couchdb-dev mailing list archives

From Robert Kowalski <...@kowalski.gd>
Subject Re: [VOTE] Release Apache CouchDB 1.6.0-rc.4
Date Mon, 05 May 2014 20:04:20 GMT
Hi!

You are right:
https://github.com/apache/couchdb/commit/64144cc8bdbc64002bde64394dc8850d3987718c
is directly related to the XSS issue.

https://github.com/apache/couchdb/pull/224 just fixes a regression
introduced with "HTML escaping for Fauxton". The regression causes HTML
links which we are using in the notifications to appear as text.

The PR https://github.com/apache/couchdb/pull/223 removes the interpolation
where it is not needed, but as far as I know, these are values which are not
affected by user content.


2014-05-05 14:24 GMT+02:00 Alexander Shorin <kxepal@gmail.com>:

> 1.6.0-rc.4 lacks two important changes:
>
> HTML escaping for Fauxton:
>
> https://github.com/apache/couchdb/commit/64144cc8bdbc64002bde64394dc8850d3987718c
> this is related to recently reported XSS vulnerability COUCHDB-2232
>
> And support for Erlang 17 (well, it's actually multiple commits due to a
> branch merge and rushed master fixing at night):
> Merge:
>
> https://github.com/apache/couchdb/commit/296de8b1fe69e66d649294fd0445449b18c49194
> Fixes:
>
> https://github.com/apache/couchdb/commit/519a488876323f822eaa77b435b1d28e56fd273a
>
> https://github.com/apache/couchdb/commit/8c07af243e82ea950b8ef27cfa700a4a73f878ab
>
> https://github.com/apache/couchdb/commit/7d29ade0b5b678ce35af184ef6c53824d0b0e250
>
> Also not sure whether these PRs:
> https://github.com/apache/couchdb/pull/223
> https://github.com/apache/couchdb/pull/224
> contain any fixes for possible XSS. Robert, do they?
>
> --
> ,,,^..^,,,
>
>
> On Mon, May 5, 2014 at 3:40 PM, Dirkjan Ochtman <djc@apache.org> wrote:
> > Dear community,
> >
> > Due to test failures in rc.3, I would like to release Apache CouchDB
> > 1.6.0-rc.4. Special thanks to Alexander for doing a lot of
> > investigation into the failures and whipping rc.4 into shipping.
> >
> > Changes since last round:
> >
> >  * https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=shortlog;h=refs/heads/1.6.x
> >
> > We encourage the whole community to download and test these release
> > artefacts so that any critical issues can be resolved before the
> > release is made. Everyone is free to vote on this release, so get
> > stuck in!
> >
> > The release artefacts we are voting on are available here:
> >
> >     wget https://dist.apache.org/repos/dist/dev/couchdb/source/1.6.0/rc.4/apache-couchdb-1.6.0.tar.gz
> >     wget https://dist.apache.org/repos/dist/dev/couchdb/source/1.6.0/rc.4/apache-couchdb-1.6.0.tar.gz.asc
> >     wget https://dist.apache.org/repos/dist/dev/couchdb/source/1.6.0/rc.4/apache-couchdb-1.6.0.tar.gz.ish
> >     wget https://dist.apache.org/repos/dist/dev/couchdb/source/1.6.0/rc.4/apache-couchdb-1.6.0.tar.gz.md5
> >     wget https://dist.apache.org/repos/dist/dev/couchdb/source/1.6.0/rc.4/apache-couchdb-1.6.0.tar.gz.sha
> >
> > Please follow the test procedure here:
> >
> >     http://wiki.apache.org/couchdb/Test_procedure
> >
> > Please remember that "rc.4" is an annotation. If the vote passes,
> > these artefacts will be released as Apache CouchDB 1.6.0.
> >
> > Please cast your votes now.
> >
> > Thanks,
> >
> > Dirkjan
>
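The two behaviours discussed above (escaping user-controlled values before they are interpolated into a Fauxton notification, and the regression where escaping the whole message also turns the UI's own link into visible text), as an added illustration that is not code from the CouchDB/Fauxton repository or from either commit or PR linked in the thread. The function names, the notification wording and the hostile inputs are constructed for this example.

```javascript
// Added example, not Fauxton's code. It contrasts escaping everything
// (which neutralises the UI's own <a> tag, the regression the thread
// describes) with escaping only the interpolated values.

// Escape the five characters that matter in HTML element content and
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escaping does not make a URL safe: "javascript:alert(1)" passes through
// escapeHtml untouched. Only accept link targets the UI is expected to
// produce (same-origin paths and fragments); anything else falls back to "#".
function safeHref(href) {
  return /^(\/|#)/.test(String(href)) ? String(href) : '#';
}

// Regressed behaviour: interpolate raw values, then escape the finished
// message. The hostile docId is neutralised, but so is the trusted <a>,
// so the link is displayed as literal text.
function renderNotificationEscapeAll(docId, href) {
  const raw = 'Saved document ' + docId + '. <a href="' + href + '">View it</a>';
  return escapeHtml(raw);
}

// Intended behaviour: escape each value at the point it is interpolated;
// markup the UI itself emits is left intact.
function renderNotification(docId, href) {
  return 'Saved document ' + escapeHtml(docId) +
    '. <a href="' + escapeHtml(safeHref(href)) + '">View it</a>';
}

// Constructed hostile inputs: a tag injection in the document id and an
// attribute-breakout attempt in the link target.
const HOSTILE_ID = '<img src=x onerror=alert(1)>';
const HOSTILE_HREF = '#" onmouseover="alert(2)';

function demo() {
  return {
    escapeAll: renderNotificationEscapeAll(HOSTILE_ID, HOSTILE_HREF),
    escapeValues: renderNotification(HOSTILE_ID, HOSTILE_HREF),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo();
  console.log('escape-all  :', out.escapeAll);
  console.log('escape-values:', out.escapeValues);
}
```

In the escape-all output the `<a ...>View it</a>` appears as text in the page, which is the regression pull/224 describes; in the escape-values output the anchor survives while both hostile inputs are inert. Note that `safeHref` is a separate check from escaping: quoting protects attribute context, it does not validate the URL scheme.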
