Subject: Bug#850931: jessie-pu: package mongodb/1:2.4.10-5



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@xxxxxxxxxxxxxxxxxxx
Usertags: pu

Dear SRMs,

I would like to update MongoDB in stable to fix two low-impact security
issues:

- CVE-2016-6494[1] is fixed by backporting the patch already applied to
2.6 (once in sid).

- TEMP-0833087-C5410D[2] is fixed by reimplementing upstream's fix for
2.6[3] using the infrastructure available in MongoDB 2.4.
Unfortunately the mutable BSON infrastructure used in 2.6 is
incomplete and unusable in 2.4. I benchmarked my own version and
found no measurable performance impact.

Full source debdiff attached.

Regards,
Apollon

[1] https://security-tracker.debian.org/tracker/CVE-2016-6494
[2] https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D
[3] https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12

Attachment: mongodb_2.4.10-5+deb8u1.diff
Description: Text Data

Attachment: signature.asc
Description: PGP signature


