Debian Bug report logs - #710597
pymongo: CVE-2013-2132: null pointer when decoding invalid DBRef
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 1 Jun 2013 08:57:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in versions 2.2-4, 2.5-1
Fixed in versions 2.2-4+deb7u1, 2.5.2-1, pymongo/2.5.2-1
Done: Federico Ceratto <federico.ceratto@gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Federico Ceratto <federico.ceratto@gmail.com>: Bug#710597; Package pymongo. (Sat, 01 Jun 2013 08:57:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Federico Ceratto <federico.ceratto@gmail.com>. (Sat, 01 Jun 2013 08:57:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: pymongo
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for pymongo.
CVE-2013-2132[0]:
null pointer when decoding invalid DBRef
See [1] for details and the upstream bug report, including a reproducer for
the issue. A patch was applied upstream in [2].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2132
http://security-tracker.debian.org/tracker/CVE-2013-2132
[1] https://jira.mongodb.org/browse/PYTHON-532
[2] https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2
I have checked 2.2-4, which seems affected. Please adjust the affected
versions in the BTS as needed.
Thanks for your work and regards,
Salvatore
Marked as found in versions 2.2-4. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Sat, 01 Jun 2013 17:18:04 GMT)
Marked as found in versions 1.7-1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Sat, 01 Jun 2013 17:18:08 GMT)
Marked as found in versions 2.5-1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Sat, 01 Jun 2013 17:18:12 GMT)
No longer marked as found in versions 1.7-1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Sun, 02 Jun 2013 10:36:04 GMT)
Reply sent to Federico Ceratto <federico.ceratto@gmail.com>: You have taken responsibility. (Sun, 02 Jun 2013 11:51:08 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 02 Jun 2013 11:51:09 GMT)
Message #18 received at 710597-close@bugs.debian.org:
Source: pymongo
Source-Version: 2.5.2-1
We believe that the bug you reported is fixed in the latest version of
pymongo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 710597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Federico Ceratto <federico.ceratto@gmail.com> (supplier of updated pymongo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 02 Jun 2013 11:11:10 +0100
Source: pymongo
Binary: python-pymongo python3-pymongo python-pymongo-ext python-pymongo-doc python-gridfs python3-gridfs python-bson python3-bson python-bson-ext
Architecture: source amd64 all
Version: 2.5.2-1
Distribution: unstable
Urgency: high
Maintainer: Federico Ceratto <federico.ceratto@gmail.com>
Changed-By: Federico Ceratto <federico.ceratto@gmail.com>
Description:
python-bson - Python implementation of BSON for MongoDB
python-bson-ext - C-coded extension to the python-bson package
python-gridfs - Python implementation of GridFS for MongoDB
python-pymongo - Python interface to the MongoDB document-oriented database
python-pymongo-doc - Python interface to the MongoDB document-oriented database (docum
python-pymongo-ext - C-coded extension to the python-pymongo package
python3-bson - Python3 implementation of BSON for MongoDB
python3-gridfs - Python3 implementation of GridFS for MongoDB
python3-pymongo - Python3 interface to the MongoDB document-oriented database
Closes: 710597
Changes:
pymongo (2.5.2-1) unstable; urgency=high
.
* New upstream release. (Closes: #710597)
* Releasing to unstable.
Information forwarded to debian-bugs-dist@lists.debian.org, Federico Ceratto <federico.ceratto@gmail.com>: Bug#710597; Package pymongo. (Mon, 03 Jun 2013 18:06:15 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Federico Ceratto <federico.ceratto@gmail.com>. (Mon, 03 Jun 2013 18:06:15 GMT)
Message #23 received at 710597@bugs.debian.org:
On Sun, 2013-06-02 at 11:51 +0000, Debian Bug Tracking System wrote:
> > pymongo (2.5.2-1) unstable; urgency=high
> > .
> > * New upstream release. (Closes: #710597)
> > * Releasing to unstable.
Please use more descriptive changelog entries in future. #710597 was not
about a request for a new upstream release.
Regards,
Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Federico Ceratto <federico.ceratto@gmail.com>: Bug#710597; Package pymongo. (Wed, 05 Jun 2013 08:33:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Federico Ceratto <federico.ceratto@gmail.com>. (Wed, 05 Jun 2013 08:33:04 GMT)
Message #28 received at 710597@bugs.debian.org:
Hi Federico
On Sat, Jun 01, 2013 at 10:54:49AM +0200, Salvatore Bonaccorso wrote:
> Package: pymongo
> Severity: grave
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerability was published for pymongo.
>
> CVE-2013-2132[0]:
> null pointer when decoding invalid DBRef
>
> See [1] for details and the upstream bug report, including a reproducer for
> the issue. A patch was applied upstream in [2].
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2132
> http://security-tracker.debian.org/tracker/CVE-2013-2132
> [1] https://jira.mongodb.org/browse/PYTHON-532
> [2] https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2
>
> I have checked 2.2-4, which seems affected. Please adjust the affected
> versions in the BTS as needed.
Thanks for having fixed that quickly already by the upload to
unstable. Could you also prepare a fix for wheezy to be included
through a stable-proposed-update? (Note: Please contact the stable release
managers in advance before uploading, preferably via a bug report against
release.debian.org with the debdiff).
(Side note to what Adam wrote already: adding the CVE in the changelog
helps us furthermore a lot to track the issues fixed, apart from having
documented the security fix in the changelog).
Thank you for your work!
Regards,
Salvatore
Marked as fixed in versions 2.2-4+deb7u1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Mon, 10 Jun 2013 22:54:05 GMT)
Marked as fixed in versions 2.5.2-1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Mon, 10 Jun 2013 22:54:08 GMT)
Reply sent to Federico Ceratto <federico.ceratto@gmail.com>: You have taken responsibility. (Sun, 16 Jun 2013 18:36:12 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 16 Jun 2013 18:36:12 GMT)
Message #37 received at 710597-close@bugs.debian.org:
Source: pymongo
Source-Version: 2.2-4+deb7u1
We believe that the bug you reported is fixed in the latest version of
pymongo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 710597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Federico Ceratto <federico.ceratto@gmail.com> (supplier of updated pymongo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 01 Jun 2013 18:38:42 +0100
Source: pymongo
Binary: python-pymongo python-pymongo-ext python-pymongo-doc python-gridfs python-bson python-bson-ext
Architecture: source amd64 all
Version: 2.2-4+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: Federico Ceratto <federico.ceratto@gmail.com>
Changed-By: Federico Ceratto <federico.ceratto@gmail.com>
Description:
python-bson - Python implementation of BSON for MongoDB
python-bson-ext - C-coded extension to the python-bson package
python-gridfs - Python implementation of GridFS for MongoDB
python-pymongo - Python interface to the MongoDB document-oriented database
python-pymongo-doc - Python interface to the MongoDB document-oriented database (docum
python-pymongo-ext - C-coded extension to the python-pymongo package
Closes: 710597
Changes:
pymongo (2.2-4+deb7u1) stable-security; urgency=high
.
* Fix "CVE-2013-2132: null pointer when decoding invalid DBRef"
Backported upstream patches from version 2.5 (Closes: #710597)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 31 Oct 2013 07:35:53 GMT)
Last modified: Wed Jun 19 14:27:03 2019