| Summary: | python-pymongo new security issue CVE-2013-2132 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | guillomovitch, sysadmin-bugs |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/553815/ | ||
| Whiteboard: | has_procedure mga3-64-ok mga3-32-ok | ||
| Source RPM: | python-pymongo-2.5-1.mga3.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2013-06-11 21:11:34 CEST
David Walser
2013-06-11 21:11:41 CEST
Whiteboard: (none) => MGA3TOO

Fixed in cauldron.

Indeed, I missed that. Fixed in python-pymongo-2.5.2-1.mga4 in Cauldron.

Version: Cauldron => 3

I applied the patch linked at the bottom of this page:
https://security-tracker.debian.org/tracker/CVE-2013-2132

It's actually the first of 4 commits mentioned on the upstream bug:
https://jira.mongodb.org/browse/PYTHON-532

So hopefully the one patch is sufficient. We can update to 2.5.2 if anyone thinks that's more appropriate.

Note to QA: reproducers in the second comment on the upstream bug.

Advisory:
========================

Updated python-pymongo packages fix security vulnerability:

PyMongo before 2.5.2 is prone to a denial-of-service vulnerability. An attacker can remotely trigger a NULL pointer dereference causing MongoDB to crash (CVE-2013-2132).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2132
http://www.debian.org/security/2013/dsa-2705
========================

Updated packages in core/updates_testing:
========================
python-pymongo-2.5-1.1.mga3
python-pymongo-gridfs-2.5-1.1.mga3
python-bson-2.5-1.1.mga3

from python-pymongo-2.5-1.1.mga3.src.rpm

CC: (none) => guillomovitch

Testing complete mga3 64

# urpmi mongodb mongodb-server
# service mongod start
$ mongo
MongoDB shell version: 2.2.2
connecting to: test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
> db.python532.insert({x : {"$ref" : "whatever"} });
Before
------
$ idle
Python 2.7.3 (default, Jan 13 2013, 20:09:12)
[GCC 4.7.2] on linux2
Type "copyright", "credits" or "license()" for more information.
>>> import pymongo
>>> pymongo.MongoClient().test.python532.find_one()
>>> ================================ RESTART ================================
>>>
After
-----
$ idle
Python 2.7.3 (default, Jan 13 2013, 20:09:12)
[GCC 4.7.2] on linux2
Type "copyright", "credits" or "license()" for more information.
>>> import pymongo
>>> pymongo.MongoClient().test.python532.find_one()
{u'x': DBRef(u'whatever', None), u'_id': ObjectId('51d2d0e6046554d4cf9caf66')}
>>>

Whiteboard: (none) => has_procedure mga3-64-ok

Testing complete mga3 32

Using python interactively..

Before
------
$ python
Python 2.7.3 (default, Jan 13 2013, 20:10:21)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pymongo
>>> pymongo.MongoClient().test.python532.find_one()
Segmentation fault

After
-----
$ python
Python 2.7.3 (default, Jan 13 2013, 20:10:21)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pymongo
>>> pymongo.MongoClient().test.python532.find_one()
{u'x': DBRef(u'whatever', None), u'_id': ObjectId('51d2d5b890a3ef1f5962359b')}
>>>

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Bug 10679 created for a mongodb bug found while removing mongodb-server

Validating. Advisory from comment 3 uploaded.

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks

Keywords: (none) => validated_update

http://advisories.mageia.org/MGASA-2013-0201.html

Status: NEW => RESOLVED
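As an added illustration, not code from this bug, from pymongo or from the patch applied here: a minimal pure-Python BSON encoder/decoder that models the DBRef decoding at the heart of PYTHON-532. A sub-document carrying "$ref" is turned into a DBRef; with assume_id=True the decoder does the unchecked "$id" lookup (a KeyError in Python, where pymongo's C extension dereferenced NULL and segfaulted as in the "Before" sessions above), while the default path decodes the reproducer {x: {"$ref": "whatever"}} to DBRef("whatever", None), matching the "After" output. DBRef, encode, decode, assume_id and regression_check are names of this example only.

```python
import struct
from collections import namedtuple

DBRef = namedtuple("DBRef", "collection id")  # stand-in for bson.dbref.DBRef

def encode(doc):
    # BSON document: int32 total size, elements, trailing NUL (str and dict values only)
    body = b"".join(_encode_element(k, v) for k, v in doc.items())
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def _encode_element(key, value):
    k = key.encode("utf-8") + b"\x00"
    if isinstance(value, str):    # 0x02 string: int32 length incl. NUL, bytes, NUL
        s = value.encode("utf-8") + b"\x00"
        return b"\x02" + k + struct.pack("<i", len(s)) + s
    if isinstance(value, dict):   # 0x03 embedded document
        return b"\x03" + k + encode(value)
    raise TypeError("unsupported value type: %r" % type(value))

def decode(data, assume_id=False):
    """Decode a BSON document; sub-documents carrying "$ref" become DBRef."""
    size = struct.unpack_from("<i", data, 0)[0]
    if size != len(data) or data[-1] != 0:
        raise ValueError("malformed BSON document")
    pos, doc = 4, {}
    while data[pos] != 0:
        etype, pos = data[pos], pos + 1
        end = data.index(b"\x00", pos)
        key, pos = data[pos:end].decode("utf-8"), end + 1
        if etype not in (0x02, 0x03):
            raise ValueError("unsupported BSON type 0x%02x" % etype)
        n = struct.unpack_from("<i", data, pos)[0]   # both types start with an int32
        if etype == 0x02:
            value, pos = data[pos + 4:pos + 3 + n].decode("utf-8"), pos + 4 + n
        else:
            value, pos = decode(data[pos:pos + n], assume_id), pos + n
        if isinstance(value, dict) and "$ref" in value:
            # assume_id=True: the pre-fix unchecked "$id" lookup (KeyError here, NULL
            # dereference in the C extension). Fixed path: missing "$id" becomes None.
            value = DBRef(value["$ref"], value["$id"] if assume_id else value.get("$id"))
        doc[key] = value
    return doc

def regression_check():
    """Run the reproducer from the bug, {x: {"$ref": "whatever"}}, both ways."""
    payload = encode({"x": {"$ref": "whatever"}})
    try:
        pre_fix = decode(payload, assume_id=True)
    except KeyError:
        pre_fix = "KeyError"
    return pre_fix, decode(payload)
```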
Nicolas Vigier
2014-05-08 18:04:29 CEST
CC: boklm => (none)