couchdb-commits mailing list archives

From deathb...@apache.org
Subject [07/13] couchdb commit: updated refs/heads/Update-Sidebar-Ui to abaa8e9
Date Wed, 16 Apr 2014 20:51:20 GMT
Add documentation for CVE-2014-2668


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/a5489a7e
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/a5489a7e
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/a5489a7e

Branch: refs/heads/Update-Sidebar-Ui
Commit: a5489a7e4771693974f8190710a7d074aa206f26
Parents: 4924567
Author: Alexander Shorin <kxepal@apache.org>
Authored: Tue Apr 15 09:11:00 2014 +0200
Committer: Jan Lehnardt <jan@apache.org>
Committed: Wed Apr 16 16:43:10 2014 +0200

----------------------------------------------------------------------
 share/doc/src/cve/2014-2668.rst | 54 ++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/a5489a7e/share/doc/src/cve/2014-2668.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/cve/2014-2668.rst b/share/doc/src/cve/2014-2668.rst
new file mode 100644
index 0000000..5ccd2a4
--- /dev/null
+++ b/share/doc/src/cve/2014-2668.rst
@@ -0,0 +1,54 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+
+.. _cve/2014-2668:
+
+==================================================================================
+CVE-2014-2668: DoS (CPU and memory consumption) via the count parameter to /_uuids
+==================================================================================
+
+:Date: 26.03.2014
+
+:Affected: Apache CouchDB releases up to and including 1.3.1, 1.4.0,
+           and 1.5.0 are vulnerable.
+
+:Severity: Moderate
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+The :ref:`api/server/uuids` resource's `count` query parameter is able to take
+unreasonable huge numeric value which leads to exhaustion of server resources
+(CPU and memory) and to DoS as the result.
+
+Mitigation
+==========
+
+Upgrade to a supported CouchDB release that includes this fix, such as:
+
+- :ref:`1.5.1 <release/1.5.1>`
+- :ref:`1.6.0 <release/1.6.0>`
+
+All listed releases have included a specific fix to
+
+Work-Around
+===========
+
+Disable the :ref:`api/server/uuids` handler completely, by adapting
+`local.ini` and restarting CouchDB::
+
+  [httpd_global_handlers]
+  _uuids =
+

