
Bug 312439 (CVE-2010-0009)

Summary: <dev-db/couchdb-0.11.0: Timing attacks/Information Disclosure (CVE-2010-0009)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: caleb, djc
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/bugtraq/2010/Mar/254
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 321437, 327877    
Bug Blocks:    

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 15:34:27 UTC
Versions Affected:
Apache CouchDB 0.8.0 to 0.10.1

Description:
Apache CouchDB versions prior to version 0.11.0 are vulnerable to
timing attacks, also known as side-channel information leakage,
due to using simple break-on-inequality string comparisons when
verifying hashes and passwords.

Mitigation:
All users should upgrade to CouchDB 0.11.0. Upgrades from the 0.10.x
series should be seamless.
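The description above names the bug class but not how it is exploited or fixed. The following is an added example (not CouchDB's code, and not part of the original bug report) that models the break-on-inequality comparison the advisory describes next to a constant-time replacement. Rather than measuring wall-clock time, which is noisy, each comparison returns the number of bytes it examined; that count is the work a remote attacker estimates through response timing. The function names, the hex alphabet and the SHA-1 "stored secret" are all constructed for the illustration.

```python
"""Timing side channel in string comparison: vulnerable vs. constant-time.

Added example illustrating the bug class from the advisory; not CouchDB code.
Each comparison returns (result, bytes_examined).  The second value is a
deterministic stand-in for elapsed time.
"""
from __future__ import annotations

import hashlib
import hmac


def naive_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Break-on-inequality comparison: the vulnerable pattern.

    Returns as soon as a byte differs, so the work done (and the time taken)
    grows with the length of the matching prefix.  An attacker who can time
    the server learns how many leading bytes of the guess are correct.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Examine every byte regardless of where the first mismatch is.

    ORs the XOR of each byte pair into an accumulator and inspects it only at
    the end, so for equal-length inputs the work is always len(a).  The length
    check still returns early; that is acceptable when the secret's length is
    fixed and public, as with a hex digest.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def verify_token(stored: bytes, submitted: bytes) -> bool:
    """Hardened check using the standard-library primitive for this job.

    hmac.compare_digest is the comparison to use for password hashes, API
    tokens and MAC tags in Python; the hand-rolled loop above only exists to
    expose the byte counter for the demonstration.
    """
    return hmac.compare_digest(stored, submitted)


def recover_by_work(secret: bytes, alphabet: bytes = b"0123456789abcdef") -> bytes:
    """Byte-at-a-time recovery driven only by the work counter of naive_equal.

    Models a remote attacker who submits guesses and observes how long the
    server spends comparing them.  For each position the candidate that makes
    the server examine one more byte is correct.  For the final byte the work
    count is the same for every candidate, so the attacker falls back on the
    comparison result itself (i.e. whether the login succeeded).
    """
    recovered = b""
    n = len(secret)
    for pos in range(n):
        best, best_key = None, (-1, False)
        for c in alphabet:
            # Pad with a byte that cannot appear in the hex secret.
            guess = recovered + bytes([c]) + b"\x00" * (n - pos - 1)
            ok, work = naive_equal(secret, guess)
            if (work, ok) > best_key:
                best, best_key = c, (work, ok)
        recovered += bytes([best])
    return recovered


def demo() -> tuple[bytes, bytes]:
    """Constructed stored secret (a hex digest, as a stored hash or token would be)."""
    secret = hashlib.sha1(b"constructed example secret").hexdigest().encode()
    return secret, recover_by_work(secret)


if __name__ == "__main__":
    stored, recovered = demo()
    print("stored:   ", stored.decode())
    print("recovered:", recovered.decode())
    print("naive work for 'abcd' vs 'abxx':", naive_equal(b"abcd", b"abxx")[1])
    print("constant-time work, same inputs:", constant_time_equal(b"abcd", b"abxx")[1])
```

The recovery loop needs only 16 guesses per position instead of 16^40 for the whole digest, which is why a leak of "how many leading bytes matched" is equivalent to disclosing the secret. In practice the attacker replaces the work counter with many timed requests per candidate and averages out network jitter; the fix is the same either way: compare the full length every time, via `hmac.compare_digest` or an equivalent constant-time routine in the server's language.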
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 15:34:47 UTC
Can we go stable with 0.11.0?
Comment 2 Dirkjan Ochtman (RETIRED) gentoo-dev 2010-03-31 16:06:30 UTC
I'd prefer to wait a few days or so, I ran into some issues after upgrading that I'd like to figure out first (upstream bugs, though, so maybe those don't count).
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 16:20:07 UTC
OK, let's wait seven days.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 04:04:59 UTC
CVE-2010-0009 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0009):
  Apache CouchDB 0.8.0 through 0.10.1 allows remote attackers to obtain
  sensitive information by measuring the completion time of operations
  that verify (1) hashes or (2) passwords.

Comment 5 Dirkjan Ochtman (RETIRED) gentoo-dev 2010-04-07 08:01:27 UTC
There will be a quick 0.10.2 that just solves the security problem. I'd prefer to go stable with that first.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 14:02:42 UTC
CVE-2010-0009 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0009):
  Apache CouchDB 0.8.0 through 0.10.1 allows remote attackers to obtain
  sensitive information by measuring the completion time of operations
  that verify (1) hashes or (2) passwords.

Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2010-04-11 14:42:03 UTC
feel free to bump the package, or take over its maintenance.
Comment 8 Dirkjan Ochtman (RETIRED) gentoo-dev 2010-04-11 14:54:53 UTC
Caleb: huh? I am a maintainer already.
Comment 9 Caleb Tennis (RETIRED) gentoo-dev 2010-04-11 15:07:19 UTC
ah, sorry.  I was cc'd, thinking it was mine.
Comment 10 Dirkjan Ochtman (RETIRED) gentoo-dev 2010-04-11 15:09:58 UTC
Yeah, AFAIK you and I are both listed as maintainers.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-07-18 21:38:35 UTC
Vote: NO
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:55:40 UTC
NO too, closing.