Your message dated Sun, 26 Sep 2010 10:47:07 +0000
with message-id <[email protected]>
and subject line Bug#570013: fixed in couchdb 0.11.0-2.1
has caused the Debian Bug report #570013,
regarding RESTful interface for browser Javascript is insecure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
570013: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570013
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: couchdb
Version: 0.10.0-1
Tags: upstream important

You cannot use a RESTful interface from a browser because it is open
to CSRF attacks.  Using an HttpOnly cookie is not sufficient because
some of our browsers do not support HttpOnly.

Furthermore, couchdb serves Javascript contained in database
attachments back to the browser for execution, offering yet another
attack vector, which also affects browsers with HttpOnly support.

This has already been reported upstream, not realizing that we've
shipped it in lenny (with no response from upstream so far):

http://mail-archives.apache.org/mod_mbox/couchdb-dev/201002.mbox/%[email protected]%3e

But lenny is exposed in a rather different way; it does not seem to
offer any authentication at all.



--- End Message ---
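The CSRF exposure the report above describes, together with its second vector of attachments served from the API's own origin, as an added defender-side example: this is illustrative code, not CouchDB's code nor the Debian fix, and the trusted origin, the policy that legitimate clients always send application/json, and the list of active content types are assumptions.

```python
# Added example (not CouchDB's or the Debian fix): a request gate for a
# cookie-authenticated JSON REST API. Browsers attach the session cookie to
# cross-site requests whether or not it is HttpOnly, so the gate relies on
# what a cross-site page cannot forge: Origin/Referer and the Content-Type.
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Content types a browser will execute in the serving origin (assumed list).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "text/javascript",
                "application/javascript", "image/svg+xml"}

def origin_of(url):
    """Reduce a URL to scheme://host[:port], or None if it has neither."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def csrf_verdict(method, headers, trusted_origin):
    """Return (allowed, reason) for one request; headers is a plain dict.
    Assumption: the API's own browser clients always send JSON via XHR, so a
    form-encoded body is never legitimate and can be refused outright."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # A <form> can only post three fixed types; sending application/json
    # cross-site needs a CORS preflight, which this server must not grant.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"content-type {ctype or '(none)'} is not application/json"
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "no origin or referer on state-changing request"
    if origin_of(source) != trusted_origin.lower():
        return False, f"cross-site request from {origin_of(source)}"
    return True, "same-origin json request"

def attachment_headers(stored_content_type):
    """Headers for serving a user-supplied attachment from the API origin:
    active content is forced to download rather than run with the cookie."""
    ctype = stored_content_type.split(";")[0].strip().lower()
    headers = {"X-Content-Type-Options": "nosniff"}
    if ctype in ACTIVE_TYPES:
        headers["Content-Disposition"] = "attachment"
        headers["Content-Type"] = "application/octet-stream"
    else:
        headers["Content-Type"] = ctype or "application/octet-stream"
    return headers
```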
--- Begin Message ---
Source: couchdb
Source-Version: 0.11.0-2.1

We believe that the bug you reported is fixed in the latest version of
couchdb, which is due to be installed in the Debian FTP archive:

couchdb_0.11.0-2.1.diff.gz
  to main/c/couchdb/couchdb_0.11.0-2.1.diff.gz
couchdb_0.11.0-2.1.dsc
  to main/c/couchdb/couchdb_0.11.0-2.1.dsc
couchdb_0.11.0-2.1_i386.deb
  to main/c/couchdb/couchdb_0.11.0-2.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <[email protected]> (supplier of updated couchdb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 26 Sep 2010 11:09:53 +0200
Source: couchdb
Binary: couchdb
Architecture: source i386
Version: 0.11.0-2.1
Distribution: unstable
Urgency: high
Maintainer: Erlang Packaging Team <[email protected]>
Changed-By: Giuseppe Iuculano <[email protected]>
Description: 
 couchdb    - RESTful document oriented database
Closes: 570013
Changes: 
 couchdb (0.11.0-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2010-2234: fix Cross-site request forgery vulnerability
     (Closes: #570013)


--- End Message ---
