Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Couchdb Wiki" for
change notification.
The "Security" page has been changed by JoanTouzet:
https://wiki.apache.org/couchdb/Security?action=diff=3=4
Comment:
decom, point to official docs instead
- = Security =
+ Please see our
[[http://docs.couchdb.org/en/stable/cve/index.html|documentation and official
process]] instead.
- This page explains the CouchDB and Apache Security Policies and links to a
list of known vulnerabilities.
-
- == List of Vulnerabilities ==
-
- * 31.03.2010: [[http://markmail.org/message/7x6ljrjsj5u3zr4h|CVE-2010-0009]]
affects all versions of Apache CouchDB prior to 0.11.0.
- * 21.02.2010:
[[http://mail-archives.apache.org/mod_mbox/couchdb-dev/201008.mbox/%%3cd105f928-15c0-403a-a958-1fd2648f5...@apache.org%%3e|CVE-2010-2234]]
affects all versions of Apache CouchDB prior to 0.11.2.
- * 28.01.2011:
[[http://mail-archives.apache.org/mod_mbox/couchdb-dev/201101.mbox/%%3cc840f655-c8c5-4ec6-8aa8-dd223e39c...@apache.org%%3e|CVE-2010-3854]]
affects all versions of Apache CouchDB prior to 1.0.1.
- * 14.01.2013: [[http://markmail.org/thread/67bpkke5yr42cur5 | CVE-2012-5641
]] affects all versions.
- * 14.01.2013: [[http://markmail.org/thread/d6pwilyhs36xxdiv | CVE-2012-5650
]] affects all versions.
- * 14.01.2013: [[http://markmail.org/thread/r3btufgy4ahnw76e | CVE-2012-5651
]] affects all versions.
-
-
- == Reporting New Security Problems with Apache CouchDB ==
-
- The Apache Software Foundation takes a very active stance in eliminating
security problems and denial of service attacks against Apache CouchDB.
-
- We strongly encourage folks to report such problems to our private security
mailing list first, before disclosing them in a public forum.
-
- Please note that the security mailing list should only be used for reporting
undisclosed security vulnerabilities in Apache CouchDB and managing the process
of
- fixing such vulnerabilities. We cannot accept regular bug reports or other
queries at this address. All mail sent to this address that does not relate to
an undisclosed
- security problem in the Apache CouchDB source code will be ignored.
-
- If you need to report a bug that isn't an undisclosed security vulnerability,
please use [[https://issues.apache.org/jira/browse/COUCHDB|the bug reporting
page]].
-
- Questions about:
-
- * how to configure CouchDB securely
- * if a vulnerability applies to your particular application
- * obtaining further information on a published vulnerability
- * availability of patches and/or new releases
-
- should be address to the [users mailing list][lists]. Please see
[[http://wiki.apache.org/couchdb/Mailing%20lists|the mailing lists page]] for
details of how to subscribe.
-
- The private security mailing address is:
[[mailto:secur...@couchdb.apache.org|secur...@couchdb.apache.org]]
-
- Please read [[http://www.apache.org/security/committers.html|how the Apache
Software Foundation handles security]]
- reports to know what to expect.
-
- Note that all networked servers are subject to denial of service attacks, and
we cannot promise magic workarounds to generic problems (such as a client
streaming lots of data to your server, or re-requesting the same URL
repeatedly). In general our philosophy is to avoid any attacks which can cause
the server to consume resources in a non-linear relationship to the size of
inputs.
-
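Review bot: The single added line, at the top of the hunk, points only at http://docs.couchdb.org/en/stable/cve/index.html, while the removed text carried both the instruction to report undisclosed problems to the private security list before any public disclosure and the address to send them to. Nothing in the visible lines shows that the target page covers the reporting process as well as the CVE list. Please confirm that it does, or keep a one-line pointer for reporters on this page, so that someone arriving here to report a vulnerability is not left with only the public bug tracker or the users list. The link could also use https:// if the docs host serves it.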