I wasn't able to get this branch to show up under the GitHub interface for requesting a PR, so here it is in email.
https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=shortlog;h=refs/heads/COUCHDB-2221

Isaac w/ NPM has a big _users DB from 1.5.x where they have managed to get "iterations":"10" into a lot of users' records instead of "iterations":10. Giving the wrong password for the user will send couch into an infinite loop, and can act as a DDOS against the server.

To fix we should backport 98d0890 to 1.5.x, but we should also degrade gracefully for databases where this incorrect data format is already extant.

I don't know what the right process is here so I am looking for:

+1 on this for master
+1 to pull this and 98d0890 to 1.5.x

Given the severity of this issue I am also recommending this get pushed out to 1.5 ASAP; I don't believe we can stop 1.5.1 going out without it, but we should probably issue 1.5.2. I am still up in the air as to whether this deserves a CVE or not.

-Joan
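
Added example, not part of the original email and not CouchDB's own code: a JavaScript audit over exported `_users` documents that finds `iterations` values stored as strings, coerces digit-only strings to integers and rejects anything else. The sample documents, the function names and the positive-integer acceptance rule are assumptions made for this illustration.

```javascript
// SAMPLE_DOCS is constructed data, shaped like docs exported from a _users DB.
const SAMPLE_DOCS = [
  { _id: "org.couchdb.user:alice", password_scheme: "pbkdf2", iterations: 10 },
  { _id: "org.couchdb.user:bob", password_scheme: "pbkdf2", iterations: "10" },
  { _id: "org.couchdb.user:carol", password_scheme: "pbkdf2", iterations: "ten" },
  { _id: "org.couchdb.user:dave", password_scheme: "pbkdf2", iterations: 0 },
  { _id: "org.couchdb.user:erin", password_scheme: "simple" },
];

// Classify one value (hypothetical helper):
//   "ok"        - already a positive integer
//   "coercible" - a string of decimal digits that maps to a safe positive integer
//   "invalid"   - anything else (missing, zero, negative, float, non-numeric text)
function classifyIterations(value) {
  if (Number.isInteger(value) && value > 0) return "ok";
  if (typeof value === "string" && /^[1-9][0-9]*$/.test(value)) {
    return Number.isSafeInteger(Number(value)) ? "coercible" : "invalid";
  }
  return "invalid";
}

// Walk the docs and build a report: ids that are fine, repaired copies of
// docs whose iterations was a digit string, and ids that need manual review.
function auditUserDocs(docs) {
  const report = { ok: [], repaired: [], rejected: [] };
  for (const doc of docs) {
    if (doc.password_scheme !== "pbkdf2") continue; // only pbkdf2 docs carry iterations
    const verdict = classifyIterations(doc.iterations);
    if (verdict === "ok") {
      report.ok.push(doc._id);
    } else if (verdict === "coercible") {
      // Copy the doc so the caller decides whether to write the fix back.
      report.repaired.push({ ...doc, iterations: Number(doc.iterations) });
    } else {
      report.rejected.push(doc._id);
    }
  }
  return report;
}
```

Running `auditUserDocs` over an export before and after an upgrade shows how many records still carry the string form and which ones cannot be repaired automatically.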
