couchdb-1.2.1 is in the tree, should we stabilize it quickly?
CVE-2012-5649 JSONP arbitrary code execution with Adobe Flash Severity: Moderate Vendor: The Apache Software Foundation Affected Versions: JSONP is supported but disabled by default in all currently supported releases of Apache CouchDB. Administrator access is required to enable it. Releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable, if administrators have enabled JSONP. Description: A hand-crafted JSONP callback and response can be used to run arbitrary code inside client-side browsers via Adobe Flash. Mitigation: Upgrade to a supported release that includes this fix, such as CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which include a specific fix. Work-Around: Disable JSONP. -------- CVE-2012-5650 DOM based Cross-Site Scripting via Futon UI Affected Versions: Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable. Description: Query parameters passed into the browser-based test suite are not sanitised, and can be used to load external resources. An attacker may execute JavaScript code in the browser, using the context of the remote user. Mitigation: Upgrade to a supported release that includes this fix, such as Apache CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which include a specific fix. Work-Around: Disable the Futon user interface completely, by adapting `local.ini` and restarting CouchDB: [httpd_global_handlers] _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} Or by removing the UI test suite components: share/www/verify_install.html share/www/couch_tests.html share/www/custom_test.html Acknowledgement: This vulnerability was discovered & reported to the Apache Software Foundation by Frederik Braun https://frederik-braun.com/ -------- (In reply to comment #0) > couchdb-1.2.1 is in the tree, should we stabilize it quickly? Arches, please test and mark stable.
amd64 stable
ppc stable
x86 stable
Re-rating this as a B4: the description above neglected to mention that CVE-2012-5649 allows arbitrary execution of JSON code. GLSA vote: no.
GLSA vote: no Closing as noglsa