Fedora has issued an advisory on January 24: http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098089.html The issues are fixed upstream in 1.2.1. Mageia 2 is also affected.
CC: (none) => dmorganec
Whiteboard: (none) => MGA2TOO

In progress by Nicolas. Pushed in SVN for Cauldron, awaiting freeze push.

Updated package uploaded for Mageia 2.

Updated RPMs:
couchdb-1.2.1-1.mga2
couchdb-bin-1.2.1-1.mga2

from couchdb-1.2.1-1.mga2.src.rpm

CC: (none) => fundawang
Assignee: fundawang => nicolas.lecureuil

Updated package uploaded for Cauldron. Assigning to QA.

Advisory:
========================

Updated couchdb packages fix security vulnerabilities:

A security flaw was found in the way Apache CouchDB, a distributed, fault-tolerant and schema-free document-oriented database accessible via a RESTful HTTP/JSON API, processed certain JSON callback. A remote attacker could provide a specially-crafted JSON callback that, when processed could lead to arbitrary JSON code execution via Adobe Flash (CVE-2012-5649).

A DOM based cross-site scripting (XSS) flaw was found in the way browser-based test suite of Apache CouchDB, a distributed, fault-tolerant and schema-free document-oriented database accessible via a RESTful HTTP/JSON API, processed certain query parameters. A remote attacker could provide a specially-crafted web page that, when accessed could lead to arbitrary web script or HTML execution in the context of a CouchDB user session (CVE-2012-5650).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5650
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098089.html
========================

Updated packages in core/updates_testing:
========================
couchdb-1.2.1-1.mga2
couchdb-bin-1.2.1-1.mga2

from couchdb-1.2.1-1.mga2.src.rpm

CC: (none) => nicolas.lecureuil
Version: Cauldron => 2
Assignee: nicolas.lecureuil => qa-bugs
Whiteboard: MGA2TOO => (none)
Testing clues on bug 2196 and also http://wiki.apache.org/couchdb/CouchIn15Minutes
Whiteboard: (none) => has_procedure
No PoCs, so just testing it works

Testing mga2 64 first with the single instance from couchdb-bin then again with the system wide instance from couchdb.

Before
------
# urpmi couchdb-bin
# su - couchdb
-bash-4.2$ couchdb
Apache CouchDB 1.1.1 (LogLevel=info) is starting.
Apache CouchDB has started. Time to relax.
[info] [<0.32.0>] Apache CouchDB has started on http://127.0.0.1:5984/

Followed the couchin15mins link 'Hello World!'. It actually took 5 minutes :)

Killed the instance with ctrl-c and exited back to root

^C
-bash-4.2$ exit
logout
#

Repeated with couchdb

# urpmi couchdb
# service couchdb start
Starting couchdb (via systemctl): [ OK ]

Accessed at http://localhost:5984/_utils/ and deleted the example database then followed couchdbin15mins again to recreate 'Hello World!'.

Stopped the service to test the updates

# service couchdb stop
Stopping couchdb (via systemctl): [ OK ]

After
-----
# su - couchdb
-bash-4.2$ couchdb
{"init terminating in do_boot",{{badmatch,{error,{"no such file or directory","os_mon.app"}}},[{couch,start,0},{init,start_it,1},{init,start_em,1}]}}

Crash dump was written to: erl_crash.dump
init terminating in do_boot ()
-bash-4.2$

Crashes when started. I'll retrieve the logs from /var/lib/couchdb.

Testing couchdb..

# service couchdb start
Starting couchdb (via systemctl): [ OK ]

It appears to be missing some css when browsing to http://localhost:5984/_utils/ and it won't create a database, so I don't think it is starting properly, despite the init script reporting it has done.

# ps aux | grep couch

Shows nothing.
Whiteboard: has_procedure => has_procedure feedback
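Added example, not part of the original bug report or the Mageia QA procedure: the test above found the init script printing "[ OK ]" while no couchdb process was running, so this smoke test checks the HTTP API itself. The URL default follows the address shown in the thread; curl, the absence of admin credentials and the scratch database name qa_smoke are assumptions.

```shell
#!/bin/sh
# Added example: post-update smoke test that does not trust the init script's "[ OK ]".
# Assumptions: curl is installed, CouchDB listens on http://127.0.0.1:5984 without
# admin credentials, and "qa_smoke" is a made-up scratch database name.
COUCH_URL="${COUCH_URL:-http://127.0.0.1:5984}"

# Extract the "version" value from the welcome JSON returned by GET /.
couch_version() {
    printf '%s' "$1" |
        sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed only if the body is a CouchDB welcome banner with the expected version.
check_banner() {    # $1 = response body, $2 = expected version
    case "$1" in
        *'"couchdb"'*) ;;
        *) echo "FAIL: no CouchDB welcome banner" >&2; return 1 ;;
    esac
    got=$(couch_version "$1")
    [ "$got" = "$2" ] || { echo "FAIL: version '$got', expected '$2'" >&2; return 1; }
}

# Round trip against a live instance: banner, create db, write/read a doc, delete db.
smoke_test() {      # $1 = expected version, e.g. 1.2.1
    db="$COUCH_URL/qa_smoke"; rc=0
    body=$(curl -fsS --max-time 5 "$COUCH_URL/") ||
        { echo "FAIL: nothing answering on $COUCH_URL" >&2; return 1; }
    check_banner "$body" "$1" || return 1
    curl -fsS -X PUT "$db" >/dev/null ||
        { echo "FAIL: cannot create database" >&2; return 1; }
    curl -fsS -X PUT "$db/hello" -H 'Content-Type: application/json' \
        -d '{"msg":"Hello World!"}' >/dev/null || rc=1
    curl -fsS "$db/hello" | grep -q 'Hello World!' || rc=1
    curl -fsS -X DELETE "$db" >/dev/null || rc=1
    [ "$rc" -eq 0 ] || echo "FAIL: document round trip" >&2
    return "$rc"
}

# Constructed sample banner (not captured from a real server) for an offline check.
SAMPLE='{"couchdb":"Welcome","version":"1.2.1"}'
check_banner "$SAMPLE" 1.2.1 && echo "banner check OK"
```

After `service couchdb start`, source the file and run `smoke_test 1.2.1`; a non-zero status means the daemon is not serving requests or the old version is still running.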
Created attachment 3489: /var/lib/couchdb/erl_crash.dump

Fixed with the new package on updates_testing.

If you can't wait please install the missing require: erlang-os_mon
Thanks Nicolas. This will need to be depcheck'd before it's pushed as it's likely going to be affected by bug 2317
Whiteboard: has_procedure feedback => has_procedure
Please don't forget to fix it in Cauldron too, as the updates_testing package is now newer (1.1.mga2 vs 1.mga3).
URL: http://lwn.net/Vulnerabilities/536056/ => http://lwn.net/Vulnerabilities/536624/
Summary: couchdb new security issues CVE-2012-5649 CVE-2012-5650 => couchdb new security issues CVE-2012-5649 and CVE-2012-5650
couchdb is updated in Cauldron. Thanks Nicolas. It was also updated again in Mageia 2 to 1.2.1-1.2.mga2.
The following packages will require linking:

erlang-os_mon-R14B03-3.mga2 (Core 32bit Release)
erlang-os_mon-R14B03-3.mga2 (Core Release)
CC: (none) => davidwhodgins
Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm
couchdb-1.2.1-1.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and link the following rpm packages from Release to Updates ...

erlang-os_mon-R14B03-3.mga2 (Core 32bit Release)
erlang-os_mon-R14B03-3.mga2 (Core Release)

Advisory:

Updated couchdb packages fix security vulnerabilities:

A security flaw was found in the way Apache CouchDB, a distributed, fault-tolerant and schema-free document-oriented database accessible via a RESTful HTTP/JSON API, processed certain JSON callback. A remote attacker could provide a specially-crafted JSON callback that, when processed could lead to arbitrary JSON code execution via Adobe Flash (CVE-2012-5649).

A DOM based cross-site scripting (XSS) flaw was found in the way browser-based test suite of Apache CouchDB, a distributed, fault-tolerant and schema-free document-oriented database accessible via a RESTful HTTP/JSON API, processed certain query parameters. A remote attacker could provide a specially-crafted web page that, when accessed could lead to arbitrary web script or HTML execution in the context of a CouchDB user session (CVE-2012-5650).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5650
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098089.html
https://bugs.mageia.org/show_bug.cgi?id=8973

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure => has_procedure MGA2-64-OK MGA2-32-OK
Depends on: (none) => 2317
Packages linked and update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0040
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED