[Pkg-mongodb-maintainers] Bug#850931: jessie-pu: package mongodb/1:2.4.10-5

Apollon Oikonomopoulos apoikos at debian.org
Wed Jan 11 10:46:11 UTC 2017

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu

Dear SRMs,

I would like to update MongoDB in stable to fix two low-impact security 

 - CVE-2016-6494[1] is fixed by backporting the patch already applied to 
   2.6 (once in sid).

 - TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for 
   2.6[3] using the infrastructure available in MongoDB 2.4.  
   Unfortunately the mutable BSON infrastructure used in 2.6 is 
   incomplete and unusable in 2.4. I benchmarked my own version and 
   found no measurable performance impact.

Full source debdiff attached.


[1] https://security-tracker.debian.org/tracker/CVE-2016-6494
[2] https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D
[3] https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mongodb_2.4.10-5+deb8u1.diff
Type: text/x-diff
Size: 4727 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mongodb-maintainers/attachments/20170111/6a9895f8/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mongodb-maintainers/attachments/20170111/6a9895f8/attachment.sig>

More information about the Pkg-mongodb-maintainers mailing list