Bug#710597: marked as done (pymongo: CVE-2013-2132: null pointer when decoding invalid DBRef)

[Debian Bug Tracking System]

Your message dated Sun, 02 Jun 2013 11:48:19 +0000
with message-id <e1uj6ln-0007my...@franck.debian.org>
and subject line Bug#710597: fixed in pymongo 2.5.2-1
has caused the Debian Bug report #710597,
regarding pymongo: CVE-2013-2132: null pointer when decoding invalid DBRef
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
710597: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710597
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: pymongo
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for pymongo.

CVE-2013-2132[0]:
null pointer when decoding invalid DBRef

See [1] for details and upstream bugreport including reproducer for
the issue. A patch was applied upstream in [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2132
    http://security-tracker.debian.org/tracker/CVE-2013-2132
[1] https://jira.mongodb.org/browse/PYTHON-532
[2] 
https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2

I have checked 2.2-4, which seem affected. Please adjust the affected
versions in the BTS as needed.

Thanks for your work and regards,

Salvatore

--- End Message ---

--- Begin Message ---

Source: pymongo
Source-Version: 2.5.2-1

We believe that the bug you reported is fixed in the latest version of
pymongo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 710...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Ceratto <federico.cera...@gmail.com> (supplier of updated pymongo 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 02 Jun 2013 11:11:10 +0100
Source: pymongo
Binary: python-pymongo python3-pymongo python-pymongo-ext python-pymongo-doc 
python-gridfs python3-gridfs python-bson python3-bson python-bson-ext
Architecture: source amd64 all
Version: 2.5.2-1
Distribution: unstable
Urgency: high
Maintainer: Federico Ceratto <federico.cera...@gmail.com>
Changed-By: Federico Ceratto <federico.cera...@gmail.com>
Description: 
 python-bson - Python implementation of BSON for MongoDB
 python-bson-ext - C-coded extension to the python-bson package
 python-gridfs - Python implementation of GridFS for MongoDB
 python-pymongo - Python interface to the MongoDB document-oriented database
 python-pymongo-doc - Python interface to the MongoDB document-oriented 
database (docum
 python-pymongo-ext - C-coded extension to the python-pymongo package
 python3-bson - Python3 implementation of BSON for MongoDB
 python3-gridfs - Python3 implementation of GridFS for MongoDB
 python3-pymongo - Python3 interface to the MongoDB document-oriented database
Closes: 710597
Changes: 
 pymongo (2.5.2-1) unstable; urgency=high
 .
   * New upstream release. (Closes: #710597)
   * Releasing to unstable.
Checksums-Sha1: 
 0f4919a56f10793834e9f49e8f8f08e6c7298d21 1793 pymongo_2.5.2-1.dsc
 2ef234fcae46328e95d8dfbc9fb08fbe50893a68 305155 pymongo_2.5.2.orig.tar.gz
 4c0507a78a33052b4a5459002545a52066682c39 4317 pymongo_2.5.2-1.debian.tar.gz
 8d22a8fcfe77eb48a116a6f49a4bded1be00685c 110042 
python-pymongo_2.5.2-1_amd64.deb
 adaee6b08f05f8d7efe27f89e7afb41a6c9d5d3e 107872 
