
++ while (it.more()) {
++ BSONElement e = it.next();
++ const char *fname = e.fieldName();
++ if (fname == kKey || fname == kNonce) {
++ cmdToLog.append(fname, "xxx");
++ } else {
++ cmdToLog.append(e);
++ }
++ }
+
+- log() << " authenticate db: " << dbname << " " << cmdObj << endl;
++ log() << " authenticate db: " << dbname << " " << cmdToLog.obj() << endl;
+
+ string user = cmdObj.getStringField("user");
+
+--
+2.10.2
+
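Review bot: the CmdAuthenticate::run hunk only rewrites the first `log()` line, so please confirm that no later `log()` call in the same function still streams `cmdObj` (the hunk ends before the rest of the function), otherwise key and nonce would still reach the log on that path. Two smaller points: `cmdToLog` is built on every authenticate call regardless of whether the log line will actually be emitted, which is cheap but worth a comment given the stated benchmarking, and the comparison `fname == kKey` relies on the implicit `const char*` to `StringData` conversion and `StringData`'s `operator==` being visible in this translation unit; writing `StringData(fname) == kKey` makes the intent explicit and avoids a silent fall-back to pointer comparison if that overload is ever not found.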
diff -Nru mongodb-2.4.10/debian/patches/series mongodb-2.4.10/debian/patches/series
--- mongodb-2.4.10/debian/patches/series 2015-03-09 23:21:17.000000000 +0200
+++ mongodb-2.4.10/debian/patches/series 2017-01-11 11:17:09.000000000 +0200
@@ -18,3 +18,5 @@
8b9242837510e6410ddcf4f19969da4c7b01b2f7.patch
656f78711632a5dc37221422c99e3c4619bcc58f.patch
3a7e85ea1f672f702660e5472566234b1d19038e.patch
+Redact-key-and-nonce-from-auth-attempt-logs.patch
+CVE-2016-6494.patch
--- End Message ---
--- Begin Message ---
Version: 8.8
Hi,
Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!
Regards,
Adam
--- End Message ---