couchdb-dev mailing list archives

From Benoit Chesneau <>
Subject Re: Manual pull request: COUCHDB-2221
Date Sun, 06 Apr 2014 07:21:14 GMT
On Sunday, April 6, 2014, Joan Touzet <> wrote:

> I wasn't able to get this branch to show up under the GitHub interface for
> requesting a PR, so here it is in email.
> Isaac w/ NPM has a big _users DB from 1.5.x where they have managed to get
> "iterations":"10" into a lot of users' records instead of "iterations":10.
> Giving the wrong password for the user will send couch into an infinite
> loop, and can act as a DDOS against the server.
> To fix we should backport 98d0890 to 1.5.x, but we should also degrade
> gracefully for databases where this incorrect data format is already extant.
> I don't know what the right process is here so I am looking for:
>   +1 on this for master
>   +1 to pull this and 98d0890 to 1.5.x
> Given the severity of this issue I am also recommending this get pushed
> out to 1.5 ASAP; I don't believe we can stop 1.5.1 going out without it,
> but we should probably issue 1.5.2.
> I am still up in the air as to whether this deserves a CVE or not.
> -Joan

What is the issue? Docs have been changed manually?

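The quoted message describes `_users` records that carry `"iterations":"10"` (a string) instead of `"iterations":10`. The following audit of exported user documents for that malformed field is an added example, not code from this thread or from the CouchDB project. The sample documents are constructed, and the `ok` / `repairable` / `invalid` labels and the rule that only a positive integer is acceptable are assumptions made for illustration.

```python
import json

# Constructed sample of _users documents (not real data). Field names follow
# CouchDB's PBKDF2 user-document layout; the values are made up.
SAMPLE_DOCS = json.loads("""
[
  {"_id": "org.couchdb.user:alice", "password_scheme": "pbkdf2", "iterations": 10},
  {"_id": "org.couchdb.user:bob", "password_scheme": "pbkdf2", "iterations": "10"},
  {"_id": "org.couchdb.user:carol", "password_scheme": "pbkdf2", "iterations": "ten"},
  {"_id": "org.couchdb.user:dave", "password_scheme": "pbkdf2", "iterations": 0},
  {"_id": "org.couchdb.user:erin", "password_scheme": "pbkdf2"},
  {"_id": "org.couchdb.user:frank", "password_scheme": "simple"}
]
""")


def classify_iterations(doc):
    """Return 'ok', 'repairable' or 'invalid' for a pbkdf2 user doc, None otherwise."""
    if doc.get("password_scheme") != "pbkdf2":
        return None
    value = doc.get("iterations")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, int) and not isinstance(value, bool):
        return "ok" if value > 0 else "invalid"
    # A string of ASCII digits is the case from the thread: safe to convert.
    if isinstance(value, str) and value.isascii() and value.isdigit() and int(value) > 0:
        return "repairable"
    return "invalid"


def audit(docs):
    """Map each non-ok pbkdf2 doc id to (status, proposed integer or None)."""
    findings = {}
    for doc in docs:
        status = classify_iterations(doc)
        if status in (None, "ok"):
            continue
        fixed = int(doc["iterations"]) if status == "repairable" else None
        findings[doc["_id"]] = (status, fixed)
    return findings


if __name__ == "__main__":
    for doc_id, (status, fixed) in audit(SAMPLE_DOCS).items():
        print(doc_id, status, fixed)
```

Records reported as `invalid` have no safe automatic conversion and need a password reset or manual review rather than a rewrite of the field.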