Control: tags -1 + confirmed On Wed, 2017-01-11 at 12:46 +0200, Apollon Oikonomopoulos wrote: > - CVE-2016-6494[1] is fixed by backporting the patch already applied to > 2.6 (once in sid). > > - TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for > 2.6[3] using the infrastructure available in MongoDB 2.4. > Unfortunately the mutable BSON infrastructure used in 2.6 is > incomplete and unusable in 2.4. I benchmarked my own version and > found no measurable performance impact.
Please go ahead. fwiw: +This fixes TEMP-0833087-C5410D and closes #833087. The Security Team have previously requested that TEMP-* identifiers not be used in changelogs at least; I'm not sure how far that extends to things like patch headers. Regards, Adam
