couchdb-commits mailing list archives

From rnew...@apache.org
Subject [32/50] documentation commit: updated refs/heads/import-master to fe7f7bf
Date Thu, 10 Jul 2014 09:47:31 GMT
Add documentation for CVE-2014-2668


Project: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/commit/86ae5c82
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/tree/86ae5c82
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/diff/86ae5c82

Branch: refs/heads/import-master
Commit: 86ae5c82edf59031455d6982fd7a8f8c7ef3b0ad
Parents: d0ccbb5
Author: Alexander Shorin <kxepal@apache.org>
Authored: Tue Apr 15 09:11:00 2014 +0200
Committer: Jan Lehnardt <jan@apache.org>
Committed: Wed Apr 16 16:43:10 2014 +0200

----------------------------------------------------------------------
 src/cve/2014-2668.rst | 54 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-documentation/blob/86ae5c82/src/cve/2014-2668.rst
----------------------------------------------------------------------
diff --git a/src/cve/2014-2668.rst b/src/cve/2014-2668.rst
new file mode 100644
index 0000000..5ccd2a4
--- /dev/null
+++ b/src/cve/2014-2668.rst
@@ -0,0 +1,54 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+
+.. _cve/2014-2668:
+
+==================================================================================
+CVE-2014-2668: DoS (CPU and memory consumption) via the count parameter to /_uuids
+==================================================================================
+
+:Date: 26.03.2014
+
+:Affected: Apache CouchDB releases up to and including 1.3.1, 1.4.0,
+           and 1.5.0 are vulnerable.
+
+:Severity: Moderate
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+The :ref:`api/server/uuids` resource's `count` query parameter is able to take
+unreasonable huge numeric value which leads to exhaustion of server resources
+(CPU and memory) and to DoS as the result.
+
+Mitigation
+==========
+
+Upgrade to a supported CouchDB release that includes this fix, such as:
+
+- :ref:`1.5.1 <release/1.5.1>`
+- :ref:`1.6.0 <release/1.6.0>`
+
+All listed releases have included a specific fix to
+
+Work-Around
+===========
+
+Disable the :ref:`api/server/uuids` handler completely, by adapting
+`local.ini` and restarting CouchDB::
+
+  [httpd_global_handlers]
+  _uuids =
+

