[gentoo-announce] [ GLSA 201412-16 ] CouchDB: Denial of Service - gentoo-announce

From:	Sean Amoss <ackle@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201412-16 ] CouchDB: Denial of Service
Date:	Sat, 13 Dec 2014 17:55:20
Message-Id:	`548C7CE4.2060304@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201412-16

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: CouchDB: Denial of Service

9

     Date: December 13, 2014

10

     Bugs: #506354

11

       ID: 201412-16

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability in CouchDB could result in Denial of Service.

19

20

Background

21

==========

22

23

Apache CouchDB is a distributed, fault-tolerant and schema-free

24

document-oriented database.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  dev-db/couchdb               < 1.5.1                    >= 1.5.1

33

34

Description

35

===========

36

37

CouchDB does not properly sanitize the count parameter for Universally

38

Unique Identifiers (UUID) requests.

39

40

Impact

41

======

42

43

A remote attacker could send a specially crafted request to CouchDB,

44

possibly resulting in a Denial of Service condition.

45

46

Workaround

47

==========

48

49

The /_uuids handler can be disabled in local.ini with the following

50

configuration:

51

52

[httpd_global_handlers]

53

_uuids =

54

55

Resolution

56

==========

57

58

All CouchDB users should upgrade to the latest version:

59

60

  # emerge --sync

61

  # emerge --ask --oneshot --verbose ">=dev-db/couchdb-1.5.1"

62

63

References

64

==========

65

66

[ 1 ] CVE-2014-2668

67

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2668

68

69

Availability

70

============

71

72

This GLSA and any updates to it are available for viewing at

73

the Gentoo Security Website:

74

75

 http://security.gentoo.org/glsa/glsa-201412-16.xml

76

77

Concerns?

78

=========

79

80

Security is a primary focus of Gentoo Linux and ensuring the

81

confidentiality and security of our users' machines is of utmost

82

importance to us. Any security concerns should be addressed to

83

security@g.o or alternatively, you may file a bug at

84

https://bugs.gentoo.org.

85

86

License

87

=======

88

89

Copyright 2014 Gentoo Foundation, Inc; referenced text

90

belongs to its owner(s).

91

92

The contents of this document are licensed under the

93

Creative Commons - Attribution / Share Alike license.

94

95

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201412-16
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: CouchDB: Denial of Service
9	Date: December 13, 2014
10	Bugs: #506354
11	ID: 201412-16
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability in CouchDB could result in Denial of Service.
19
20	Background
21	==========
22
23	Apache CouchDB is a distributed, fault-tolerant and schema-free
24	document-oriented database.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 dev-db/couchdb < 1.5.1 >= 1.5.1
33
34	Description
35	===========
36
37	CouchDB does not properly sanitize the count parameter for Universally
38	Unique Identifiers (UUID) requests.
39
40	Impact
41	======
42
43	A remote attacker could send a specially crafted request to CouchDB,
44	possibly resulting in a Denial of Service condition.
45
46	Workaround
47	==========
48
49	The /_uuids handler can be disabled in local.ini with the following
50	configuration:
51
52	[httpd_global_handlers]
53	_uuids =
54
55	Resolution
56	==========
57
58	All CouchDB users should upgrade to the latest version:
59
60	# emerge --sync
61	# emerge --ask --oneshot --verbose ">=dev-db/couchdb-1.5.1"
62
63	References
64	==========
65
66	[ 1 ] CVE-2014-2668
67	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2668
68
69	Availability
70	============
71
72	This GLSA and any updates to it are available for viewing at
73	the Gentoo Security Website:
74
75	http://security.gentoo.org/glsa/glsa-201412-16.xml
76
77	Concerns?
78	=========
79
80	Security is a primary focus of Gentoo Linux and ensuring the
81	confidentiality and security of our users' machines is of utmost
82	importance to us. Any security concerns should be addressed to
83	security@g.o or alternatively, you may file a bug at
84	https://bugs.gentoo.org.
85
86	License
87	=======
88
89	Copyright 2014 Gentoo Foundation, Inc; referenced text
90	belongs to its owner(s).
91
92	The contents of this document are licensed under the
93	Creative Commons - Attribution / Share Alike license.
94
95	http://creativecommons.org/licenses/by-sa/2.5