[Secure-testing-commits] r34595 - data/CVE

Guido Guenther agx at moszumanska.debian.org
Sat May 30 13:49:00 UTC 2015


Author: agx
Date: 2015-05-30 13:49:00 +0000 (Sat, 30 May 2015)
New Revision: 34595

Modified:
   data/CVE/list
Log:
Mark CVE-2015-1609/mongodb as not affected in squeeze

BSONElement::validate() in this version properly checks if the
string length is > 0 in:

  ...
  case String: {
            int x = valuestrsize();
            if ( x > 0 && valuestr()[x-1] == 0 )
                return;

  ...

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-05-30 13:44:10 UTC (rev 34594)
+++ data/CVE/list	2015-05-30 13:49:00 UTC (rev 34595)
@@ -6741,6 +6741,7 @@
 	RESERVED
 CVE-2015-1609 (MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers ...)
 	- mongodb 1:2.4.10-5 (bug #780129)
+	[squeeze] - mongodb <not-affected> (BSONElement::validate() checks length (db/jsobj.cpp +589))
 	NOTE: https://jira.mongodb.org/browse/SERVER-17264
 CVE-2015-1608 (Topline Opportunity Form (aka XLS Opp form) before 2015-02-15 does not ...)
 	NOT-FOR-US: Topline Opportunity Form
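Review bot: The justification on the added `[squeeze]` line cites `db/jsobj.cpp +589` without naming the mongodb version in squeeze that the line number belongs to, so the pointer is hard to verify later; consider adding the squeeze package version or citing the function name alone. The parenthetical also says only "checks length", while the log message quotes the check as `x > 0 && valuestr()[x-1] == 0` under `case String:`. Saying that the String case requires a non-zero size and a trailing NUL would record what was actually reviewed and make clear that the conclusion rests on that case.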



