Bug 14788 - couchdb new security issue CVE-2010-5312
Summary: couchdb new security issue CVE-2010-5312
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/626058/
Whiteboard: has_procedure advisory MGA4-32-OK MG...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-12 19:22 CET by David Walser
Modified: 2014-12-31 13:28 CET (History)
3 users

See Also:
Source RPM: couchdb-1.4.0-2.3.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-12-12 19:22:23 CET
Fedora has issued an advisory on December 1:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145767.html

The security issue is actually in jQuery UI, which apparently is bundled by couchdb and several other packages, according to the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1166041

Some other packages that we have that are in RedHat's list are:
dokuwiki, fish, yelp-xsl, mediawiki, python-sphinx, calibre, python-werkzeug, python-django14, python-django, wordpress, hotot, sagemath, sparkleshare, wesnoth, libgda, openteacher, ikiwiki, perl-Mojolicious, zabbix, drupal, spyder

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5312

Thomas was the last one working on this package, and it doesn't build now.

David Walser 2014-12-12 19:25:02 CET

URL: (none) => http://lwn.net/Vulnerabilities/626058/

David Walser 2014-12-24 20:22:58 CET

CC: (none) => shlomif

Comment 1 Shlomi Fish 2014-12-25 08:11:18 CET
David Walser, hi! What am I supposed to do? Which packages should I update?
Comment 2 David Walser 2014-12-25 09:55:40 CET
(In reply to Shlomi Fish from comment #1)
> David Walser, hi! What am I supposed to do? Which packages should I update?

couchdb in Mageia 4.  I've already added the patch in SVN, but the package doesn't build.  That needs to be fixed.
Comment 3 Shlomi Fish 2014-12-25 13:20:53 CET
(In reply to David Walser from comment #2)
> (In reply to Shlomi Fish from comment #1)
> > David Walser, hi! What am I supposed to do? Which packages should I update?
> 
> couchdb in Mageia 4.  I've already added the patch in SVN, but the package
> doesn't build.  That needs to be fixed.

Hi,

I fixed the build problems (by porting fixes from Cauldron) in couchdb-1.4.0-2.5mga4 in http://pkgsubmit.mageia.org/ . Please test.

Regards,

-- Shlomi Fish
Comment 4 David Walser 2014-12-25 14:14:44 CET
Thanks Shlomi!

Advisory:
========================

Updated couchdb packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog
widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary
web script or HTML via the title option (CVE-2010-5312).

The embedded copy of jQuery UI in couchdb has been updated to version 1.10.4
to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5312
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145767.html
========================

Updated package in core/updates_testing:
========================
couchdb-1.4.0-2.5.mga4
couchdb-bin-1.4.0-2.5.mga4

from couchdb-1.4.0-2.5.mga4.src.rpm

Assignee: tmb => qa-bugs

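Added example (not code from the Mageia bug, couchdb or jQuery UI): a string-level model of the dialog title handling behind CVE-2010-5312, where the title option was inserted as raw markup before jQuery UI 1.10.0 and is treated as text from 1.10.0 on. `escapeHtml` stands in for jQuery's `.text()`, the nbsp fallback for an empty title is this example's own choice, and the sample title is constructed.

```javascript
// Minimal HTML escaping, playing the role of jQuery's .text(title) in the fixed code.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable behaviour (jQuery UI < 1.10.0): the title option becomes markup,
// the equivalent of titleElement.html(title).
function renderTitleVulnerable(title) {
  return `<span class="ui-dialog-title">${title}</span>`;
}

// Fixed behaviour (jQuery UI >= 1.10.0): the title is rendered as text,
// the equivalent of titleElement.text(title). Empty titles get a placeholder
// (our own choice here, so the titlebar keeps its height).
function renderTitleFixed(title) {
  const safe = title ? escapeHtml(title) : "&#160;";
  return `<span class="ui-dialog-title">${safe}</span>`;
}

// Defender-side check for a test suite: did anything inside the title span
// end up as a live tag? Any literal "<" followed by a tag start means yes.
function titleInjectsMarkup(rendered) {
  const inner = rendered.replace(/^<span class="ui-dialog-title">|<\/span>$/g, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed untrusted input, e.g. a document name shown in a web admin UI.
const untrustedTitle = 'Release notes <script>alert(document.domain)</script>';

// Vulnerable rendering keeps the <script> element; fixed rendering neutralises it.
console.log(titleInjectsMarkup(renderTitleVulnerable(untrustedTitle))); // true
console.log(titleInjectsMarkup(renderTitleFixed(untrustedTitle)));      // false
console.log(renderTitleFixed(untrustedTitle));
```

The same check applies to any widget option a library copies into the DOM with `.html()`: a regression test that feeds markup through the option and asserts no tag survives catches this class of bug before an upgrade is needed.
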
Comment 5 David Walser 2014-12-25 14:49:02 CET
(In reply to David Walser from comment #0)
> Some other packages that we have that are in RedHat's list are:
> dokuwiki, fish, yelp-xsl, mediawiki, python-sphinx, calibre,
> python-werkzeug, python-django14, python-django, wordpress, hotot, sagemath,
> sparkleshare, wesnoth, libgda, openteacher, ikiwiki, perl-Mojolicious,
> zabbix, drupal, spyder

RedHat/Fedora have ruled out mediawiki, fish, python-django14, python-django, python-werkzeug, zabbix, spyder, and perl-Mojolicious as being affected.  Wordpress version 4 is not, but 3.9 may still be.  The hotot package is not fixable and has been retired because it is dead upstream.  We do not have sagemath packaged.

dokuwiki, fish, yelp-xsl, python-sphinx, calibre, sparkleshare, wesnoth, libgda, openteacher, ikiwiki, drupal, and spyder have not been ruled out yet.
Comment 6 Herman Viaene 2014-12-29 11:35:46 CET
MGA4-64 on HP Probook 6555b KDE and MGA4-32 on Acer D620 Xfce.
No installation issues.

Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => herman.viaene

Comment 7 claire robinson 2014-12-29 17:23:36 CET
It's actually pretty easy to functionally test this one.

http://wiki.apache.org/couchdb/CouchIn15Minutes

Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 8 Herman Viaene 2014-12-29 18:06:51 CET
Ran "Hello World" example on both MGA4-64 and MGA4-32.
Comment 9 claire robinson 2014-12-29 21:13:25 CET
Thanks Herman. Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2014-12-31 13:28:46 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0559.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
