mongodb: CVE-2015-1609: BSON Handling Remote Denial of Service

Related Vulnerabilities: CVE-2015-1609  

Debian Bug report logs - #780129


Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 9 Mar 2015 14:57:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version mongodb/1:2.4.10-4

Fixed in version mongodb/1:2.4.10-5

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#780129; Package mongodb. (Mon, 09 Mar 2015 14:57:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 09 Mar 2015 14:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: mongodb: CVE-2015-1609: BSON Handling Remote Denial of Service
Date: Mon, 9 Mar 2015 16:54:43 +0200
Package: mongodb
Version: 1:2.4.10-4
Severity: important
Tags: security, fixed-upstream, upstream

Please see for more details:
  https://jira.mongodb.org/browse/SERVER-17264

-- 
Henri Salo



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Tue, 10 Mar 2015 06:39:06 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 10 Mar 2015 06:39:06 GMT)


Message #10 received at 780129-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 780129-close@bugs.debian.org
Subject: Bug#780129: fixed in mongodb 1:2.4.10-5
Date: Tue, 10 Mar 2015 06:34:05 +0000
Source: mongodb
Source-Version: 1:2.4.10-5

We believe that the bug you reported is fixed in the latest version of
mongodb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780129@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated mongodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 09 Mar 2015 21:21:24 +0000
Source: mongodb
Binary: mongodb mongodb-server mongodb-clients mongodb-dev
Architecture: source amd64
Version: 1:2.4.10-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 mongodb    - object/document-oriented database (metapackage)
 mongodb-clients - object/document-oriented database (client apps)
 mongodb-dev - object/document-oriented database (development)
 mongodb-server - object/document-oriented database (server package)
Closes: 780129
Changes:
 mongodb (1:2.4.10-5) unstable; urgency=high
 .
   * Use upstream backported fix for CVE-2015-1609 (closes: #780129).





Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#780129; Package mongodb. (Tue, 10 Mar 2015 15:27:05 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 10 Mar 2015 15:27:05 GMT)


Message #15 received at 780129@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Laszlo Boszormenyi <gcs@debian.org>, 780129@bugs.debian.org
Cc: debian-lts@lists.debian.org, kapouer@melix.org
Subject: Does CVE-2015-1609 apply to squeeze's version of mongodb?
Date: Tue, 10 Mar 2015 16:24:37 +0100
Hello Laszlo,

I'm wondering whether CVE-2015-1609 is affecting the squeeze version. The
code base is vastly different between 1.4.4 and the current supported
releases.

The upstream announcement mentions that it affects all "production releases"
but 1.4.4 is not part of the current production releases AFAIU.

I don't have any specific knowledge of that codebase and would like to
have your analysis on this issue.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#780129; Package mongodb. (Tue, 10 Mar 2015 17:21:08 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 10 Mar 2015 17:21:08 GMT)


Message #20 received at 780129@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Raphael Hertzog <hertzog@debian.org>, 780129@bugs.debian.org, debian-lts@lists.debian.org, Jérémy Lal <kapouer@melix.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Does CVE-2015-1609 apply to squeeze's version of mongodb?
Date: Tue, 10 Mar 2015 18:18:38 +0100
Hi Raphaël, others,

On Tue, Mar 10, 2015 at 4:24 PM, Raphael Hertzog <hertzog@debian.org> wrote:
> I'm wondering whether CVE-2015-1609 is affecting the squeeze version. The
> code base is vastly different between 1.4.4 and the current supported
> releases.
I think it's not affected, but I'm not a security expert and don't
have the exploit to test it against 1.4.x versions. I think the Wheezy
version (v2.0) is not affected either. BSON support is modularized in
it, but I can't find the affected file or the function in the source.
It would be much better if someone with more security knowledge
could confirm or refute me in this matter.

> The upstream announcement mentions that it affects all "production releases"
> but 1.4.4 is not part of the current production releases AFAIU.
Sure, 1.4.4 is way too old, released in June 2010. As far as I know,
versions 2.4 to 3.0 are supported. But to answer your question, BSON
support was already part of MongoDB at that time. It was integrated and
was not a separate part of the project as it is now. I think the
modularity came somewhere before the 2.0 versions (it was incremental
in between, 1.5, 1.6 to 1.9 and so on).

> I don't have any specific knowledge of that codebase and would like to
> have your analysis on this issue.
Beware, I don't have detailed knowledge of the source either, as I'm
not affiliated with MongoDB, Inc. in any way.

Regards,
Laszlo/GCS



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#780129; Package mongodb. (Mon, 23 Mar 2015 14:42:04 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 23 Mar 2015 14:42:04 GMT)


Message #25 received at 780129@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: 780129@bugs.debian.org, debian-lts@lists.debian.org, Jérémy Lal <kapouer@melix.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Does CVE-2015-1609 apply to squeeze's version of mongodb?
Date: Mon, 23 Mar 2015 15:39:03 +0100
Hi,

On Tue, 10 Mar 2015, László Böszörményi (GCS) wrote:
> On Tue, Mar 10, 2015 at 4:24 PM, Raphael Hertzog <hertzog@debian.org> wrote:
> > I'm wondering whether CVE-2015-1609 is affecting the squeeze version. The
> > code base is vastly different between 1.4.4 and the current supported
> > releases.
> I think it's not affected, but I'm not a security expert and don't
> have the exploit to test it against 1.4.x versions. I think the Wheezy
> version (v2.0) is not affected either. BSON support is modularized in
> it, but I can't find the affected file or the function in the source.
> It would be much better if someone with more security knowledge
> could confirm or refute me in this matter.

Do you know some upstream developers who could confirm or refute this?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 21 Apr 2015 07:26:34 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:23:59 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.