CVE-2013-6384: applied upstream patch mongodb, db2: do not print full URL in logs...
authorThomas Goirand <thomas@goirand.fr>
Wed, 4 Dec 2013 11:47:20 +0000 (19:47 +0800)
committerThomas Goirand <thomas@goirand.fr>
Wed, 4 Dec 2013 11:47:20 +0000 (19:47 +0800)
Change-Id: I5402521051b13f562f12ec62d1bb24adbddb5c87

Rewritten-From: f27e808692305912bb1b0903102e6d86dc9bda26

trusty/debian/changelog
trusty/debian/patches/CVE-2013-6384_mongodb_db2_do_not_print_full_URL_in_logs.patch [new file with mode: 0644]
trusty/debian/patches/series

index 5a3299bfc5c472c6d17e9c7f2bb9af84cb7cb498..ad961258525990939de4b85dd3bd36353a52e976 100644 (file)
@@ -1,3 +1,10 @@
+ceilometer (2013.2-4) unstable; urgency=low
+
+  * CVE-2013-6384: applied upstream patch mongodb, db2: do not print full
+    URL in logs (Closes: #730227).
+
+ -- Thomas Goirand <zigo@debian.org>  Wed, 04 Dec 2013 19:41:05 +0800
+
 ceilometer (2013.2-3) unstable; urgency=medium
 
   * Added missing (build-)depends: python-six (>= 1.4.1).
diff --git a/trusty/debian/patches/CVE-2013-6384_mongodb_db2_do_not_print_full_URL_in_logs.patch b/trusty/debian/patches/CVE-2013-6384_mongodb_db2_do_not_print_full_URL_in_logs.patch
new file mode 100644 (file)
index 0000000..50b0fa0
--- /dev/null
@@ -0,0 +1,39 @@
+Description: mongodb, db2: do not print full URL in logs
+ The full URL used to connect to MongoDB or DB2 might contains sensitive
+ information such as username and password, so it's better to not print it at
+ all. Instead, just print the hosts that are being connected to.
+Author: Julien Danjou <julien@danjou.info>
+Date: Wed, 30 Oct 2013 14:49:33 +0000 (+0100)
+Origin: upstream, https://review.openstack.org/#/c/56396/
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fceilometer.git;a=commitdiff_plain;h=ef6c659588feff646343fd80ba3d420d9c06404b
+Bug-Ubuntu: Bug-Ubuntu: https://launchpad.net/bugs/1244476
+Bug-Debian: Bug-Debian: http://bugs.debian.org/730227
+
+diff --git a/ceilometer/storage/impl_db2.py b/ceilometer/storage/impl_db2.py
+index b44f424..5a72c1c 100644
+--- a/ceilometer/storage/impl_db2.py
++++ b/ceilometer/storage/impl_db2.py
+@@ -153,7 +153,8 @@ class ConnectionPool(object):
+             client = self._pool.get(pool_key)()
+             if client:
+                 return client
+-        LOG.info('connecting to MongoDB on %s', url)
++        LOG.info(_('Connecting to DB2 on %s'),
++                 connection_options['nodelist'])
+         client = pymongo.MongoClient(
+             url,
+             safe=True)
+diff --git a/ceilometer/storage/impl_mongodb.py b/ceilometer/storage/impl_mongodb.py
+index 9ca881c..9640ebe 100644
+--- a/ceilometer/storage/impl_mongodb.py
++++ b/ceilometer/storage/impl_mongodb.py
+@@ -155,7 +155,8 @@ class ConnectionPool(object):
+             client = self._pool.get(pool_key)()
+             if client:
+                 return client
+-        LOG.info('connecting to MongoDB on %s', url)
++        LOG.info(_('Connecting to MongoDB on %s'),
++                 connection_options['nodelist'])
+         client = pymongo.MongoClient(
+             url,
+             safe=True)
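Review bot: The added log call in both hunks reads `connection_options['nodelist']`, a name that is not defined anywhere inside the hunk; the enclosing `connect` method of `ConnectionPool` starts before the hunk, so the patch silently assumes the 2013.2 copies of impl_db2.py and impl_mongodb.py already bind `connection_options` (presumably from pymongo's URI parser) before this point — `quilt push` only proves the context lines match, not that the name exists at runtime, so this is worth confirming once on the patched tree since a miss in the pool would otherwise raise NameError. As far as I know pymongo's parsed `nodelist` is a list of `(host, port)` tuples, so the message renders as a Python list literal rather than `host:port`; something like `', '.join('%s:%s' % n for n in connection_options['nodelist'])` would read better, though that is an upstream choice and the sensitive part of the URL is gone either way. The wrapped `_('Connecting to DB2 on %s')` / `_('Connecting to MongoDB on %s')` form also requires `_` to be imported in both modules already. Note that the impl_db2.py hunk additionally changes the message text from 'MongoDB' to 'DB2', which looks intended but is not mentioned in the changelog entry.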
index 31b8fb8193ce160eb2e74e71ab1cc813f4ed3dbb..4edfc30b56772907a276481699b6f540968f8d7a 100644 (file)
@@ -1 +1,2 @@
 removes-sqlalchemy-restriction.patch
+CVE-2013-6384_mongodb_db2_do_not_print_full_URL_in_logs.patch