couchdb-dev mailing list archives

From Joan Touzet <>
Subject Manual Pull Request: COUCHDB-2221
Date Sun, 06 Apr 2014 02:37:21 GMT
I wasn't able to get this branch show up under the GitHub interface for requesting a PR, so
here it is in email.;a=shortlog;h=refs/heads/COUCHDB-2221

Isaac w/ NPM has a big _users DB from 1.5.x where they have managed to get "iterations":"10"
into a lot of users' records instead of "iterations":10. Giving the wrong password for the
user will send couch into an infinite loop, and can act as a DDOS against the server.

To fix we should backport 98d0890 to 1.5.x, but we should also degrade gracefully for databases
where this incorrect data format is already extant.

I don't know what the right process is here so I am looking for:

  +1 on this for master
  +1 to pull this and 98d0890 to 1.5.x

Given the severity of this issue I am also recommending this get pushed out to 1.5 ASAP; I
don't believe we can stop 1.5.1 going out without it, but we should probably issue 1.5.2.

I am still up in the air as to whether this deserves a CVE or not.
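As an added illustration (not code from this mail or from CouchDB itself, which is written in Erlang), here is a Python sketch of the graceful-degradation idea: validate and coerce the `iterations` field before any PBKDF2 work, so a record carrying `"iterations":"10"` still authenticates and a wrong password simply fails instead of spinning. The `_users` field names, the SHA-1/20-byte parameter set, the bounds and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Upper bound is an assumption for this example, not a CouchDB setting.
MAX_ITERATIONS = 10_000_000


def normalize_iterations(value):
    """Return the PBKDF2 iteration count as a positive int.

    Accepts an int or a string of decimal digits (the malformed
    "iterations":"10" form the mail describes) and rejects anything else,
    so a bad record fails the login instead of hanging the server.
    """
    if isinstance(value, bool):
        raise ValueError("iterations must be an integer, not a boolean")
    if isinstance(value, str):
        if not re.fullmatch(r"[0-9]+", value):
            raise ValueError("iterations is a non-numeric string: %r" % value)
        value = int(value)
    if not isinstance(value, int):
        raise ValueError("iterations has unsupported type %s" % type(value).__name__)
    if not 1 <= value <= MAX_ITERATIONS:
        raise ValueError("iterations out of range: %d" % value)
    return value


def rejects_iterations(value):
    """True if normalize_iterations refuses the value (helper for checks)."""
    try:
        normalize_iterations(value)
    except ValueError:
        return True
    return False


def derive_key(password, salt_hex, iterations):
    # PBKDF2-HMAC-SHA1, 20-byte key, hex encoded: assumed to mirror the
    # 1.x "pbkdf2" scheme; treat it as an example parameter set.
    return hashlib.pbkdf2_hmac("sha1", password.encode(),
                               bytes.fromhex(salt_hex), iterations, 20).hex()


def make_user_doc(name, password, iterations, salt_hex):
    # Constructed _users-style document (assumed field names).
    return {"name": name, "password_scheme": "pbkdf2", "iterations": iterations,
            "salt": salt_hex, "derived_key": derive_key(password, salt_hex, iterations)}


def verify_password(doc, password):
    """Check a password against a user doc; validates metadata before any work."""
    if doc.get("password_scheme") != "pbkdf2":
        return False
    iterations = normalize_iterations(doc["iterations"])
    candidate = derive_key(password, doc["salt"], iterations)
    return hmac.compare_digest(candidate, doc["derived_key"])


# Constructed sample: a well-formed record, then the same record corrupted
# the way the mail describes ("iterations":"10" instead of 10).
SALT = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
GOOD_DOC = make_user_doc("alice", "correct horse", 10, SALT)
MALFORMED_DOC = dict(GOOD_DOC, iterations="10")
```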