python3-pymongo_2.5.2-1_amd64.deb
 18fdf1c9beb6519909efb7548d6d67bf84864f50 25086 
python-pymongo-ext_2.5.2-1_amd64.deb
 bc83719c0ba9ff9cd3e57caec7ff54fe0b8a507e 1096406 
python-pymongo-doc_2.5.2-1_all.deb
 77192b0e1e63040c4f73737df5df6a4f6834c3f5 24364 python-gridfs_2.5.2-1_all.deb
 a5010c16c5512cfd4392831ed6f7fcad453c6372 24618 python3-gridfs_2.5.2-1_all.deb
 40f21c96e6fb26c65abc8768914479941800d780 32964 python-bson_2.5.2-1_amd64.deb
 d169dfe1f7bbbb652c0ef5385bac15d1cbdb5ca9 33058 python3-bson_2.5.2-1_amd64.deb
 7b37dc6d7714dbba75912a802acf1c2baf12e561 66524 
python-bson-ext_2.5.2-1_amd64.deb
Checksums-Sha256: 
 0b299aea8393351379319fc1b58c6dca2dc19b74fffdd9ce2e0269fde1b127ed 1793 
pymongo_2.5.2-1.dsc
 641e8e7d19abdd43d5e8ee2f14b82632d7d1deb6cb1b05a82b68b0711b31c307 305155 
pymongo_2.5.2.orig.tar.gz
 73fe1a84731bf72fb4674cda0fa9ab455ab3bd2c96a29780ee73205ed62cd787 4317 
pymongo_2.5.2-1.debian.tar.gz
 cbdc82781d2e00dafc55e0bac1c5cb22601570b5bc3db7d242e5a32f69569d2b 110042 
python-pymongo_2.5.2-1_amd64.deb
 70c26f80d25ca8ef73c18f41d5aba71ecc0b771bcb3893f50b019e9679a061b5 107872 
python3-pymongo_2.5.2-1_amd64.deb
 789978a34d07ae4c66ad2b0560e324e0f9aedce76a41eed3e5716268eeebdf94 25086 
python-pymongo-ext_2.5.2-1_amd64.deb
 a61dcb5e75c72e7fda7d8b4cc486329de662413d21c7a24f093cca35db5c30b7 1096406 
python-pymongo-doc_2.5.2-1_all.deb
 3212514ca0c0b4e45fa7eaa44094413863cd2b21e9f2e615fb328bb36e471217 24364 
python-gridfs_2.5.2-1_all.deb
 d3b5637b6b8851ff4983319b74ed86787d8e24f2af239ce096fcf5608f7ae3ef 24618 
python3-gridfs_2.5.2-1_all.deb
 260e6c7b9b20f9aef45e8dcb48009c8f0c0a38bd0f3b90f24a71dfbe8a54aca4 32964 
python-bson_2.5.2-1_amd64.deb
 55aa77e5e6a9cd8e9b8c4ccb4bcfc220e9583fb3a83540d4bd8332d5197267c1 33058 
python3-bson_2.5.2-1_amd64.deb
 ae994fe52b2a330cf7867b9212ad3f9219038836fe64cf9c412c888b6803e844 66524 
python-bson-ext_2.5.2-1_amd64.deb
Files: 
 90ca4bfd7f2e6089e10338a8fad6ba8a 1793 python optional pymongo_2.5.2-1.dsc
 7f5b74383acc00119b492e1a48568be6 305155 python optional 
pymongo_2.5.2.orig.tar.gz
 5e635aa19174ac8a65a718d9359c2fa9 4317 python optional 
pymongo_2.5.2-1.debian.tar.gz
 4b962188da381fdbee388c21d9150b23 110042 python optional 
python-pymongo_2.5.2-1_amd64.deb
 267f93c76692639830a74e393b6310d5 107872 python optional 
python3-pymongo_2.5.2-1_amd64.deb
 3e5526de8af4cfba5ae124e5b77d1a0e 25086 python optional 
python-pymongo-ext_2.5.2-1_amd64.deb
 17e7eed270b53cac8368fdae9c3f87c5 1096406 doc optional 
python-pymongo-doc_2.5.2-1_all.deb
 ddbfd74487d6fb902f8a0c969723744a 24364 python optional 
python-gridfs_2.5.2-1_all.deb
 edc3a029b3dea09b591d440d3dca5043 24618 python optional 
python3-gridfs_2.5.2-1_all.deb
 59775bef3b43456ce842ce071c3975a1 32964 python optional 
python-bson_2.5.2-1_amd64.deb
 1c7f4eb56dcac30936aa777d41fce4b5 33058 python optional 
python3-bson_2.5.2-1_amd64.deb
 52266b6a53c345fd96c10227b1abe7ad 66524 python optional 
python-bson-ext_2.5.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGrLSQACgkQXjJjA8mLXV3iIQCfRWf2/XPmimJumjS/NskxnDld
x6sAn1p76Je9B6fbZCb+uhsEkpPnOjRC
=KcSW
-----END PGP SIGNATURE-----

--- End Message ---