On 16:36 Sat 28 Jan , Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2017-01-11 at 12:46 +0200, Apollon Oikonomopoulos wrote:
> > - CVE-2016-6494[1] is fixed by backporting the patch already applied to
> >   2.6 (once in sid).
> >
> > - TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for
> >   2.6[3] using the infrastructure available in MongoDB 2.4.
> >   Unfortunately the mutable BSON infrastructure used in 2.6 is
> >   incomplete and unusable in 2.4. I benchmarked my own version and
> >   found no measurable performance impact.
>
> Please go ahead.
>
> fwiw:
>
> +This fixes TEMP-0833087-C5410D and closes #833087.
>
> The Security Team have previously requested that TEMP-* identifiers not
> be used in changelogs at least; I'm not sure how far that extends to
> things like patch headers.

Uploaded with the following interdiff: diff -u mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch mongodb-2.4.10/debian/patches/Redact-key-and-nonce-f --- mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 2017-01-11 11:17:09.000000000 +0200 +++ mongodb-2.4.10/debian/patches/Redact-key-and-nonce-from-auth-attempt-logs.patch 2017-01-11 11:17:56.000000000 +0200 @@ -1,9 +1,8 @@ From 1d44ca172befd6ad6d3a6cb410ddf7a0e31b6f81 Mon Sep 17 00:00:00 2001 From: Apollon Oikonomopoulos <apoi...@debian.org> Date: Tue, 10 Jan 2017 17:39:57 +0200 +Bug-Debian: #833087 Subject: [PATCH] Redact key and nonce from auth attempt logs - -This fixes TEMP-0833087-C5410D and closes #833087. --- src/mongo/db/commands/authentication_commands.cpp | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) Regards, Apollon
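
Review bot: the added "Bug-Debian: #833087" line in the patch header carries a bare bug number, while DEP-3 defines the Bug-<Vendor> field as a URL, so "Bug-Debian: https://bugs.debian.org/833087" is the form tools expect. Dropping the "This fixes TEMP-0833087-C5410D ..." line also leaves the header with no body at all between Subject and the "---" separator; a one-line description of what is redacted and why (key and nonce leaking into auth attempt logs) would keep the patch self-explanatory without using the TEMP-* identifier.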