Updated Branches: refs/heads/1.2.x 1b02bf40c -> 891f16244 (forced update)
Added CVE-2012-5641, CVE-2012-5649, and CVE-2012-5650 to NEWS and CHANGES in 1.2.x branch Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/891f1624 Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/891f1624 Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/891f1624 Branch: refs/heads/1.2.x Commit: 891f162440fe6d2074f6f34fd5ec4f759ae6de3b Parents: 09063e9 Author: Noah Slater <[email protected]> Authored: Mon Feb 25 19:53:36 2013 +0000 Committer: Robert Newson <[email protected]> Committed: Mon Feb 25 20:11:37 2013 +0000 ---------------------------------------------------------------------- CHANGES | 9 +++++++++ NEWS | 6 ++++++ 2 files changed, 15 insertions(+), 0 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/couchdb/blob/891f1624/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index 44a310b..496f7b1 100644 --- a/CHANGES +++ b/CHANGES @@ -12,6 +12,15 @@ Note that this version has not been released yet. Version 1.2.1 ------------- +Security: + + * Fixed CVE-2012-5641: Apache CouchDB Information disclosure via unescaped + backslashes in URLs on Windows + * Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with Adobe + Flash + * Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon + UI + HTTP Interface: * No longer rewrites the X-CouchDB-Requested-Path during recursive http://git-wip-us.apache.org/repos/asf/couchdb/blob/891f1624/NEWS ---------------------------------------------------------------------- diff --git a/NEWS b/NEWS index 418a319..bb7e4a7 100644 --- a/NEWS +++ b/NEWS 
@@ -15,6 +15,12 @@ Note that this version has not been released yet. Version 1.2.1 ------------- + * Fixed CVE-2012-5641: Apache CouchDB Information disclosure via unescaped + backslashes in URLs on Windows + * Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with Adobe + Flash + * Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon + UI * Fix various bugs in the URL rewriter when recursion is involved. * Fix couchdb start script. * Futon: Disable buttons that aren't available for the logged-in user.
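
Review bot: In the CHANGES hunk, the three entries added under "Security:" carry only the CVE id and the advisory title, so the changelog does not say what behaviour changed in 1.2.1 (for instance, how backslashes in URLs on Windows or JSONP requests are now handled). Consider adding a short clause to each entry stating the change an operator will see after upgrading, or a pointer to the published advisory. Minor points: "DOM based" reads better as "DOM-based", and the "Apache CouchDB" prefix repeated in every entry is redundant inside the project's own CHANGES file.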
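
Review bot: In the NEWS hunk, the three CVE entries go in as ordinary bullets at the top of the Version 1.2.1 list with no "Security:" label, whereas the CHANGES hunk of the same commit gives them their own "Security:" heading. They also use "Fixed ..." while the bullets that follow use the imperative ("Fix various bugs in the URL rewriter when recursion is involved.", "Fix couchdb start script."). Suggest a matching heading or a "Security:" prefix so the fixes stand out to someone scanning NEWS for upgrade urgency, and aligning the tense with the existing entries.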
