Hello community, here is the log from the commit of package couchdb for openSUSE:Factory checked in at 2014-04-05 16:46:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/couchdb (Old) and /work/SRC/openSUSE:Factory/.couchdb.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "couchdb" Changes: -------- --- /work/SRC/openSUSE:Factory/couchdb/couchdb.changes 2013-04-18 14:57:47.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.couchdb.new/couchdb.changes 2014-04-05 16:46:53.000000000 +0200 
@@ -1,0 +2,33 @@ +Tue Apr 1 11:25:31 UTC 2014 - [email protected] + +- Bug 871111 - VUL-1: CVE-2014-2668: couchdb: remote denial of service via /_uuids + Apache CouchDB 1.5.0 and earlier allows remote attackers to cause a denial of + service (CPU and memory consumption) via the count parameter to /_uuids. + Fix from upstream added as bnc-871111-remote-dos-via_uuids.patch + +------------------------------------------------------------------- +Thu Jan 16 19:31:48 UTC 2014 - [email protected] + +- Fixed Source Url + +------------------------------------------------------------------- +Fri Nov 29 01:03:18 UTC 2013 - [email protected] + +- In the systemd service, start couchdb using its script rather than + invoking erlang directly +- Clean up specfile, remove unused /etc/sysconfig/couchdb file, + as the logging options are passed directly through the service file + +------------------------------------------------------------------- +Wed Nov 27 14:51:52 UTC 2013 - [email protected] + +- Update to couchdb 1.5.0 +- Drop parameterized-modules patch, not required anymore with + newer erlang + +------------------------------------------------------------------- +Sat Oct 26 18:26:04 UTC 2013 - [email protected] + +- Add systemd support for openSUSE >= 12.3 + +------------------------------------------------------------------- Old: ---- apache-couchdb-1.3.0.tar.gz couchdb-parameterized-modules-r16b.patch New: ---- apache-couchdb-1.5.0.tar.gz bnc-871111-remote-dos-via_uuids.patch couchdb.service couchdb.tmpfiles.conf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ couchdb.spec ++++++ --- /var/tmp/diff_new_pack.kerdQV/_old 2014-04-05 16:46:54.000000000 +0200 +++ /var/tmp/diff_new_pack.kerdQV/_new 2014-04-05 16:46:54.000000000 +0200 
@@ -1,7 +1,7 @@ # # spec file for package couchdb # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,20 +19,30 @@ # %define couchdb_user couchdb %define couchdb_group couchdb -%define couchdb_home %{_localstatedir}/lib/couchdb +%define couchdb_log %{_localstatedir}/log/%{name} +%define couchdb_home %{_localstatedir}/lib/%{name} + +# This should be in RPM as %%{_runstatedir} +%if 0%{?suse_version} >= 1230 +%define runstatedir /run/%{name} +%else +%define runstatedir %{_localstatedir}/run/%{name} +%endif Name: couchdb -Version: 1.3.0 +Version: 1.5.0 Release: 0 Summary: A document database server, accessible via a RESTful JSON API License: Apache-2.0 Group: Productivity/File utilities Url: http://couchdb.apache.org/ -Source0: http://www.apache.org/dist/%{name}/releases/%{version}/apache-couchdb-%{version}.tar.gz +Source0: http://www.apache.org/dist/%{name}/source/%{version}/apache-couchdb-%{version}.tar.gz Source1: %{name}.init Source2: %{name}.sysconfig +Source3: %{name}.service +Source4: %{name}.tmpfiles.conf Patch0: couchdb-futon-default-view-language.patch -Patch1: couchdb-parameterized-modules-r16b.patch +Patch1: bnc-871111-remote-dos-via_uuids.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf-archive BuildRequires: automake @@ -55,7 +65,13 @@ Requires(preun):info # Users and groups Requires(pre): pwdutils -PreReq: %insserv_prereq %fillup_prereq +%if 0%{?suse_version} >= 1230 +BuildRequires: pkgconfig(systemd) +%{?systemd_requires} +%else +Requires(pre): %insserv_prereq +%endif +Requires(pre): %fillup_prereq %description Apache CouchDB is a distributed, fault-tolerant and schema-free @@ -68,7 +84,7 @@ %prep %setup -q -n apache-couchdb-%{version} %patch0 -%patch1 +%patch1 -p1 %build autoreconf -fi 
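Review bot: `Source0` is still fetched over plain http with nothing in the spec to verify it — the `@@ -19,20 +19,30 @@` hunk changes the URL path but adds no detached signature or keyring, so a tampered mirror or an on-path substitution of the tarball would be built as-is. Apache releases normally ship a `.asc` next to the archive; adding `Source10: http://www.apache.org/dist/%{name}/source/%{version}/apache-couchdb-%{version}.tar.gz.asc` and a `Source11: %{name}.keyring` holding the release key lets the OBS source validator check the tarball, if this Factory setup runs it. The `%patch1 -p1` change is consistent with the git-style `a/`/`b/` paths of the new patch and looks correct.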
@@ -86,19 +102,26 @@ %install %makeinstall -## Install couchdb initscript +chmod -x %{buildroot}/usr/share/couchdb/server/main{,-coffee}.js +%if 0%{?suse_version} >= 1230 +# Service & tmpfiles config +install -D -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/%{name}.service +install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/ +install -D -m 0644 %{SOURCE4} %{buildroot}/usr/lib/tmpfiles.d/%{name}.conf +%else +# sysvinit script install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/%{name} install -d %{buildroot}%{_sbindir} -ln -s %{_initddir}/couchdb %{buildroot}%{_sbindir}/rccouchdb +ln -s %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name} # Sysconfig template mkdir -p %{buildroot}%{_var}/adm/fillup-templates/ -install -p -D -m 644 %{SOURCE2} %{buildroot}%{_var}/adm/fillup-templates/sysconfig.couchdb +install -p -D -m 644 %{SOURCE2} %{buildroot}%{_var}/adm/fillup-templates/sysconfig.%{name} +%endif # Create needed directories -install -d %{buildroot}%{_localstatedir}/{log,lib}/couchdb -install -d %{buildroot}%{_sysconfdir}/couchdb/{default.d,local.d} +install -d %{buildroot}%{_sysconfdir}/%{name}/{default.d,local.d} # Remove unecessary files -rm %{buildroot}%{_sysconfdir}/rc.d/couchdb -rm -rf %{buildroot}%{_datadir}/doc/couchdb +rm %{buildroot}%{_sysconfdir}/rc.d/%{name} +rm -rf %{buildroot}%{_datadir}/doc/%{name} # clean-up .la archives find %{buildroot} -name '*.la' -delete -print 
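Review bot: The tmpfiles fragment is installed to the literal `/usr/lib/tmpfiles.d/%{name}.conf` here, but the `%files` section (in the later hunk) lists it as `%{_libexecdir}/tmpfiles.d/%{name}.conf`; that only agrees while `%{_libexecdir}` expands to `/usr/lib`, and the build fails with an unpackaged or missing file the moment it does not. Use one expression in both places — `%{_tmpfilesdir}` if this systemd's rpm macros define it, otherwise `%{_prefix}/lib/tmpfiles.d` spelled the same way in `%install` and `%files`. The explicit `install -d` for `%{_localstatedir}/{log,lib}/couchdb` was removed while `%files` still claims both directories, so packaging now relies on the 1.5.0 `make install` creating them; worth confirming it does, since an owner/mode mismatch there would surface only at runtime.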
@@ -106,45 +129,65 @@ getent group %{couchdb_group} >/dev/null || groupadd -r %{couchdb_group} || : if getent passwd %{couchdb_user} >/dev/null ; then # There was a bad login shell up to openSUSE 12.2 (bnc#796242), SLE11SP2 used /bin/bash. Fix it. - usermod -s /usr/sbin/nologin %{couchdb_user} || : + usermod -s $(which nologin) %{couchdb_user} || : else - useradd -r -g %{couchdb_group} -d %{couchdb_home} -s /usr/sbin/nologin \ + useradd -r -g %{couchdb_group} -d %{couchdb_home} -s $(which nologin) \ -c "Couchdb Database Server" %{couchdb_user} || : fi %post -%{fillup_and_insserv couchdb} -mkdir -p %{_localstatedir}/run/couchdb +install -o %{couchdb_user} -g %{couchdb_group} -d %{runstatedir} + +%if 0%{?suse_version} >= 1230 +%{fillup_only} +%service_add_post %{name}.service +%else +%{fillup_and_insserv %{name}} +%endif %install_info --info-dir=%{_infodir} %{_infodir}/%{name}.info.gz %postun -%restart_on_update couchdb +%if 0%{?suse_version} >= 1230 +%service_del_postun %{name}.service +%else +%restart_on_update %{name} %insserv_cleanup +%endif + %install_info_delete --info-dir=%{_infodir} %{_infodir}/%{name}.info.gz %preun -%stop_on_removal couchdb +%if 0%{?suse_version} >= 1230 +%service_del_preun %{name}.service +%else +%stop_on_removal %{name} +%endif %files %defattr(-,root,root,-) -%doc AUTHORS BUGS CHANGES LICENSE NEWS NOTICE README THANKS -%dir %{_sysconfdir}/couchdb -%dir %{_sysconfdir}/couchdb/local.d -%dir %{_sysconfdir}/couchdb/default.d -%config(noreplace) %attr(0644, %{couchdb_user}, root) %{_sysconfdir}/couchdb/default.ini -%config(noreplace) %attr(0644, %{couchdb_user}, root) %{_sysconfdir}/couchdb/local.ini -%config(noreplace) %{_sysconfdir}/default/couchdb -%config(noreplace) %{_sysconfdir}/logrotate.d/couchdb -%{_initddir}/couchdb -%{_var}/adm/fillup-templates/sysconfig.couchdb -%{_sbindir}/rccouchdb +%doc AUTHORS BUGS DEVELOPERS LICENSE NOTICE README.rst THANKS +%dir %{_sysconfdir}/%{name} +%dir %{_sysconfdir}/%{name}/local.d +%dir 
%{_sysconfdir}/%{name}/default.d +%config(noreplace) %attr(0644, %{couchdb_user}, root) %{_sysconfdir}/%{name}/default.ini +%config(noreplace) %attr(0644, %{couchdb_user}, root) %{_sysconfdir}/%{name}/local.ini +%config(noreplace) %{_sysconfdir}/default/%{name} +%config(noreplace) %{_sysconfdir}/logrotate.d/%{name} +%if 0%{?suse_version} >= 1230 +%{_unitdir}/%{name}.service +%{_libexecdir}/tmpfiles.d/%{name}.conf +%else +%{_initddir}/%{name} +%{_sbindir}/rc%{name} +%{_var}/adm/fillup-templates/sysconfig.%{name} +%endif %{_bindir}/* -%{_libdir}/couchdb -%{_datadir}/couchdb +%{_libdir}/%{name} +%{_datadir}/%{name} %{_mandir}/man1/* %{_infodir}/CouchDB* -%dir %attr(0755, %{couchdb_user}, root) %{_localstatedir}/log/couchdb -%ghost %dir %attr(0755, %{couchdb_user}, root) %{_localstatedir}/run/couchdb -%dir %attr(0755, %{couchdb_user}, root) %{_localstatedir}/lib/couchdb +%dir %attr(0755, %{couchdb_user}, %{couchdb_group}) %{couchdb_log} +%dir %attr(0755, %{couchdb_user}, %{couchdb_group}) %{couchdb_home} +%ghost %dir %attr(0755, %{couchdb_user}, root) %{runstatedir} %changelog ++++++ apache-couchdb-1.3.0.tar.gz -> apache-couchdb-1.5.0.tar.gz ++++++ /work/SRC/openSUSE:Factory/couchdb/apache-couchdb-1.3.0.tar.gz /work/SRC/openSUSE:Factory/.couchdb.new/apache-couchdb-1.5.0.tar.gz differ: char 5, line 1 ++++++ bnc-871111-remote-dos-via_uuids.patch ++++++ From: Robert Newson <[email protected]> Date: Tue, 25 Mar 2014 15:02:50 +0000 (+0000) Subject: Configurable upper bound to _uuids count parameter X-Git-Url: http://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commitdiff_plain;h=0fb5aa9e67bd291ca2638dba961f4ddd3f6ccb3e;hp=198bea3479dfecac13ab1a3e95f902b8eba02f7d Configurable upper bound to _uuids count parameter --- diff --git a/etc/couchdb/default.ini.tpl.in b/etc/couchdb/default.ini.tpl.in index fd953c2..32537e0 100644 --- a/etc/couchdb/default.ini.tpl.in +++ b/etc/couchdb/default.ini.tpl.in 
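Review bot: In `%pre`, `-s $(which nologin)` degrades silently: the spec adds no `Requires(pre)` on the `which` package (nor on whatever ships `nologin`), so in a minimal chroot the substitution expands to nothing, `useradd ... -s -c "Couchdb Database Server" couchdb` misparses its arguments, and the trailing `|| :` hides the failure — either no account is created or, in the `usermod` branch, the bad login shell from bnc#796242 stays in place. Hard-code the path the distribution actually ships, e.g. `-s /usr/sbin/nologin` as before, or probe for it explicitly (`[ -x /usr/sbin/nologin ] && shell=/usr/sbin/nologin || shell=/sbin/nologin`) and fail loudly if neither exists. Separately, `local.ini` remains `%attr(0644, couchdb, root)`: it is owner-writable because CouchDB rewrites it at runtime, and as far as I know that is where `[admins]` password hashes and anything set through `/_config` end up, so 0644 leaves them world-readable — `%attr(0640, %{couchdb_user}, %{couchdb_group})` keeps the daemon able to write it while closing that off. This hunk begins on the previous line.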
@@ -215,6 +215,8 @@ algorithm = sequential ; The utc_id_suffix value will be appended to uuids generated by the utc_id algorithm. ; Replicating instances should have unique utc_id_suffix values to ensure uniqueness of utc_id ids. utc_id_suffix = +# Maximum number of UUIDs retrievable from /_uuids in a single request +max_count = 1000 [stats] ; rate is in milliseconds diff --git a/share/www/script/test/uuids.js b/share/www/script/test/uuids.js index 6f5d223..0f141a9 100644 --- a/share/www/script/test/uuids.js +++ b/share/www/script/test/uuids.js @@ -80,6 +80,10 @@ couchTests.uuids = function(debug) { } }; + // test max_uuid_count + var xhr = CouchDB.request("GET", "/_uuids?count=1001"); + TEquals(401, xhr.status, "should error when count > max_count"); + run_on_modified_server([{ "section": "uuids", "key": "algorithm", diff --git a/src/couchdb/couch_httpd_misc_handlers.erl b/src/couchdb/couch_httpd_misc_handlers.erl index 96a05c6..67e3a12 100644 --- a/src/couchdb/couch_httpd_misc_handlers.erl +++ b/src/couchdb/couch_httpd_misc_handlers.erl @@ -105,7 +105,12 @@ handle_restart_req(Req) -> handle_uuids_req(#httpd{method='GET'}=Req) -> + Max = list_to_integer(couch_config:get("uuids","max","1000")), Count = list_to_integer(couch_httpd:qs_value(Req, "count", "1")), + case Count > Max of + true -> throw({forbidden, <<"count parameter too large">>}); + false -> ok + end, UUIDs = [couch_uuids:new() || _ <- lists:seq(1, Count)], Etag = couch_httpd:make_etag(UUIDs), couch_httpd:etag_respond(Req, Etag, fun() -> ++++++ couchdb-futon-default-view-language.patch ++++++ --- /var/tmp/diff_new_pack.kerdQV/_old 2014-04-05 16:46:55.000000000 +0200 +++ /var/tmp/diff_new_pack.kerdQV/_new 2014-04-05 16:46:55.000000000 +0200 
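Review bot: The added comment line starts with `#` while every other comment in this file uses `;` (see the `utc_id_suffix` lines directly above it); unless CouchDB's ini parser also accepts `#`, the line is read as a bare, `=`-less value rather than as a comment. Write it as `; Maximum number of UUIDs retrievable from /_uuids in a single request`. The key name `max_count` also has to agree with what `handle_uuids_req` looks up in the Erlang hunk of this same patch, which currently reads a different name, so the shipped default is not actually what the code consults.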
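Review bot: The new assertion expects `401`, but the handler hunk throws `{forbidden, <<"count parameter too large">>}`, which CouchDB renders as 403 Forbidden as far as I know — so either this test fails against the patch or the wrong status is being enforced. If 403 is intended, change the line to `TEquals(403, xhr.status, "should error when count > max_count");`; if 401 is intended, the server side should throw `unauthorized` instead. The request is issued before `run_on_modified_server`, so it exercises only the built-in default limit, never a configured `max_count`; the enclosing `couchTests.uuids` function continues outside the hunk.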
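Review bot: The limit is read from `couch_config:get("uuids","max","1000")`, but the `default.ini.tpl.in` hunk in this same patch documents and ships the key as `max_count`, so the shipped setting is never consulted and an administrator raising or lowering it has no effect — the cap is always the compiled-in 1000. Change the lookup to `Max = list_to_integer(couch_config:get("uuids", "max_count", "1000")),` (or rename the ini key; the two must match). `list_to_integer/1` on the raw `count` query value still raises `badarg` for non-numeric input, and a negative `count` reaches `lists:seq(1, Count)` and errors out; both predate this patch but surface as 500s rather than a 400 `bad_request`, which is worth tidying while the handler is being touched. `handle_uuids_req/1` continues past the hunk (the `etag_respond` fun body is outside it).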
@@ -1,6 +1,6 @@ ---- share/www/script/futon.browse.js.orig 2013-01-04 16:45:45.000000000 +0100 -+++ share/www/script/futon.browse.js 2013-01-04 17:06:24.000000000 +0100 -@@ -567,6 +567,9 @@ +--- share/www/script/futon.browse.js.orig 2013-11-27 15:44:13.000000000 +0100 ++++ share/www/script/futon.browse.js 2013-11-27 15:44:24.000000000 +0100 +@@ -599,6 +599,9 @@ for (var viewName in (doc.views || {})) { if (viewName != localViewName) numViews++; } ++++++ couchdb.service ++++++ [Unit] Description=CouchDB Server After=network.target [Service] User=couchdb Group=couchdb Type=forking StandardOutput=journal StandardError=journal Restart=always StartLimitInterval=10 StartLimitBurst=5 PIDFile=/run/couchdb/couchdb.pid ExecStart=/usr/bin/couchdb -b -p /run/couchdb/couchdb.pid -o /var/log/couchdb/couchdb.stdout -e /var/log/couchdb/couchdb.stderr [Install] WantedBy=multi-user.target ++++++ couchdb.tmpfiles.conf ++++++ d /var/run/couchdb 0755 couchdb couchdb -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
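Review bot: `couchdb.service` runs as `User=couchdb` yet uses `Type=forking` with `PIDFile=/run/couchdb/couchdb.pid` in a directory the same user owns (`%post` and `couchdb.tmpfiles.conf` both create it `couchdb:couchdb`), so the unprivileged daemon controls the PID systemd treats as its main process; systemd of this vintage trusts that file as written, as far as I know, and a compromised CouchDB could place another process's PID there to have it signalled as root on stop or restart. Running the wrapper in the foreground avoids the PID file entirely, if `/usr/bin/couchdb` supports that without `-b`: `Type=simple`, `ExecStart=/usr/bin/couchdb -o /var/log/couchdb/couchdb.stdout -e /var/log/couchdb/couchdb.stderr`, and drop `PIDFile=`. `StandardOutput=journal`/`StandardError=journal` do nothing useful here because `-o`/`-e` already redirect everything to files; keep one mechanism or the other. `PrivateTmp=true` is available on the systemd these releases ship and is a cheap hardening step for a network-facing service, and the tmpfiles line uses `/var/run/couchdb` while the spec's `%{runstatedir}` is `/run/%{name}` — the same directory via the symlink, but the spelling should match.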
