Your message dated Fri, 16 Apr 2010 15:34:43 +0000
with message-id <[email protected]>
and subject line Bug#576304: fixed in couchdb 0.11.0-1
has caused the Debian Bug report #576304,
regarding CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
576304: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576304
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: couchdb
Severity: important
Tags: security

The following advisory was posted to full-disclosure. I don't see
the security implications, can you tell me what property is being
attacked here through the timing attack?

Cheers,
        Moritz

CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache CouchDB 0.8.0 to 0.10.1

Description:
Apache CouchDB versions prior to version 0.11.0 are vulnerable to
timing attacks, also known as side-channel information leakage,
due to using simple break-on-inequality string comparisons when
verifying hashes and passwords.

Mitigation:
All users should upgrade to CouchDB 0.11.0. Upgrades from the 0.10.x
series should be seamless. Users on earlier versions should consult

http://wiki.apache.org/couchdb/Breaking_changes

Example:
A canonical description of the attack can be found in

http://codahale.com/a-lesson-in-timing-attacks/

Credit:
This issue was discovered by Jason Davies of the Apache CouchDB
development team.

References:
http://couchdb.apache.org/
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://codahale.com/a-lesson-in-timing-attacks/



-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages couchdb depends on:
ii  adduser                       3.112      add and remove users and groups
pn  erlang-abi-11.b.3             <none>     (no description available)
pn  erlang-nox                    <none>     (no description available)
ii  libc6                         2.10.2-6   Embedded GNU C Library: Shared lib
pn  libicu38                      <none>     (no description available)
pn  libmozjs1d                    <none>     (no description available)
ii  lsb-base                      3.2-23     Linux Standard Base 3.2 init scrip
ii  mime-support                  3.48-1     MIME files 'mime.types' & 'mailcap

couchdb recommends no packages.

couchdb suggests no packages.



--- End Message ---
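The advisory in the message above names the bug class but not the mechanism, and Moritz asks what property is being attacked. The example below is added here to make that concrete; it is not CouchDB's Erlang code and not the 0.11.0 fix. It shows the break-on-inequality comparison the advisory describes next to a constant-time one, and counts bytes examined instead of measuring wall-clock time so the leak is visible without timing noise: with the naive comparison the work done reveals how many leading bytes of a guess are correct, which is the property an attacker learns; with the constant-time comparison it does not. The secret token, salt, guesses and stored digest are constructed sample values.

```python
# Example added to this page to illustrate the bug class named in
# CVE-2010-0009 (break-on-inequality comparison of hashes/passwords).
# Not CouchDB's code and not its fix; all secrets below are constructed.
import hashlib
import hmac


def naive_compare(a: bytes, b: bytes) -> tuple:
    """Break-on-inequality comparison, the pattern the advisory describes.

    Returns (equal, bytes_examined). The loop exits at the first mismatch,
    so the work done, and therefore the response time, grows with the
    length of the prefix the candidate shares with the secret.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes) -> tuple:
    """Same comparison without the early exit.

    Differences are OR-accumulated and every byte is visited, so the
    number of bytes examined does not depend on where the first mismatch
    is. Only the (public) length of the inputs influences the work.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def work_profile(secret: bytes, guesses: list) -> dict:
    """Count bytes examined per guess for both comparison styles.

    With the naive comparison the counts expose how many leading bytes of
    each guess are correct; with the constant-time one they are flat.
    """
    return {
        "naive": [naive_compare(secret, g)[1] for g in guesses],
        "constant_time": [constant_time_compare(secret, g)[1] for g in guesses],
    }


# Constructed credential store for the password-verification case.
SALT = b"constructed-salt"
STORED_DIGEST = hashlib.sha256(SALT + b"correct horse").hexdigest()


def verify_password(stored_hex_digest: str, salt: bytes, candidate: str) -> bool:
    """Verify a password against a stored salted SHA-256 hex digest.

    Uses hmac.compare_digest (Python 3.3+), the standard library's
    constant-time comparison, instead of `==`, which may return as soon
    as a differing byte is found.
    """
    digest = hashlib.sha256(salt + candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_hex_digest)


if __name__ == "__main__":
    secret = b"9f86d081884c7d65"          # constructed 16-byte token
    guesses = [
        b"0000000000000000",               # 0 correct leading bytes
        b"9000000000000000",               # 1 correct leading byte
        b"9f86000000000000",               # 4 correct leading bytes
        b"9f86d08188000000",               # 10 correct leading bytes
        secret,                            # all 16 correct
    ]
    for style, counts in work_profile(secret, guesses).items():
        print(f"{style:14s} bytes examined per guess: {counts}")
    print("password ok:", verify_password(STORED_DIGEST, SALT, "correct horse"))
    print("password bad:", verify_password(STORED_DIGEST, SALT, "wrong"))
```

Running the block prints a rising count for the naive comparison (1, 2, 5, 11, 16 for the constructed guesses) and a flat 16 for the constant-time one. The defensive rule is the one the advisory's fix applies: when the value being compared is a secret or a hash of one, use a comparison whose running time depends only on the length of the inputs, never on their content.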
--- Begin Message ---
Source: couchdb
Source-Version: 0.11.0-1

We believe that the bug you reported is fixed in the latest version of
couchdb, which is due to be installed in the Debian FTP archive:

couchdb_0.11.0-1.diff.gz
  to main/c/couchdb/couchdb_0.11.0-1.diff.gz
couchdb_0.11.0-1.dsc
  to main/c/couchdb/couchdb_0.11.0-1.dsc
couchdb_0.11.0-1_i386.deb
  to main/c/couchdb/couchdb_0.11.0-1_i386.deb
couchdb_0.11.0.orig.tar.gz
  to main/c/couchdb/couchdb_0.11.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Bisbee <[email protected]> (supplier of updated couchdb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 16 Apr 2010 18:04:47 +0400
Source: couchdb
Binary: couchdb
Architecture: source i386
Version: 0.11.0-1
Distribution: unstable
Urgency: medium
Maintainer: Erlang Packaging Team <[email protected]>
Changed-By: Sam Bisbee <[email protected]>
Description: 
 couchdb    - RESTful document oriented database
Closes: 576304 577417
Changes: 
 couchdb (0.11.0-1) unstable; urgency=medium (security fixes)
 .
   * New upstream release, including security fix for CVE-2010-00009.
     (closes: #576304, #577417)
   * Removed debian/patches/icu-patch.patch, as it's no longer needed.
Checksums-Sha1: 
 1e73cbaa43d827cb585e6efb894866ab587c57b6 1379 couchdb_0.11.0-1.dsc
 b5b84e1d8a082960df09df7e4eda664b5e6c59d7 925354 couchdb_0.11.0.orig.tar.gz
 d8cd779f78f857237bba3d4b55fe232e86f94950 7070 couchdb_0.11.0-1.diff.gz
 9de233d911c5eb0bcc03803104b8f450480c47b5 597734 couchdb_0.11.0-1_i386.deb
Checksums-Sha256: 
 501bffcaa5bbd21091c254598a55c6fd930eea3361d951b77f2a007b22bb1e49 1379 couchdb_0.11.0-1.dsc
 8190262c27a0704f8f91854908a8473a797ef7e3176ec9ae13c0ab3f0d4cb049 925354 couchdb_0.11.0.orig.tar.gz
 b11f5424193f07a6dead3b4fb8bab23163e46f212961972838b3d2d4470ac011 7070 couchdb_0.11.0-1.diff.gz
 7247072222eb5d5534f792fbf3c8d7d274a52cf58ef01dcde8d0c971df91bf71 597734 couchdb_0.11.0-1_i386.deb
Files: 
 4c8acef6c3e558c08cad61bc7e470fa7 1379 misc optional couchdb_0.11.0-1.dsc
 c1784e3850da01dc37dad20c5b1a85f8 925354 misc optional couchdb_0.11.0.orig.tar.gz
 7102fed8c636c5195c6cadaa56c3a60f 7070 misc optional couchdb_0.11.0-1.diff.gz
 0559d150ebb5d8c1d01b7c443fd999c0 597734 misc optional couchdb_0.11.0-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLyHMqIcdH02pGEFIRAqXPAKCFRz7mCIOX+x70IRMzTP3EUhwj1ACfUfth
xlUX24CMb/GC8CnYViUrPYA=
=kTE+
-----END PGP SIGNATURE-----



--- End Message ---
