Hi Federico
On Sat, Jun 01, 2013 at 10:54:49AM +0200, Salvatore Bonaccorso wrote:
Package: pymongo
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for pymongo.
CVE-2013-2132[0]:
null pointer when decoding invalid DBRef
See [1] for details and upstream bugreport including reproducer for
the issue. A patch was applied upstream in [2].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2132
http://security-tracker.debian.org/tracker/CVE-2013-2132
[1] https://jira.mongodb.org/browse/PYTHON-532
[2]
https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2
I have checked 2.2-4, which seem affected. Please adjust the affected
versions in the BTS as needed.
Thanks for having fixed that quickly already by the upload to
unstable. Could you also prepare a fix for wheezy to be included
trough a stable-proposed-update? (Note: Please contact stable release
managers in advance before uploading, preferably via bugreport against
release.debian.org with the debdiff).
(Side note to what Adam wrote already: Adding the CVE in changelog
helps us furthermore a lot to track the issues fixed; apart having
documented the security fix in changelog).
Thank you for your work!
Regards,
Salvatore
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
