This is an automated email from the ASF dual-hosted git repository. wohali pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git
commit 7f35921089df8ad6a3163c09747ed285dd6465cf Author: Dave Cottlehuber <[email protected]> AuthorDate: Mon Apr 30 11:29:30 2018 +0000 docs: add CVE-2018-8007 to 1.7.x and 2.1.x release notes --- src/cve/2018-8007.rst | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++ src/whatsnew/1.7.rst | 9 ++++++++ src/whatsnew/2.1.rst | 11 +++++++++- 3 files changed, 76 insertions(+), 1 deletion(-) diff --git a/src/cve/2018-8007.rst b/src/cve/2018-8007.rst new file mode 100644 index 0000000..f187989 --- /dev/null +++ b/src/cve/2018-8007.rst @@ -0,0 +1,57 @@ +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not +.. use this file except in compliance with the License. You may obtain a copy of +.. the License at +.. +.. http://www.apache.org/licenses/LICENSE-2.0 +.. +.. Unless required by applicable law or agreed to in writing, software +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +.. License for the specific language governing permissions and limitations under +.. the License. + +.. _cve/2018-8007: + +==================================================== +CVE-2018-8007: Apache CouchDB Remote Code Execution +==================================================== + +:Date: 30.04.2018 + +:Affected: All Versions of Apache CouchDB + +:Severity: Low + +:Vendor: The Apache Software Foundation + +Description +=========== + +CouchDB administrative users can configure the database server via HTTP(S). Due +to insufficient validation of administrator-supplied configuration settings via +the HTTP API, it is possible for a CouchDB administrator user to escalate their +privileges to that of the operating system's user that CouchDB runs under, by +bypassing the backlist of configuration settings that are not allowed to be +modified via the HTTP API. + +This privilege escalation effectively allows a CouchDB admin user to gain +arbitrary remote code execution, bypassing :ref:`CVE-2017-12636 <cve/2017-12636>` + +Mitigation +========== + +All users should upgrade to CouchDB :ref:`1.7.2 <release/1.7.2>` or +:ref:`2.1.2 <release/2.1.2>`. + +Upgrades from previous 1.x and 2.x versions in the same series should be +seamless. + +Users on earlier versions, or users upgrading from 1.x to 2.x should consult +with upgrade notes. + +Credit +====== + +This issue was discovered by Francesco Oddo of `MDSec Labs`_. + +.. _MDSec Labs: https://www.mdsec.co.uk/ diff --git a/src/whatsnew/1.7.rst b/src/whatsnew/1.7.rst index 322be9e..e0f9fa4 100644 --- a/src/whatsnew/1.7.rst +++ b/src/whatsnew/1.7.rst @@ -20,6 +20,15 @@ :depth: 1 :local: +.. _release/1.7.2: + +Version 1.7.2 +============= + +Security +-------- +* :ref:`CVE 2018-8007 <cve/2018-8007>` + .. _release/1.7.1: Version 1.7.1 diff --git a/src/whatsnew/2.1.rst b/src/whatsnew/2.1.rst index 47c4810..e0c0143 100644 --- a/src/whatsnew/2.1.rst +++ b/src/whatsnew/2.1.rst @@ -34,7 +34,7 @@ Upgrade Notes hand. The default has changed to meet new guidelines and to provide additional functionality in the future. - If you recieve errors in the logfile, such as + If you receive errors in the logfile, such as ``internal_server_error : No DB shards could be opened.`` or in Fauxton, such as ``This database failed to load.`` you need to make this change. @@ -73,6 +73,15 @@ Upgrade Notes ``--eval`` flag to the definition of the javascript query server in your ``local.ini`` file. +.. _release/2.1.2: + +Version 2.1.2 +============= + +Security +-------- +* :ref:`CVE 2018-8007 <cve/2018-8007>` + .. _release/2.1.1: Version 2.1.1
