Apache CouchDB 0.8.0 to 0.10.1
Apache CouchDB versions prior to version 0.11.0 are vulnerable to
timing attacks, also known as side-channel information leakage,
due to using simple break-on-inequality string comparisons when
verifying hashes and passwords.
All users should upgrade to CouchDB 0.11.0. Upgrades from the 0.10.x
series should be seamless.
Can we go stable with 0.11.0?
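To make the advisory's point concrete, here is an added Python illustration (not CouchDB's own code, which is Erlang) of a break-on-inequality hash comparison next to a constant-time one. The stored hash, the guesses and the work counter are constructed for the example; the counter stands in for the elapsed time an attacker would measure.

```python
"""Break-on-inequality vs constant-time hash comparison (added example)."""
import hashlib
import hmac

# Constructed stored credential: a hex digest the server compares against.
STORED_HASH = hashlib.sha1(b"constructed-example-password").hexdigest().encode()


def break_on_inequality_eq(a: bytes, b: bytes) -> tuple[bool, int]:
    """Naive comparison that returns at the first differing byte.
    Returns (equal, bytes_examined); the second value is the work an
    attacker observes as completion time, and it grows with the length
    of the correct prefix in the guess."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_eq(a: bytes, b: bytes) -> tuple[bool, int]:
    """XOR-accumulate over every byte; work depends only on the length,
    never on where the inputs first differ. Equivalent in spirit to the
    standard library's hmac.compare_digest."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def guess_with_correct_prefix(stored: bytes, n: int) -> bytes:
    """Constructed guess: first n bytes right, the rest guaranteed wrong
    ('z' is never a hex digit)."""
    return stored[:n] + b"z" * (len(stored) - n)


def work_profile(stored: bytes, prefix_lengths: list[int], compare) -> list[int]:
    """Work observed for guesses sharing 0, 4, 8, ... correct leading bytes."""
    return [compare(stored, guess_with_correct_prefix(stored, n))[1]
            for n in prefix_lengths]


if __name__ == "__main__":
    lengths = [0, 4, 8, 12]
    print("break-on-inequality:", work_profile(STORED_HASH, lengths, break_on_inequality_eq))
    print("constant-time:      ", work_profile(STORED_HASH, lengths, constant_time_eq))
    assert hmac.compare_digest(STORED_HASH, STORED_HASH)
```

The first profile climbs with each correct prefix byte, which is the information leak; the second is flat.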
I'd prefer to wait a few days or so; I ran into some issues after upgrading that I'd like to figure out first (upstream bugs, though, so maybe those don't count).
OK, let's wait seven days.
Apache CouchDB 0.8.0 through 0.10.1 allows remote attackers to obtain
sensitive information by measuring the completion time of operations
that verify (1) hashes or (2) passwords.
There will be a quick 0.10.2 that just solves the security problem. I'd prefer to go stable with that first.
Feel free to bump the package, or take over its maintenance.
Caleb: huh? I am a maintainer already.
Ah, sorry. I was cc'd, thinking it was mine.
Yeah, AFAIK you and I are both listed as maintainers.
NO too, closing.