On Sunday, April 6, 2014, Joan Touzet <[email protected]> wrote:
> I wasn't able to get this branch to show up under the GitHub interface for
> requesting a PR, so here it is in email.
>
> https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=shortlog;h=refs/heads/COUCHDB-2221
>
> Isaac w/ NPM has a big _users DB from 1.5.x where they have managed to get
> "iterations":"10" into a lot of users' records instead of "iterations":10.
> Giving the wrong password for the user will send couch into an infinite
> loop, and can act as a DDOS against the server.
>
> To fix we should backport 98d0890 to 1.5.x, but we should also degrade
> gracefully for databases where this incorrect data format is already extant.
>
> I don't know what the right process is here so I am looking for:
>
> +1 on this for master
> +1 to pull this and 98d0890 to 1.5.x
>
> Given the severity of this issue I am also recommending this get pushed
> out to 1.5 ASAP; I don't believe we can stop 1.5.1 going out without it,
> but we should probably issue 1.5.2.
>
> I am still up in the air as to whether this deserves a CVE or not.
>
> -Joan
>
what is the issue? docs have been changed manually?
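
Added example, not part of the thread and not the CouchDB patch: a sketch of the "degrade gracefully" idea for `_users` documents whose `iterations` field was stored as a string, plus an audit pass that lists affected records. The function names, the `MAX_ITERATIONS` bound and the sample documents are assumptions constructed for illustration.

```javascript
// Added example, not CouchDB code. MAX_ITERATIONS is an assumed policy bound.
const MAX_ITERATIONS = 10000000;

// Classify the "iterations" field of one _users document.
function classifyIterations(doc) {
  if (doc.password_scheme !== 'pbkdf2') return 'not-pbkdf2';
  const it = doc.iterations;
  const inRange = (n) => Number.isInteger(n) && n >= 1 && n <= MAX_ITERATIONS;
  if (typeof it === 'number') return inRange(it) ? 'ok' : 'invalid';
  if (typeof it === 'string' && /^[0-9]+$/.test(it)) {
    return inRange(Number(it)) ? 'string-number' : 'invalid';
  }
  return 'invalid';
}

// Degrade gracefully: return a copy with an integer count, or null when the
// value cannot be trusted and authentication should fail closed.
function normaliseUserDoc(doc) {
  switch (classifyIterations(doc)) {
    case 'ok':
    case 'not-pbkdf2':
      return doc;
    case 'string-number':
      return Object.assign({}, doc, { iterations: Number(doc.iterations) });
    default:
      return null;
  }
}

// Audit: list the _id of every document that needs repair or rejection.
function auditUsers(docs) {
  return docs
    .map((d) => ({ id: d._id, status: classifyIterations(d) }))
    .filter((r) => r.status === 'string-number' || r.status === 'invalid');
}

// Constructed sample documents (derived_key and salt omitted for brevity).
const sampleDocs = [
  { _id: 'org.couchdb.user:alice', password_scheme: 'pbkdf2', iterations: 10 },
  { _id: 'org.couchdb.user:bob', password_scheme: 'pbkdf2', iterations: '10' },
  { _id: 'org.couchdb.user:carol', password_scheme: 'pbkdf2', iterations: '1e9' },
  { _id: 'org.couchdb.user:dave', password_scheme: 'pbkdf2', iterations: -1 },
];

console.log(auditUsers(sampleDocs));
```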
