Versions Affected: Apache CouchDB 0.8.0 to 0.10.1
Description: Apache CouchDB versions prior to version 0.11.0 are vulnerable to timing attacks, also known as side-channel information leakage, due to using simple break-on-inequality string comparisons when verifying hashes and passwords.
Mitigation: All users should upgrade to CouchDB 0.11.0. Upgrades from the 0.10.x series should be seamless.
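The break-on-inequality comparison the advisory describes, beside a constant-time replacement, as an added example in Python (not CouchDB's own Erlang code and not part of this bug report); the byte counter each function returns is a constructed stand-in for elapsed time, which is what makes the leak visible without a stopwatch.

```python
import hmac


def compare_break_on_inequality(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Naive check of the kind CouchDB < 0.11.0 used: stops at the first
    mismatching byte. Returns (equal, bytes_examined); the count grows with
    the length of the matching prefix, so the verifier's run time reveals
    how much of the secret the caller already has right."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def compare_constant_time(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Examines every byte and accumulates differences with OR, so the work
    done does not depend on where (or whether) the inputs differ. Only the
    length check can still vary, which is fine for fixed-size hashes."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for a, b in zip(expected, supplied):
        diff |= a ^ b
    return diff == 0, len(expected)


def verify_digest(expected: bytes, supplied: bytes) -> bool:
    """What a production verifier should call: the standard-library helper,
    which is constant-time for equal-length inputs."""
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed sample: a stored digest and guesses with growing correct prefixes.
    stored = b"3f2a9c1e0b7d4a66"
    for guess in (b"0000000000000000", b"3f2a000000000000", b"3f2a9c1e0b7d0000"):
        _, leaky = compare_break_on_inequality(stored, guess)
        _, flat = compare_constant_time(stored, guess)
        print(f"{guess!r}: naive examined {leaky:2d} bytes, constant-time {flat:2d}")
```

The naive counts (1, 5, 13) climb with the matching prefix while the constant-time counts are all 16, which is the difference the upgrade to 0.11.0 removes.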
Can we go stable with 0.11.0?
I'd prefer to wait a few days or so, I ran into some issues after upgrading that I'd like to figure out first (upstream bugs, though, so maybe those don't count).
OK, let's wait seven days.
CVE-2010-0009 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0009): Apache CouchDB 0.8.0 through 0.10.1 allows remote attackers to obtain sensitive information by measuring the completion time of operations that verify (1) hashes or (2) passwords.
There will be a quick 0.10.2 that just solves the security problem. I'd prefer to go stable with that first.
Feel free to bump the package, or take over its maintenance.
Caleb: huh? I am a maintainer already.
Ah, sorry. I was cc'd, thinking it was mine.
Yeah, AFAIK you and I are both listed as maintainers.
Vote: NO
NO too, closing.