From: Jan Lehnardt
To: dev@couchdb.apache.org
Cc: user@couchdb.apache.org, security@couchdb.apache.org, security@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, Jason Davies
Subject: [SECURITY] CVE-2008-2370: Apache CouchDB Timing Attack Vulnerability
Date: Wed, 31 Mar 2010 15:48:01 +0200
Message-Id: <02AC8AFB-A0BF-4916-9F2B-CCA5009FB81C@apache.org>

CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability

(The Subject line of this message cites CVE-2008-2370 in error; that identifier belongs to an unrelated Apache Tomcat issue. The identifier assigned to this CouchDB issue is CVE-2010-0009.)

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache CouchDB 0.8.0 to 0.10.1

Description:
Apache CouchDB versions prior to 0.11.0 are vulnerable to timing attacks (side-channel information leakage). Hashes and passwords were verified with plain string comparisons that return at the first unequal byte, so the time a verification takes depends on how many leading bytes of the attacker's input match the stored secret. An attacker who can submit many guesses and measure response times can therefore recover the secret one byte at a time instead of having to guess the whole value at once. 0.11.0 replaces these comparisons with ones whose running time does not depend on the position of the first mismatch.

Mitigation:
All users should upgrade to CouchDB 0.11.0. Upgrades from the 0.10.x series should be seamless. Users on earlier versions should consult http://wiki.apache.org/couchdb/Breaking_changes
Anyone carrying a local fork or custom authentication handler should check it for the same break-on-inequality pattern.

Example:
A canonical description of the attack can be found at http://codahale.com/a-lesson-in-timing-attacks/

Credit:
This issue was discovered by Jason Davies of the Apache CouchDB development team.

References:
http://couchdb.apache.org/
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://codahale.com/a-lesson-in-timing-attacks/

Jan Lehnardt
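The break-on-inequality comparison the advisory describes, a constant-time replacement, and a simulated byte-at-a-time attack run against each. This is an added example and not CouchDB code (CouchDB's own checks are Erlang); it is written in Python, it uses the number of byte comparisons a check performs as a stand-in for elapsed time so that the attack is deterministic and runs offline, and the secret (a SHA-1 hex digest), the hex alphabet and the function names are constructed for illustration.

```python
"""Break-on-inequality vs constant-time comparison, with a simulated timing
attack.  Added example, not CouchDB code.  Elapsed time is modelled by the
number of byte comparisons the check performs."""
import hashlib
import hmac

# Constructed secret: a hex digest, as stored for a password hash or token.
SECRET = hashlib.sha1(b"constructed example secret").hexdigest().encode()
HEX = b"0123456789abcdef"  # symbols a hex digest can contain


def naive_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Break-on-inequality compare (the vulnerable pattern).
    Returns (equal, bytes_examined); bytes_examined stands in for wall time."""
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined  # early exit reveals the mismatch index
    return len(a) == len(b), examined


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Length check, then OR-accumulate XOR over every byte with no early exit,
    so the work done depends on the length only (digests have fixed length).
    Production code should call hmac.compare_digest rather than roll its own."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def stdlib_equal(a: bytes, b: bytes) -> bool:
    """The standard-library constant-time primitive, for reference."""
    return hmac.compare_digest(a, b)


def recover_secret(oracle, length: int, alphabet: bytes = HEX) -> bytes:
    """Attacker: at each position try every symbol and keep the one whose
    check did the most work.  Against a break-on-inequality oracle only the
    correct symbol lets the comparison advance past the current position,
    so it is the unique candidate with strictly more work."""
    known = b""
    for pos in range(length):
        best_symbol, best_work = None, -1
        for symbol in alphabet:
            # Pad with 0x00, a byte no hex digest contains, so the comparison
            # stops right after the symbol under test when that symbol is right.
            candidate = known + bytes([symbol]) + b"\x00" * (length - pos - 1)
            ok, work = oracle(candidate)
            if ok:
                return candidate
            if work > best_work:
                best_symbol, best_work = symbol, work
        known += bytes([best_symbol])
    return known


def attack_naive() -> bytes:
    """Full recovery of SECRET through the break-on-inequality oracle."""
    return recover_secret(lambda guess: naive_equal(SECRET, guess), len(SECRET))


def attack_constant_time() -> bytes:
    """Same attack against the constant-time oracle: every equal-length guess
    costs the same, so the attacker learns nothing and keeps the first symbol."""
    return recover_secret(lambda guess: constant_time_equal(SECRET, guess), len(SECRET))


if __name__ == "__main__":
    print("secret            :", SECRET.decode())
    print("naive oracle      :", attack_naive().decode())
    print("constant-time     :", attack_constant_time().decode())
    print("compare_digest    :", stdlib_equal(SECRET, SECRET))
```

With the naive oracle the attacker needs at most 16 guesses per position, 640 in total, to recover the full 40-character digest; against the constant-time oracle the same procedure returns a string of `0`s because no guess costs more than any other. Real attacks replace the work counter with repeated network timing measurements and statistics, which is why the advisory treats the leak as exploitable even though each individual measurement is noisy.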