From: http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0200.html CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache CouchDB 0.8.0 to 0.11.0 Description: Apache CouchDB versions prior to version 0.11.1 are vulnerable to cross site request forgery (CSRF) attacks. Mitigation: All users should upgrade to CouchDB 0.11.2 or 1.0.1. Upgrades from the 0.11.x and 0.10.x series should be seamless. Users on earlier versions should consult http://wiki.apache.org/couchdb/Breaking_changes Example: A malicious website can POST arbitrary JavaScript code to well known CouchDB installation URLs (like http://localhost:5984/) and make the browser execute the injected JavaScript in the security context of CouchDB's admin interface Futon. Unrelated, but in addition the JSONP API has been turned off by default to avoid potential information leakage. Credit: This CSRF issue was discovered by a source that wishes to stay anonymous. References: http://couchdb.apache.org/downloads.html http://wiki.apache.org/couchdb/Breaking_changes http://en.wikipedia.org/wiki/Cross-site_request_forgery
Should we fast-track 1.0.1 for stabilization?
(In reply to comment #1) > Should we fast-track 1.0.1 for stabilization? > If that is possible w/o causing too much migration pain for users. [1] mentions quite some things. [1] http://wiki.apache.org/couchdb/Breaking_changes
(In reply to comment #2) > (In reply to comment #1) > > Should we fast-track 1.0.1 for stabilization? > > > > If that is possible w/o causing too much migration pain for users. > [1] mentions quite some things. > > [1] http://wiki.apache.org/couchdb/Breaking_changes > Dirkjan, are you comfortable with stabilizing 1.0.1 based on the information from the URL above? Thanks!
Yeah, that would be great. Thanks!
(Sorry, I should have properly acknowledged this earlier, last week was pretty crazy. In any case, the breaking changes listed for 0.11 -> 1.0.x are really pretty minor, they shouldn't cause much breakage in practice.)
Thanks, Dirkjan. Arches, please test and mark stable: =dev-db/couchdb-1.0.1 Target keywords : "amd64 ppc x86"
x86 stable
amd64 done
*** Bug 335881 has been marked as a duplicate of this bug. ***
Marked ppc stable.
Security guys: I think this one can be closed.
GLSA vote: NO.
No too, closing, kthxbye.
