Hi Jérémy, Laszlo and LTS team

You have probably seen my latest emails about "Bug#832908: mongodb:
CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade
handling".

I have now prepared a security update of this CVE-2016-6494 and in addition
to that TEMP-0833087-C5410D.

For https://security-tracker.debian.org/tracker/CVE-2016-6494 you can find
the patch in bug 832908.

For https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D I could
not easily backport the fix for sid as the code was considerably different.
So I made a simpler solution. The upstream fix was to mangle only the
sensitive data. In wheezy I replaced the whole sensitive string with XXX.
This means that the logging is not that good anymore but this should not
impact any application functionality. I do not think most people will
notice this anyway so I think it is safe.

Upstream fix looks something like this in the logs:
Tue Aug  2 11:41:13 [conn4]  authenticate: { authenticate: 1.0, user:
"foo", nonce: "XXXX", key: "XXXX" }

My fix looks like this:
Wed Aug  3 21:18:52 [conn1]  authenticate: XXXX

I made the short-cut as I do not think it is worth the effort to do a full
back-port.

You can find the debdiff here:
http://apt.inguza.net/wheezy-security/mongodb/mongodb.debdiff

And the prepared package here:
http://apt.inguza.net/wheezy-security/mongodb/

Regarding testing I have done a simple regression test by installing the
new packages, checking that the database is there and that I can access the
server.

I have also been able to reproduce both issues and been able to verify that
both fixes do really solve the problem.

If I do not hear any objections I will upload the corrected packages in
four (4) days, that is on Sunday (maybe on Monday after).

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
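The two redaction strategies compared in the mail (upstream masking only the nonce and key fields versus the wheezy shortcut of replacing the whole command) are easy to get wrong, so here is an added illustration of both applied to a log line, plus a small check a maintainer can run over an existing log to find authenticate entries that still carry unmasked values. This is example code written for this page, not the MongoDB patch or the debdiff above; the log line and secret values are constructed, and the function names are my own.

```python
import re

# Constructed sample line in the shape of the mongod 2.x "authenticate" log
# entry quoted in the mail; the nonce and key values are made up.
SAMPLE_LINE = ('Tue Aug  2 11:41:13 [conn4]  authenticate: { authenticate: 1.0, user: '
               '"foo", nonce: "abcdef0123456789", key: "0123456789abcdef0123456789abcdef" }')

# Fields whose values must never reach the log (names from the mail's example).
SENSITIVE_FIELDS = ("nonce", "key")
MASK = "XXXX"


def redact_fields(line, fields=SENSITIVE_FIELDS, mask=MASK):
    """Upstream-style fix: keep the command structure, mask only sensitive values."""
    pattern = re.compile(r'\b(' + '|'.join(map(re.escape, fields)) + r'):\s*"[^"]*"')
    return pattern.sub(lambda m: f'{m.group(1)}: "{mask}"', line)


def redact_whole(line, mask=MASK):
    """Wheezy-style shortcut: replace everything after 'authenticate:' with the mask."""
    return re.sub(r'(authenticate:\s*).*$', lambda m: m.group(1) + mask, line)


def leaks_secret(line, secrets):
    """True if any known secret value still appears verbatim in the line."""
    return any(s in line for s in secrets)


# Matches an authenticate entry where nonce or key still carries a value
# other than the mask, i.e. a line the fix should have sanitised.
_UNMASKED = re.compile(r'authenticate:.*\b(?:nonce|key):\s*"(?!' + re.escape(MASK) + r'")[^"]*"')


def find_unredacted(lines):
    """Return the lines of a log that still contain unmasked nonce/key values."""
    return [ln for ln in lines if _UNMASKED.search(ln)]


if __name__ == "__main__":
    print(redact_fields(SAMPLE_LINE))
    print(redact_whole(SAMPLE_LINE))
    print(find_unredacted([SAMPLE_LINE, redact_fields(SAMPLE_LINE), redact_whole(SAMPLE_LINE)]))
```

`redact_fields` reproduces the upstream output shown in the mail (user kept, nonce and key replaced), while `redact_whole` reproduces the wheezy output; `find_unredacted` is the kind of check worth running over `/var/log/mongodb` after deploying either variant, since it flags any authenticate entry the redaction missed.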
