Return-Path:
X-Original-To: apmail-couchdb-commits-archive@www.apache.org
Delivered-To: apmail-couchdb-commits-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3A54510D2C for ; Fri, 9 Aug 2013 12:17:09 +0000 (UTC)
Received: (qmail 78702 invoked by uid 500); 9 Aug 2013 12:17:09 -0000
Delivered-To: apmail-couchdb-commits-archive@couchdb.apache.org
Received: (qmail 78571 invoked by uid 500); 9 Aug 2013 12:17:08 -0000
Mailing-List: contact commits-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: dev@couchdb.apache.org
Delivered-To: mailing list commits@couchdb.apache.org
Received: (qmail 78564 invoked by uid 99); 9 Aug 2013 12:17:07 -0000
Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 09 Aug 2013 12:17:07 +0000
Received: by tyr.zones.apache.org (Postfix, from userid 65534) id A52C08BAD0F; Fri, 9 Aug 2013 12:17:07 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: kxepal@apache.org
To: commits@couchdb.apache.org
Message-Id: <0551b378a0d74629bc417d3057e2fa25@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: git commit: updated refs/heads/1781-reorganize-and-improve-docs to cb78447
Date: Fri, 9 Aug 2013 12:17:07 +0000 (UTC)

Updated Branches:
  refs/heads/1781-reorganize-and-improve-docs f2a0c9369 -> cb7844722

Add CVE information.

Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/cb784472
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/cb784472
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/cb784472

Branch: refs/heads/1781-reorganize-and-improve-docs
Commit: cb7844722e53f6cbb8fe234b8d2b4e6370a9566a
Parents: f2a0c93
Author: Alexander Shorin
Authored: Fri Aug 9 16:16:43 2013 +0400
Committer: Alexander Shorin
Committed: Fri Aug 9 16:16:43 2013 +0400

----------------------------------------------------------------------
 share/doc/build/Makefile.am      | 21 ++++++++++
 share/doc/src/cve/2010-0009.rst  | 54 ++++++++++++++++++++++++
 share/doc/src/cve/2010-2234.rst  | 64 +++++++++++++++++++++++++++++
 share/doc/src/cve/2010-3854.rst  | 57 ++++++++++++++++++++++++++
 share/doc/src/cve/2012-5641.rst  | 77 +++++++++++++++++++++++++++++++++++
 share/doc/src/cve/2012-5649.rst  | 50 +++++++++++++++++++++++
 share/doc/src/cve/2012-5650.rst  | 69 +++++++++++++++++++++++++++++++
 share/doc/src/cve/index.rst      | 73 +++++++++++++++++++++++++++++++++
 share/doc/src/index.rst          |  1 +
 share/doc/src/whatsnew/0.10.rst  |  8 +++-
 share/doc/src/whatsnew/0.11.rst  |  7 +++-
 share/doc/src/whatsnew/1.0.rst   | 14 ++++---
 share/doc/src/whatsnew/1.1.rst   | 20 ++++++---
 share/doc/src/whatsnew/1.2.rst   | 14 ++++---
 share/doc/src/whatsnew/index.rst |  2 +
 15 files changed, 511 insertions(+), 20 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/build/Makefile.am
---------------------------------------------------------------------- diff --git a/share/doc/build/Makefile.am b/share/doc/build/Makefile.am index ad10df9..a4d1c06 100644 --- a/share/doc/build/Makefile.am +++ b/share/doc/build/Makefile.am @@ -94,6 +94,13 @@ html_files = \ html/_sources/couchapp/views/intro.txt \ html/_sources/couchapp/views/joins.txt \ html/_sources/couchapp/views/nosql.txt \ + html/_sources/cve/2010-0009.txt \ + html/_sources/cve/2010-2234.txt \ + html/_sources/cve/2010-3854.txt \ + html/_sources/cve/2012-5641.txt \ + html/_sources/cve/2012-5649.txt \ + html/_sources/cve/2012-5650.txt \ + html/_sources/cve/index.txt \ html/_sources/fauxton/addons.txt \ html/_sources/fauxton/index.txt \ html/_sources/fauxton/install.txt \ @@ -195,6 +202,13 @@ html_files = \ html/couchapp/views/intro.html \ html/couchapp/views/joins.html \ html/couchapp/views/nosql.html \ + html/cve/2010-0009.html \ + html/cve/2010-2234.html \ + html/cve/2010-3854.html \ + html/cve/2012-5641.html \ + html/cve/2012-5649.html \ + html/cve/2012-5650.html \ + html/cve/index.html \ html/fauxton/addons.html \ html/fauxton/index.html \ html/fauxton/install.html \ @@ -294,6 +308,13 @@ src_files = \ ../src/couchapp/views/intro.rst \ ../src/couchapp/views/joins.rst \ ../src/couchapp/views/nosql.rst \ + ../src/cve/2010-0009.rst \ + ../src/cve/2010-2234.rst \ + ../src/cve/2010-3854.rst \ + ../src/cve/2012-5641.rst \ + ../src/cve/2012-5649.rst \ + ../src/cve/2012-5650.rst \ + ../src/cve/index.rst \ ../src/fauxton/addons.rst \ ../src/fauxton/index.rst \ ../src/fauxton/install.rst \ http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2010-0009.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/cve/2010-0009.rst b/share/doc/src/cve/2010-0009.rst new file mode 100644 index 0000000..99d409f --- /dev/null +++ b/share/doc/src/cve/2010-0009.rst 
@@ -0,0 +1,54 @@ +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not +.. use this file except in compliance with the License. You may obtain a copy of +.. the License at +.. +.. http://www.apache.org/licenses/LICENSE-2.0 +.. +.. Unless required by applicable law or agreed to in writing, software +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +.. License for the specific language governing permissions and limitations under +.. the License. + + +.. _cve/2010-0009: + +========================================================= +CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability +========================================================= + +:Date: 31.03.2010 + +:Affected: Apache CouchDB 0.8.0 to 0.10.1 + +:Severity: Important + +:Vendor: The Apache Software Foundation + +Description +=========== + +Apache CouchDB versions prior to version :ref:`0.11.0 ` are +vulnerable to timing attacks, also known as side-channel information leakage, +due to using simple break-on-inequality string comparisons when verifying hashes +and passwords. + +Mitigation +========== + +All users should upgrade to CouchDB :ref:`0.11.0 `. +Upgrades from the :ref:`0.10.x ` series should be seamless. +Users on earlier versions should consult with +:ref:`upgrade notes `. + +Example +======= + +A canonical description of the attack can be found in +http://codahale.com/a-lesson-in-timing-attacks/ + +Credit +====== + +This issue was discovered by *Jason Davies* of the Apache CouchDB development +team. http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2010-2234.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/cve/2010-2234.rst b/share/doc/src/cve/2010-2234.rst new file mode 100644 index 0000000..799780f --- /dev/null +++ b/share/doc/src/cve/2010-2234.rst 
@@ -0,0 +1,64 @@ +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not +.. use this file except in compliance with the License. You may obtain a copy of +.. the License at +.. +.. http://www.apache.org/licenses/LICENSE-2.0 +.. +.. Unless required by applicable law or agreed to in writing, software +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +.. License for the specific language governing permissions and limitations under +.. the License. + + +.. _cve/2010-2234: + +=============================================================== +CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack +=============================================================== + +:Date: 21.02.2010 + +:Affected: Apache CouchDB 0.8.0 to 0.11.1 + +:Severity: Important + +:Vendor: The Apache Software Foundation + + +Description +=========== + +Apache CouchDB versions prior to version :ref:`0.11.1 ` are +vulnerable to `Cross Site Request Forgery`_ (CSRF) attacks. + +.. _Cross Site Request Forgery: http://en.wikipedia.org/wiki/Cross-site_request_forgery + +Mitigation +========== + +All users should upgrade to CouchDB :ref:`0.11.2 ` +or :ref:`1.0.1 `. + +Upgrades from the :ref:`0.11.x ` and +:ref:`0.10.x ` series should be seamless. + +Users on earlier versions should consult with upgrade notes. + +Example +======= + +A malicious website can `POST` arbitrary JavaScript code to well +known CouchDB installation URLs (like http://localhost:5984/) +and make the browser execute the injected JavaScript in the +security context of CouchDB's admin interface Futon. + +Unrelated, but in addition the JSONP API has been turned off +by default to avoid potential information leakage. + +Credit +====== + +This CSRF issue was discovered by a source that wishes to stay +anonymous. 
+ http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2010-3854.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/cve/2010-3854.rst b/share/doc/src/cve/2010-3854.rst new file mode 100644 index 0000000..3d59060 --- /dev/null +++ b/share/doc/src/cve/2010-3854.rst 
@@ -0,0 +1,57 @@ +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not +.. use this file except in compliance with the License. You may obtain a copy of +.. the License at +.. +.. http://www.apache.org/licenses/LICENSE-2.0 +.. +.. Unless required by applicable law or agreed to in writing, software +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +.. License for the specific language governing permissions and limitations under +.. the License. + + +.. _cve/2010-3854: + +======================================================== +CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue +======================================================== + +:Date: 28.01.2011 + +:Affected: Apache CouchDB 0.8.0 to 1.0.1 + +:Severity: Important + +:Vendor: The Apache Software Foundation + + +Description +=========== + +Apache CouchDB versions prior to version :ref:`1.0.2 ` are +vulnerable to `Cross Site Scripting`_ (XSS) attacks. + +.. _Cross Site Scripting: http://en.wikipedia.org/wiki/Cross-site_scripting + +Mitigation +========== + +All users should upgrade to CouchDB :ref:`1.0.2 `. + +Upgrades from the :ref:`0.11.x ` and +:ref:`0.10.x ` series should be seamless. + +Users on earlier versions should consult with upgrade notes. + +Example +======= + +Due to inadequate validation of request parameters and cookie data in Futon, +CouchDB's web-based administration UI, a malicious site can execute arbitrary +code in the context of a user's browsing session. + +Credit +====== + +This XSS issue was discovered by a source that wishes to stay anonymous. http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2012-5641.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/cve/2012-5641.rst b/share/doc/src/cve/2012-5641.rst new file mode 100644 index 0000000..7400b2f --- /dev/null 
+++ b/share/doc/src/cve/2012-5641.rst 
@@ -0,0 +1,77 @@ +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not +.. use this file except in compliance with the License. You may obtain a copy of +.. the License at +.. +.. http://www.apache.org/licenses/LICENSE-2.0 +.. +.. Unless required by applicable law or agreed to in writing, software +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +.. License for the specific language governing permissions and limitations under +.. the License. + + +.. _cve/2012-5641: + +================================================================================== +CVE-2012-5641: Information disclosure via unescaped backslashes in URLs on Windows +================================================================================== + +:Date: 14.01.2013 + +:Affected: All Windows-based releases of Apache CouchDB, up to and including + 1.0.3, 1.1.1, and 1.2.0 are vulnerable. + +:Severity: Moderate + +:Vendor: The Apache Software Foundation + +Description +=========== + +A specially crafted request could be used to access content directly that +would otherwise be protected by inbuilt CouchDB security mechanisms. This +request could retrieve in binary form any CouchDB database, including the +`_users` or `_replication` databases, or any other file that the user account +used to run CouchDB might have read access to on the local filesystem. This +exploit is due to a vulnerability in the included MochiWeb HTTP library. + +Mitigation +========== + +Upgrade to a supported CouchDB release that includes this fix, such as: + +- :ref:`1.0.4 ` +- :ref:`1.1.2 ` +- :ref:`1.2.1 ` +- :ref:`1.3.x ` + +All listed releases have included a specific fix for the MochiWeb component. + +Work-Around +=========== + +Users may simply exclude any file-based web serving components directly +within their configuration file, typically in `local.ini`. 
On a default +CouchDB installation, this requires amending the +:ref:`config/httpd_global_handlers/favicon.ico` and +:ref:`config/httpd_global_handlers/_utils` lines within +``[httpd_global_handlers]``:: + + [httpd_global_handlers] + favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} + _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} + +If additional handlers have been added, such as to support Adobe's Flash +`crossdomain.xml` files, these would also need to be excluded. + +Acknowledgement +=============== + +The issue was found and reported by Sriram Melkote to the upstream MochiWeb +project. + +References +========== + +- https://github.com/melkote/mochiweb/commit/ac2bf http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2012-5649.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/cve/2012-5649.rst b/share/doc/src/cve/2012-5649.rst new file mode 100644 index 0000000..af48ff2 --- /dev/null +++ b/share/doc/src/cve/2012-5649.rst 
@@ -0,0 +1,50 @@ +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not +.. use this file except in compliance with the License. You may obtain a copy of +.. the License at +.. +.. http://www.apache.org/licenses/LICENSE-2.0 +.. +.. Unless required by applicable law or agreed to in writing, software +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +.. License for the specific language governing permissions and limitations under +.. the License. + + +.. _cve/2012-5649: + +============================================================== +CVE-2012-5649: JSONP arbitrary code execution with Adobe Flash +============================================================== + +:Date: 14.01.2013 + +:Affected: Releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable, + if administrators have enabled JSONP. + +:Severity: Moderate + +:Vendor: The Apache Software Foundation + +Description +=========== + +A hand-crafted JSONP callback and response can be used to run arbitrary code +inside client-side browsers via Adobe Flash. + +Mitigation +========== + +Upgrade to a supported CouchDB release that includes this fix, such as: + +- :ref:`1.0.4 ` +- :ref:`1.1.2 ` +- :ref:`1.2.1 ` +- :ref:`1.3.x ` + +All listed releases have included a specific fix. + +Work-Around +=========== + +Disable JSONP or don't enable it since it's disabled by default. http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2012-5650.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/cve/2012-5650.rst b/share/doc/src/cve/2012-5650.rst new file mode 100644 index 0000000..1e8bc50 --- /dev/null +++ b/share/doc/src/cve/2012-5650.rst 
@@ -0,0 +1,69 @@ +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not +.. use this file except in compliance with the License. You may obtain a copy of +.. the License at +.. +.. http://www.apache.org/licenses/LICENSE-2.0 +.. +.. Unless required by applicable law or agreed to in writing, software +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +.. License for the specific language governing permissions and limitations under +.. the License. + + +.. _cve/2012-5650: + +========================================================== +CVE-2012-5650: DOM based Cross-Site Scripting via Futon UI +========================================================== + +:Date: 14.01.2013 + +:Affected: Apache CouchDB releases up to and including 1.0.3, 1.1.1, + and 1.2.0 are vulnerable. + +:Severity: Moderate + +:Vendor: The Apache Software Foundation + +Description +=========== + +Query parameters passed into the browser-based test suite are not sanitised, +and can be used to load external resources. An attacker may execute JavaScript +code in the browser, using the context of the remote user. + +Mitigation +========== + +Upgrade to a supported CouchDB release that includes this fix, such as: + +- :ref:`1.0.4 ` +- :ref:`1.1.2 ` +- :ref:`1.2.1 ` +- :ref:`1.3.x ` + +All listed releases have included a specific fix. + +Work-Around +=========== + +Disable the Futon user interface completely, by adapting `local.ini` and +restarting CouchDB:: + + [httpd_global_handlers] + _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>} + +Or by removing the UI test suite components: + +- share/www/verify_install.html +- share/www/couch_tests.html +- share/www/custom_test.html + +Acknowledgement +=============== + +This vulnerability was discovered & reported to the Apache Software Foundation +by `Frederik Braun`_. + +.. 
_Frederik Braun: https://frederik-braun.com/ http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/index.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/cve/index.rst b/share/doc/src/cve/index.rst new file mode 100644 index 0000000..3af7ab9 --- /dev/null +++ b/share/doc/src/cve/index.rst 
@@ -0,0 +1,73 @@ +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not +.. use this file except in compliance with the License. You may obtain a copy of +.. the License at +.. +.. http://www.apache.org/licenses/LICENSE-2.0 +.. +.. Unless required by applicable law or agreed to in writing, software +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +.. License for the specific language governing permissions and limitations under +.. the License. + + +.. _cve: + +Security Issues Information +=========================== + +.. toctree:: + :maxdepth: 1 + :glob: + + * + +.. _cve/report: + +Reporting New Security Problems with Apache CouchDB +=================================================== + +The Apache Software Foundation takes a very active stance in eliminating +security problems and denial of service attacks against Apache CouchDB. + +We strongly encourage folks to report such problems to our private security +mailing list first, before disclosing them in a public forum. + +Please note that the security mailing list should only be used for reporting +undisclosed security vulnerabilities in Apache CouchDB and managing the +process of fixing such vulnerabilities. We cannot accept regular bug reports +or other queries at this address. All mail sent to this address that does not +relate to an undisclosed security problem in the Apache CouchDB source code +will be ignored. + +If you need to report a bug that isn't an undisclosed security vulnerability, +please use the `bug reporting page`_. + +Questions about: + +- How to configure CouchDB securely +- If a vulnerability applies to your particular application +- Obtaining further information on a published vulnerability +- Availability of patches and/or new releases + +should be address to the `users mailing list`_. Please see the `mailing +lists page`_ for details of how to subscribe. 
+ +The private security mailing address is: `security@couchdb.apache.org`_ + +Please read `how the Apache Software Foundation handles security`_ reports to +know what to expect. + +Note that all networked servers are subject to denial of service attacks, +and we cannot promise magic workarounds to generic problems (such as a client +streaming lots of data to your server, or re-requesting the same URL +repeatedly). In general our philosophy is to avoid any attacks which can +cause the server to consume resources in a non-linear relationship to the +size of inputs. + +.. _bug reporting page: https://issues.apache.org/jira/browse/COUCHDB +.. _mailing lists page: http://couchdb.apache.org/#mailing-list +.. _how the Apache Software Foundation handles security: http://apache.org/security/committers.html +.. _security@couchdb.apache.org: mailto:security@couchdb.apache.org +.. _users mailing list: mailto:user@couchdb.apache.org + http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/index.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/index.rst b/share/doc/src/index.rst index 0ad38b1..1262375 100644 --- a/share/doc/src/index.rst +++ b/share/doc/src/index.rst @@ -39,6 +39,7 @@ Contents json-structure contributing whatsnew/index + cve/index .. This is how you get a TM sign into a link. Haha. Seriously. .. |Apache CouchDB(TM)| unicode:: Apache U+0020 CouchDB U+2122 http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/0.10.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/whatsnew/0.10.rst b/share/doc/src/whatsnew/0.10.rst index c628e1f..c68d152 100644 --- a/share/doc/src/whatsnew/0.10.rst +++ b/share/doc/src/whatsnew/0.10.rst 
@@ -27,6 +27,11 @@ Upgrade Notes ============= +.. warning:: + + :ref:`release/0.10.2` contains important security fixes. Previous `0.10.x` + releases are not recommended for regular usage. + Modular Configuration Directories --------------------------------- @@ -67,6 +72,7 @@ View query reduce parameter strictness CouchDB now considers the parameter ``reduce=false`` to be an error for queries of map-only views, and responds with status code 400. + .. _release/0.10.2: Version 0.10.2 @@ -80,7 +86,7 @@ Build and System Integration Security -------- -* Fixed CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability +* Fixed :ref:`cve/2010-0009` Replicator ---------- http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/0.11.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/whatsnew/0.11.rst b/share/doc/src/whatsnew/0.11.rst index 6db258a..4e184c6 100644 --- a/share/doc/src/whatsnew/0.11.rst +++ b/share/doc/src/whatsnew/0.11.rst @@ -27,6 +27,11 @@ Upgrade Notes ============= +.. warning:: + + :ref:`release/0.11.2` contains important security fixes. Previous `0.11.x` + releases are not recommended for regular usage. + Changes Between 0.11.0 and 0.11.1 --------------------------------- @@ -149,7 +154,7 @@ Security -------- * Avoid potential DOS attack by guarding all creation of atoms. -* Fixed CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack +* Fixed :ref:`cve/2010-2234` .. _release/0.11.1: http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/1.0.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/whatsnew/1.0.rst b/share/doc/src/whatsnew/1.0.rst index 4ec9a2f..3d7fdc8 100644 --- a/share/doc/src/whatsnew/1.0.rst +++ b/share/doc/src/whatsnew/1.0.rst 
@@ -43,6 +43,11 @@ replicator to use the ``application/json`` content type. string. Previously, these properties contained strings which needed to be converted to JSON before using. +.. warning:: + + :ref:`release/1.0.4` contains important security fixes. Previous `1.0.x` + releases are not recommended for regular usage. + .. _release/1.0.4: @@ -68,12 +73,9 @@ Replicator Security -------- -* Fixed CVE-2012-5641: Apache CouchDB Information disclosure via unescaped - backslashes in URLs on Windows -* Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with - Adobe Flash -* Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon - UI +* Fixed :ref:`cve/2012-5641` +* Fixed :ref:`cve/2012-5649` +* Fixed :ref:`cve/2012-5650` View System ----------- http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/1.1.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/whatsnew/1.1.rst b/share/doc/src/whatsnew/1.1.rst index 4a78300..a376593 100644 --- a/share/doc/src/whatsnew/1.1.rst +++ b/share/doc/src/whatsnew/1.1.rst @@ -22,6 +22,17 @@ :local: +.. _release/1.1.x/upgrade: + +Upgrade Notes +============= + +.. warning:: + + :ref:`release/1.1.2` contains important security fixes. Previous `1.1.x` + releases are not recommended for regular usage. + + .. _release/1.1.2: Version 1.1.2 
@@ -57,12 +68,9 @@ Replicator Security -------- -* Fixed CVE-2012-5641: Apache CouchDB Information disclosure via unescaped - backslashes in URLs on Windows -* Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with - Adobe Flash -* Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon - UI +* Fixed :ref:`cve/2012-5641` +* Fixed :ref:`cve/2012-5649` +* Fixed :ref:`cve/2012-5650` View Server ----------- http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/1.2.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/whatsnew/1.2.rst b/share/doc/src/whatsnew/1.2.rst index 3d6620d..ce228ba 100644 --- a/share/doc/src/whatsnew/1.2.rst +++ b/share/doc/src/whatsnew/1.2.rst @@ -33,6 +33,11 @@ Upgrade Notes version 0.9.0. Compact your older databases (that have not been compacted for a long time) before upgrading, or they will become inaccessible. +.. warning:: + + :ref:`release/1.2.1` contains important security fixes. Previous `1.2.x` + releases are not recommended for regular usage. + Security changes ---------------- @@ -114,12 +119,9 @@ HTTP Interface Security -------- -* Fixed CVE-2012-5641: Apache CouchDB Information disclosure via unescaped - backslashes in URLs on Windows -* Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with Adobe - Flash -* Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon - UI +* Fixed :ref:`cve/2012-5641` +* Fixed :ref:`cve/2012-5649` +* Fixed :ref:`cve/2012-5650` Replication ----------- http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/index.rst ---------------------------------------------------------------------- diff --git a/share/doc/src/whatsnew/index.rst b/share/doc/src/whatsnew/index.rst index b5a1f91..a69a75e 100644 --- a/share/doc/src/whatsnew/index.rst +++ b/share/doc/src/whatsnew/index.rst 
@@ -19,6 +19,7 @@ Release History .. toctree:: :glob: + ../cve/index 1.4 1.3 1.2 @@ -28,3 +29,4 @@ Release History 0.10 0.9 0.8 +
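Review bot: the Mitigation section of the new share/doc/src/cve/2010-0009.rst contradicts the whatsnew/0.10.rst hunks in this same commit. 0.10.rst gains a warning that 0.10.2 "contains important security fixes" and lists `* Fixed :ref:`cve/2010-0009`` under Version 0.10.2, yet the advisory page says only "All users should upgrade to CouchDB 0.11.0" and that "Upgrades from the 0.10.x series should be seamless", which tells a 0.10.2 user they are still exposed. List 0.10.2 as a fixed release next to 0.11.0, using the `release/0.10.2` label this commit introduces, so the advisory and the release notes agree on where the fix shipped.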
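Review bot: share/doc/src/cve/2010-2234.rst is inconsistent about the fixed version. The Description says "versions prior to version 0.11.1 are vulnerable", but the Affected field is "0.8.0 to 0.11.1" (inclusive) and the Mitigation says to upgrade to 0.11.2 or 1.0.1; the 0.11.rst hunk likewise places `* Fixed :ref:`cve/2010-2234`` in the section that precedes the `.. _release/0.11.1:` label, i.e. under 0.11.2. Change the Description to "prior to 0.11.2 (1.0.1 on the 1.0 branch)". The closing paragraph of the Example, "Unrelated, but in addition the JSONP API has been turned off by default", is by its own admission not part of this CVE; it belongs in the release notes, not in the CSRF example.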
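Review bot: wording in share/doc/src/cve/2010-3854.rst (and the same sentence in 2010-2234.rst): "Users on earlier versions should consult with upgrade notes" should read "consult the upgrade notes", and unlike the 2010-0009 page, which wraps the phrase in a `:ref:` to the upgrade-notes target, these two pages leave it as plain text with nothing to follow. Link it the same way on all three pages.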
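Review bot: the only entry under References in share/doc/src/cve/2012-5641.rst is `https://github.com/melkote/mochiweb/commit/ac2bf`, a five-character abbreviated hash. Short prefixes become ambiguous as a repository grows and the URL then stops resolving; record the full SHA, and the upstream mochiweb commit that carries the fix if it was merged there. Separately, the Work-Around uses `:ref:`config/httpd_global_handlers/favicon.ico`` and `:ref:`config/httpd_global_handlers/_utils``, and no hunk in this commit adds those labels to the configuration chapter; confirm they already exist or the build will report unresolved references.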
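Review bot: the Work-Around in share/doc/src/cve/2012-5649.rst, "Disable JSONP or don't enable it since it's disabled by default", gives the operator nothing to check, unlike the 2012-5641 and 2012-5650 pages, which quote the exact `[httpd_global_handlers]` lines. Name the option (`allow_jsonp` in the `[httpd]` section) and show it set to `false`, so someone auditing an existing install can verify the state rather than assume the default survived. This page is also the only one of the six without a Credit or Acknowledgement section; add one, or say the reporter asked not to be named, as the 2010 pages do.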
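Review bot: typo in the "Questions about:" paragraph of share/doc/src/cve/index.rst: "should be address to the `users mailing list`_" should read "should be addressed to". The rest of the reporting text is fine; the `:glob: *` toctree will pick up the six CVE pages in filename order, which happens to be chronological here, so no explicit ordering is needed.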
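Review bot: the whatsnew/1.0.rst hunks convert only the 1.0.4 Security entries (`* Fixed :ref:`cve/2012-5641`` and siblings) to cross-references. This same commit adds share/doc/src/cve/2010-3854.rst, whose Mitigation says that fix shipped in 1.0.2; if the 1.0.2 section further down this file still lists the CVE as plain text, give it the same `:ref:` treatment so the linking between advisories and release notes is complete in both directions.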
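Review bot: `cve/index` is now listed in two toctrees: `share/doc/src/index.rst` (Contents) and, in the first hunk of `share/doc/src/whatsnew/index.rst`, the Release History toctree as `../cve/index`. Sphinx warns when a document is referenced from more than one toctree and picks one of them as the page's parent for navigation, so where the page appears in the sidebar becomes arbitrary. Keep the top-level entry and replace the Release History one with a plain `:ref:`cve`` link in the text.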
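Review bot: the second hunk of whatsnew/index.rst (`@@ -28,3 +29,4 @@`) adds an empty line after `0.8` at end of file, which git reports as "new blank line at EOF" and which serves no purpose. Drop it.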