From 324e6bd867a6f052aac3d868e0674ff67aa3d37c Mon Sep 17 00:00:00 2001
From: Thomas Goirand
Date: Wed, 4 Dec 2013 19:47:20 +0800
Subject: [PATCH] CVE-2013-6384: applied upstream patch mongodb, db2: do not print full URL in logs (Closes: #730227)
Change-Id: I5402521051b13f562f12ec62d1bb24adbddb5c87
Rewritten-From: f27e808692305912bb1b0903102e6d86dc9bda26
---
 xenial/debian/changelog | 7 ++++
 ...db_db2_do_not_print_full_URL_in_logs.patch | 39 +++++++++++++++++++
 xenial/debian/patches/series | 1 +
 3 files changed, 47 insertions(+)
 create mode 100644 xenial/debian/patches/CVE-2013-6384_mongodb_db2_do_not_print_full_URL_in_logs.patch
diff --git a/xenial/debian/changelog b/xenial/debian/changelog
index 5a3299b..ad96125 100644
--- a/xenial/debian/changelog
+++ b/xenial/debian/changelog
@@ -1,3 +1,10 @@
+ceilometer (2013.2-4) unstable; urgency=low
+
+ * CVE-2013-6384: applied upstream patch mongodb, db2: do not print full
+ URL in logs (Closes: #730227).
+
+ -- Thomas Goirand Wed, 04 Dec 2013 19:41:05 +0800
+
 ceilometer (2013.2-3) unstable; urgency=medium

 * Added missing (build-)depends: python-six (>= 1.4.1).
diff --git a/xenial/debian/patches/CVE-2013-6384_mongodb_db2_do_not_print_full_URL_in_logs.patch b/xenial/debian/patches/CVE-2013-6384_mongodb_db2_do_not_print_full_URL_in_logs.patch
new file mode 100644
index 0000000..50b0fa0
--- /dev/null
+++ b/xenial/debian/patches/CVE-2013-6384_mongodb_db2_do_not_print_full_URL_in_logs.patch
@@ -0,0 +1,39 @@
+Description: mongodb, db2: do not print full URL in logs
+ The full URL used to connect to MongoDB or DB2 might contains sensitive
+ information such as username and password, so it's better to not print it at
+ all. Instead, just print the hosts that are being connected to.
+Author: Julien Danjou
+Date: Wed, 30 Oct 2013 14:49:33 +0000 (+0100)
+Origin: upstream, https://review.openstack.org/#/c/56396/
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fceilometer.git;a=commitdiff_plain;h=ef6c659588feff646343fd80ba3d420d9c06404b
+Bug-Ubuntu: Bug-Ubuntu: https://launchpad.net/bugs/1244476
+Bug-Debian: Bug-Debian: http://bugs.debian.org/730227
+
+diff --git a/ceilometer/storage/impl_db2.py b/ceilometer/storage/impl_db2.py
+index b44f424..5a72c1c 100644
+--- a/ceilometer/storage/impl_db2.py
++++ b/ceilometer/storage/impl_db2.py
+@@ -153,7 +153,8 @@ class ConnectionPool(object):
+ client = self._pool.get(pool_key)()
+ if client:
+ return client
+- LOG.info('connecting to MongoDB on %s', url)
++ LOG.info(_('Connecting to DB2 on %s'),
++ connection_options['nodelist'])
+ client = pymongo.MongoClient(
+ url,
+ safe=True)
+diff --git a/ceilometer/storage/impl_mongodb.py b/ceilometer/storage/impl_mongodb.py
+index 9ca881c..9640ebe 100644
+--- a/ceilometer/storage/impl_mongodb.py
++++ b/ceilometer/storage/impl_mongodb.py
+@@ -155,7 +155,8 @@ class ConnectionPool(object):
+ client = self._pool.get(pool_key)()
+ if client:
+ return client
+- LOG.info('connecting to MongoDB on %s', url)
++ LOG.info(_('Connecting to MongoDB on %s'),
++ connection_options['nodelist'])
+ client = pymongo.MongoClient(
+ url,
+ safe=True)
diff --git a/xenial/debian/patches/series b/xenial/debian/patches/series
index 31b8fb8..4edfc30 100644
--- a/xenial/debian/patches/series
+++ b/xenial/debian/patches/series
@@ -1 +1,2 @@
 removes-sqlalchemy-restriction.patch
+CVE-2013-6384_mongodb_db2_do_not_print_full_URL_in_logs.patch
-- 
2.32.3
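Review bot: The DEP-3 header of the new patch file repeats the field name inside the value on two lines, `+Bug-Ubuntu: Bug-Ubuntu: https://launchpad.net/bugs/1244476` and `+Bug-Debian: Bug-Debian: http://bugs.debian.org/730227`; they should read `Bug-Ubuntu: https://launchpad.net/bugs/1244476` and `Bug-Debian: http://bugs.debian.org/730227` so patch-tracking tooling parses the bug references. The replacement log calls in both embedded hunks wrap the message in `_()` and read `connection_options['nodelist']`, neither of which appears in the shown context; the enclosing method of `ConnectionPool` starts outside the hunk, so confirm both names are already in scope in impl_db2.py and impl_mongodb.py before applying. The change does remove the credentialed URL from the info log, but `url` is still passed to `pymongo.MongoClient` two lines later, so a connection error raised there may still surface it in a traceback or log; if that is a concern, catch the connection failure and re-raise with only the nodelist in the message.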