couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: Manual pull request: COUCHDB-2221
Date Sun, 06 Apr 2014 07:21:14 GMT
On Sunday, April 6, 2014, Joan Touzet <wohali@apache.org> wrote:

> I wasn't able to get this branch to show up under the GitHub interface for
> requesting a PR, so here it is in email.
>
> https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=shortlog;h=refs/heads/COUCHDB-2221
>
> Isaac w/ NPM has a big _users DB from 1.5.x where they have managed to get
> "iterations":"10" into a lot of users' records instead of "iterations":10.
> Giving the wrong password for the user will send couch into an infinite
> loop, and can act as a DDOS against the server.
>
> To fix we should backport 98d0890 to 1.5.x, but we should also degrade
> gracefully for databases where this incorrect data format is already extant.
>
> I don't know what the right process is here so I am looking for:
>
>   +1 on this for master
>   +1 to pull this and 98d0890 to 1.5.x
>
> Given the severity of this issue I am also recommending this get pushed
> out to 1.5 ASAP; I don't believe we can stop 1.5.1 going out without it,
> but we should probably issue 1.5.2.
>
> I am still up in the air as to whether this deserves a CVE or not.
>
> -Joan
>

What is the issue? Have the docs been changed manually?
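The failure mode Joan describes, a `_users` record carrying `"iterations":"10"` instead of `"iterations":10`, and the graceful degradation she asks for, as an added Python example that is not CouchDB's own (Erlang) code: the iteration count is normalized and bounded before any PBKDF2 work is done, so a malformed record either verifies normally or is rejected up front instead of spinning. The PBKDF2 parameters (HMAC-SHA1, 20-byte key, hex output), the `MAX_ITERATIONS` bound and the sample records are assumptions made here.

```python
import hashlib
import hmac

MAX_ITERATIONS = 1_000_000  # assumed upper bound, not a CouchDB setting


def normalize_iterations(value):
    """Return a positive int, tolerating the legacy "10"-as-string form."""
    if isinstance(value, str) and value.isdigit():
        value = int(value)
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"iterations is not an integer: {value!r}")
    if not 1 <= value <= MAX_ITERATIONS:
        raise ValueError(f"iterations out of range: {value}")
    return value


def is_valid_iterations(value):
    """True when the stored value can be used (after normalization)."""
    try:
        normalize_iterations(value)
        return True
    except ValueError:
        return False


def derive_key(password, salt, iterations):
    """Assumed to mirror the pbkdf2 scheme: HMAC-SHA1, 20-byte key, hex."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                               iterations, 20).hex()


def make_user_doc(name, password, iterations, stored=None):
    """Constructed _users record; 'stored' is the raw value the doc carries."""
    salt = hashlib.sha1(name.encode()).hexdigest()[:32]  # constructed salt
    return {"_id": f"org.couchdb.user:{name}", "password_scheme": "pbkdf2",
            "salt": salt, "iterations": iterations if stored is None else stored,
            "derived_key": derive_key(password, salt, iterations)}


# Constructed sample records: well-formed, the 1.5.x string form, unusable.
SAMPLE_USER_DOCS = [
    make_user_doc("alice", "s3cret", 10),
    make_user_doc("bob", "hunter2", 10, stored="10"),
    make_user_doc("eve", "pw", 10, stored="lots"),
]


def verify_password(doc, password):
    """Bounded work for any password; raises instead of looping on bad data."""
    iterations = normalize_iterations(doc["iterations"])
    candidate = derive_key(password, doc["salt"], iterations)
    return hmac.compare_digest(candidate, doc["derived_key"])


def find_malformed(docs):
    """Report records whose iterations field is a string or unusable."""
    report = []
    for doc in docs:
        raw = doc.get("iterations")
        if not is_valid_iterations(raw):
            report.append((doc["_id"], "unusable"))
        elif not isinstance(raw, int):
            report.append((doc["_id"], "string"))
    return report
```

`find_malformed` is the kind of scan an operator would run over an existing `_users` database to find records that still need repair after the backport.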
