Hello community,

here is the log from the commit of package couchdb.2720 for openSUSE:12.3:Update checked in at 2014-04-15 11:12:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/couchdb.2720 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.couchdb.2720.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "couchdb.2720"

Changes:
--------
New Changes file:

--- /dev/null	2014-02-13 01:09:38.344032506 +0100
+++ /work/SRC/openSUSE:12.3:Update/.couchdb.2720.new/couchdb.changes	2014-04-15 11:12:05.000000000 +0200
@@ -0,0 +1,367 @@ +------------------------------------------------------------------- +Fri Apr 4 12:52:41 UTC 2014 - nkrin...@suse.com + +- Bug 871111 - VUL-1: CVE-2014-2668: couchdb: remote denial of service via /_uuids + Apache CouchDB 1.5.0 and earlier allows remote attackers to cause a denial of + service (CPU and memory consumption) via the count parameter to /_uuids. + Fix from upstream added as bnc-871111-remote-dos-via_uuids.patch + +------------------------------------------------------------------- +Wed Jan 9 16:11:08 CET 2013 - sbra...@suse.cz + +- Fix path to nologin in useradd (bnc#796242). + +------------------------------------------------------------------- +Fri Jan 4 16:15:39 UTC 2013 - v...@openssl.it + +- Fix a futon bug when saving view code of design documents that + do not define the "language" property. The CouchDB server treats + them as "javascript" views, so the same behavior has been added + to the futon. + +------------------------------------------------------------------- +Fri Dec 7 15:21:11 UTC 2012 - rha...@suse.com + +- Fixed LSB headers in init script to make inserv happy. CouchDB + cannot start in runlevel 2 as it requires $network. + +------------------------------------------------------------------- +Thu Nov 22 00:40:42 GMT 2012 - aspi...@suse.com + +- Use "su" instead of "sudo" in init script, else couchdb inside + screen session dies when screen terminates. 
+ +------------------------------------------------------------------- +Mon Nov 19 13:38:34 UTC 2012 - v...@openssl.it + +- Re-introduce js-devel BuildRequire for openSUSE-12.2 + +------------------------------------------------------------------- +Thu Nov 8 18:02:16 UTC 2012 - v...@openssl.it + +- Replace js-devel BuildRequire with mozilla-xulrunner192-devel + (already in openSUSE) +- Remove BuildRequire curl-devel as it is not needed anymore + http://www.apache.org/dist/couchdb/notes/1.2.0/apache-couchdb-1.2.0.html + +------------------------------------------------------------------- +Mon Jul 30 14:32:12 UTC 2012 - sasc...@suse.de + +- BuildRequire js-devel (already in openSUSE) instead of libjs-devel + (only in server:database) + +------------------------------------------------------------------- +Tue Jul 24 11:17:02 UTC 2012 - sasc...@suse.de + +- Set login shell of user couchdb to /bin/false +- Create /var/run/couchdb in %post and %ghost it (tmpfs) + +------------------------------------------------------------------- +Fri Jul 13 14:56:07 UTC 2012 - ja...@suse.de + +- Add init and sysconfig scripts from IBS Devel:Cloud, so that CouchDB + actually starts when installed + +------------------------------------------------------------------- +Thu Jul 12 16:14:55 UTC 2012 - dmacvi...@suse.de + +- remove all xulrunner support + without the rpath patch was already not working +- add --enable-js-trunk to build with newer libjs + +------------------------------------------------------------------- +Fri Jun 15 04:07:03 UTC 2012 - factory-maintai...@kulow.org + +- fix requires for factory + +------------------------------------------------------------------- +Wed Jun 13 15:53:51 UTC 2012 - co...@suse.com + +- update to 1.2.0, plenty of changes - see + http://www.apache.org/dist/couchdb/notes/1.2.0/apache-couchdb-1.2.0.html + +------------------------------------------------------------------- +Thu Dec 15 10:52:45 UTC 2011 - co...@suse.com + +- apache pulled 1.1.0, so 
update to 1.1.1 + - Support SpiderMonkey 1.8.5 + - Add configurable maximum to the number of bytes returned by _log. + - Allow CommonJS modules to be an empty string. + - Bump minimum Erlang version to R13B02. + - Do not run deleted validate_doc_update functions. + - ETags for views include current sequence if include_docs=true. + - Fix bug where duplicates can appear in _changes feed. + - Fix bug where update handlers break after conflict resolution. + - Fix bug with _replicator where include "filter" could crash couch. + - Fix crashes when compacting large views. + - Fix file descriptor leak in _log + - Fix missing revisions in _changes?style=all_docs. + - Improve handling of compaction at max_dbs_open limit. + - JSONP responses now send "text/javascript" for Content-Type. + - Link to ICU 4.2 on Windows. + - Permit forward slashes in path to update functions. + - Reap couchjs processes that hit reduce_overflow error. + - Status code can be specified in update handlers. + - Support provides() in show functions. + - _view_cleanup when ddoc has no views now removes all index files. + - max_replication_retry_count now supports "infinity". + - Fix replication crash when source database has a document with empty ID. + - Fix deadlock when assigning couchjs processes to serve requests. + - Fixes to the document multipart PUT API. + - Fixes regarding file descriptor leaks for databases with views. 
+ +------------------------------------------------------------------- +Thu Dec 8 12:51:05 UTC 2011 - dmacvi...@suse.de + +- create /var/run/couchdb explicitly in the init script + (needed with /var/run as tmpfs) + +------------------------------------------------------------------- +Thu Dec 1 11:20:40 UTC 2011 - co...@suse.com + +- add libtool as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Fri Sep 30 00:10:35 UTC 2011 - sasc...@suse.de + +- Set license to Apache-2.0 (SPDX style) +- Removed outdated %clean section +- Use %_smp_mflags instead of %jobs macro +- Use %make_install instead of %makeinstall + +------------------------------------------------------------------- +Mon Jun 6 16:44:37 UTC 2011 - mrueck...@suse.de + +- update to version 1.1.0 + - Native SSL support. + - Added support for HTTP range requests for attachments. + - Added built-in filters for _changes: _doc_ids and _design. + - Added configuration option for TCP_NODELAY aka “Nagle”. + - Allow wildcards in vhosts definitions. + - More granular ETag support for views. + - More flexible URL rewriter. + - Added OS Process module to manage daemons outside of CouchDB. + - Added HTTP Proxy handler for more scalable externals. + - Added _replicator database to manage replications. + - Multiple micro-optimizations when reading data. + - Added CommonJS support to map functions. + - Added stale=update_after query option that triggers a view + update after returning a stale=ok response. + - More explicit error messages when it’s not possible to access a + file due to lack of permissions. + - Added a “change password”-feature to Futon. + +------------------------------------------------------------------- +Thu Mar 31 16:15:21 UTC 2011 - roos...@gmail.com + +- update to version 1.0.2 + * Make test suite work with Safari and Chrome. + * Fixed animated progress spinner. + * Fix raw view document link due to overzealous URI encoding. 
+ * Spell javascript correctly in loadScript(uri). + * Fix leaking file handles after compacting databases and views. + * Fix databases forgetting their validation function after + compaction. + * Fix occasional timeout errors after successfully compacting + large databases. + * Fix ocassional error when writing to a database that has just + been compacted. + * Fix occasional timeout errors on systems with slow or heavily + loaded IO. + * Fix for OOME when compactions include documents with many + conflicts. + * Fix for missing attachment compression when MIME types + included parameters. + * Preserve purge metadata during compaction to avoid spurious + view rebuilds. + * Fix spurious conflicts introduced when uploading an attachment + after a doc has been in a conflict. + See COUCHDB-902 for details. + * Fix for frequently edited documents in multi-master deployments + being duplicated in changes and _alldocs. See COUCHDDB-968 for + details on how to repair. + * Significantly higher read and write throughput against database + and view index files. + * Reduce lengthy stack traces. + * Allow logging of native types. + * Allow reduce=false parameter in map-only views. + * Fix parsing of Accept headers. + * Fix for multipart GET APIs when an attachment was created + during a local-local replication. See COUCHDB-1022 for details. + * Updated ibrowse library to 2.1.2 fixing numerous replication + issues. + * Make sure that the replicator respects HTTP settings defined + in the config. + * Fix error when the ibrowse connection closes unexpectedly. + * Fix authenticated replication (with HTTP basic auth) of design + documents with attachments. 
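Review bot: a few spelling slips in the new changes file: "inserv" should be "insserv" in the Dec 7 2012 entry, and in the 1.0.2 release notes copied into the Mar 31 2011 entry "ocassional" should be "occasional" and "COUCHDDB-968" should be "COUCHDB-968" (the ticket prefix used everywhere else in the same list). If the upstream NEWS text is meant to be quoted verbatim, leave it, but at least the entry written here (insserv) should be corrected.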
++++ 170 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.couchdb.2720.new/couchdb.changes

New:
----
  apache-couchdb-1.2.0.tar.gz
  bnc-871111-remote-dos-via_uuids.patch
  couchdb-futon-default-view-language.patch
  couchdb.changes
  couchdb.init
  couchdb.spec
  couchdb.sysconfig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ couchdb.spec ++++++
#
# spec file for package couchdb
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


%define couchdb_user couchdb
%define couchdb_group couchdb
%define couchdb_home %{_localstatedir}/lib/couchdb

Name:           couchdb
Version:        1.2.0
Release:        0
Summary:        A document database server, accessible via a RESTful JSON API
License:        Apache-2.0
Group:          Productivity/File utilities
Url:            http://couchdb.apache.org/
Source0:        http://www.apache.org/dist/%{name}/releases/%{version}/apache-couchdb-%{version}.tar.gz
Source1:        %{name}.init
Source2:        %{name}.sysconfig
Patch0:         couchdb-futon-default-view-language.patch
Patch1:         bnc-871111-remote-dos-via_uuids.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  automake
BuildRequires:  erlang
BuildRequires:  gcc-c++
BuildRequires:  help2man
BuildRequires:  libicu-devel
BuildRequires:  libtool
%if 0%{?suse_version} < 1200
BuildRequires:  mozilla-xulrunner192-devel
%else
BuildRequires:  js-devel
%endif
BuildRequires:  pkgconfig
Requires:       erlang
Requires:       logrotate
Requires(post): aaa_base
Requires(preun):aaa_base
# Users and groups
Requires(pre):  pwdutils
PreReq:         %insserv_prereq %fillup_prereq

%description
Apache CouchDB is a distributed, fault-tolerant and schema-free
document-oriented database accessible via a RESTful HTTP/JSON API. Among
other features, it provides robust, incremental replication with
bi-directional conflict detection and resolution, and is queryable and
indexable using a table-oriented view engine with JavaScript acting as the
default view definition language.

%prep
%setup -q -n apache-couchdb-%{version}
%patch0
%patch1 -p1

%build
autoreconf -fi
# Versions of SpiderMonkey after the js185-1.0.0 release remove the optional
# enforcement of preventing anonymous functions in a statement context. This
# will most likely break your existing JavaScript code as well as render all
# example code invalid.
# If you wish to ignore this error pass --enable-js-trunk to ./configure.
#
# We need to define the use of gnu99 standard. It seems expected in the code,
# but not passed.
export CFLAGS="%{optflags} -std=gnu99"
%configure --enable-js-trunk
make %{?_smp_mflags}

%install
%makeinstall

## Install couchdb initscript
install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/%{name}
install -d %{buildroot}%{_sbindir}
ln -s %{_initddir}/couchdb %{buildroot}%{_sbindir}/rccouchdb

# Sysconfig template
mkdir -p %{buildroot}%{_var}/adm/fillup-templates/
install -p -D -m 644 %{SOURCE2} %{buildroot}%{_var}/adm/fillup-templates/sysconfig.couchdb

# Create needed directories
install -d %{buildroot}%{_localstatedir}/{log,lib}/couchdb
install -d %{buildroot}%{_sysconfdir}/couchdb/{default.d,local.d}

# Remove unnecessary files
rm %{buildroot}%{_sysconfdir}/rc.d/couchdb
rm -rf %{buildroot}%{_datadir}/doc/couchdb

# clean-up .la archives
find %{buildroot} -name '*.la' -delete -print

%pre
getent group %{couchdb_group} >/dev/null || groupadd -r %{couchdb_group} || :
if getent passwd %{couchdb_user} >/dev/null ; then
    # There was a bad login shell up to openSUSE 12.2 (bnc#796242), SLE11SP2 used /bin/bash. Fix it.
usermod -s /usr/sbin/nologin %{couchdb_user} || : else useradd -r -g %{couchdb_group} -d %{couchdb_home} -s /usr/sbin/nologin \ -c "Couchdb Database Server" %{couchdb_user} || : fi %post %{fillup_and_insserv couchdb} mkdir -p %{_localstatedir}/run/couchdb %postun %restart_on_update couchdb %insserv_cleanup %preun %stop_on_removal couchdb %files %defattr(-,root,root,-) %doc AUTHORS BUGS CHANGES LICENSE NEWS NOTICE README THANKS %dir %{_sysconfdir}/couchdb %dir %{_sysconfdir}/couchdb/local.d %dir %{_sysconfdir}/couchdb/default.d %config(noreplace) %attr(0644, %{couchdb_user}, root) %{_sysconfdir}/couchdb/default.ini %config(noreplace) %attr(0644, %{couchdb_user}, root) %{_sysconfdir}/couchdb/local.ini %config(noreplace) %{_sysconfdir}/default/couchdb %config(noreplace) %{_sysconfdir}/logrotate.d/couchdb %{_initddir}/couchdb %{_var}/adm/fillup-templates/sysconfig.couchdb %{_sbindir}/rccouchdb %{_bindir}/* %{_libdir}/couchdb %{_datadir}/couchdb %{_mandir}/man1/* %dir %attr(0755, %{couchdb_user}, root) %{_localstatedir}/log/couchdb %ghost %dir %attr(0755, %{couchdb_user}, root) %{_localstatedir}/run/couchdb %dir %attr(0755, %{couchdb_user}, root) %{_localstatedir}/lib/couchdb %changelog ++++++ bnc-871111-remote-dos-via_uuids.patch ++++++ From: Robert Newson <rnew...@apache.org> Date: Tue, 25 Mar 2014 15:02:50 +0000 (+0000) Subject: Configurable upper bound to _uuids count parameter X-Git-Url: http://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commitdiff_plain;h=0fb5aa9e67bd291ca2638dba961f4ddd3f6ccb3e;hp=198bea3479dfecac13ab1a3e95f902b8eba02f7d Configurable upper bound to _uuids count parameter --- diff --git a/etc/couchdb/default.ini.tpl.in b/etc/couchdb/default.ini.tpl.in index fd953c2..32537e0 100644 --- a/etc/couchdb/default.ini.tpl.in +++ b/etc/couchdb/default.ini.tpl.in 
@@ -169,6 +169,8 @@ algorithm = sequential ; utc_random - Time since Jan 1, 1970 UTC with microseconds ; First 14 characters are the time in hex. Last 18 are random. algorithm = sequential +# Maximum number of UUIDs retrievable from /_uuids in a single request +max_count = 1000 [stats] ; rate is in milliseconds diff --git a/share/www/script/test/uuids.js b/share/www/script/test/uuids.js index 6f5d223..0f141a9 100644 --- a/share/www/script/test/uuids.js +++ b/share/www/script/test/uuids.js @@ -80,6 +80,10 @@ couchTests.uuids = function(debug) { } }; + // test max_uuid_count + var xhr = CouchDB.request("GET", "/_uuids?count=1001"); + TEquals(401, xhr.status, "should error when count > max_count"); + run_on_modified_server([{ "section": "uuids", "key": "algorithm", diff --git a/src/couchdb/couch_httpd_misc_handlers.erl b/src/couchdb/couch_httpd_misc_handlers.erl index 96a05c6..67e3a12 100644 --- a/src/couchdb/couch_httpd_misc_handlers.erl +++ b/src/couchdb/couch_httpd_misc_handlers.erl @@ -105,7 +105,12 @@ handle_restart_req(Req) -> handle_uuids_req(#httpd{method='GET'}=Req) -> + Max = list_to_integer(couch_config:get("uuids","max","1000")), Count = list_to_integer(couch_httpd:qs_value(Req, "count", "1")), + case Count > Max of + true -> throw({forbidden, <<"count parameter too large">>}); + false -> ok + end, UUIDs = [couch_uuids:new() || _ <- lists:seq(1, Count)], Etag = couch_httpd:make_etag(UUIDs), couch_httpd:etag_respond(Req, Etag, fun() -> ++++++ couchdb-futon-default-view-language.patch ++++++ --- share/www/script/futon.browse.js.orig 2013-01-04 16:45:45.000000000 +0100 +++ share/www/script/futon.browse.js 2013-01-04 17:06:24.000000000 +0100 
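Review bot: in the etc/couchdb/default.ini.tpl.in hunk the new key is named `max_count`, but the handler in the couch_httpd_misc_handlers.erl hunk reads `couch_config:get("uuids","max","1000")`, so a value set under `[uuids] max_count` is never consulted and the effective limit is always the hard-coded default of 1000. Make the two names agree (the ini and the test both talk about a count, so `max_count` is the better name to keep). Minor: the new comment line uses `#` while every other comment in this section uses `;`.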
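Review bot: the share/www/script/test/uuids.js hunk asserts the wrong status: the handler throws `{forbidden, <<"count parameter too large">>}`, which couch_httpd renders as 403, not 401, so `TEquals(401, xhr.status, "should error when count > max_count")` fails against the patched server. Either assert 403, or have the handler answer 400 (an oversized query parameter is a client error, not an authorization failure) and assert that. The comment says `max_uuid_count` while the configuration key is `max_count`, and a positive check at exactly `count=1000` would pin the boundary.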
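Review bot: in the src/couchdb/couch_httpd_misc_handlers.erl hunk the bound is enforced before any UUID is generated, which is where it belongs, but the raw `count` value is still passed straight to `list_to_integer/1`, so `count=abc` raises badarg and surfaces as a 500 instead of a 400, and a negative count gets past the `Count > Max` test and then crashes in `lists:seq(1, Count)`. Validate that `count` is a non-negative integer and reply `bad_request` otherwise; the too-large case reads more naturally as `bad_request` too. The key passed to `couch_config:get` also has to match the one added to default.ini (`max_count`), otherwise the setting is dead configuration.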
@@ -567,6 +567,9 @@ for (var viewName in (doc.views || {})) { if (viewName != localViewName) numViews++; } + if (doc.language === undefined) { + doc.language = 'javascript'; + } if (numViews > 0 && page.viewLanguage != doc.language) { alert("Cannot save view because the design document language " + "is \"" + doc.language + "\", not \"" + ++++++ couchdb.init ++++++ #!/bin/sh # # couchdb This is the init script for starting up the CouchDB server # # chkconfig: - 20 80 # description: Starts and stops the CouchDB daemon that handles \ # all database requests. ### BEGIN INIT INFO # Provides: couchdb # Required-Start: $local_fs $network # Required-Stop: $local_fs $network # Should-Start: $remote_fs # Should-Stop: $remote_fs # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: start and stop CouchDB database server # Description: Apache CouchDB is a distributed, fault-tolerant and # schema-free document-oriented database accessible # via a RESTful HTTP/JSON API ### END INIT INFO # Source function library. . /etc/rc.status rc_reset COUCHDB_BIN="/usr/bin/couchdb" COUCHDB_USER="couchdb" COUCHDB_INIT_FILE="/var/log/couchdb/couchdb.init" COUCHDB_STDOUT_FILE="/dev/null" COUCHDB_STDERR_FILE="/var/log/couchdb/couchdb.stderr" COUCHDB_RESPAWN_TIMEOUT=5 export HOME=/var/lib/couchdb config="/etc/sysconfig/couchdb" [ -e $config ] && . 
$config

lockfile=/var/lock/subsys/couchdb

# /var/run is a tmpfs, so the pid directory is only a %ghost in the package
# and has to be recreated on every boot.
mkdir -m 755 -p /var/run/couchdb
chown "$COUCHDB_USER" /var/run/couchdb

case "$1" in
    start)
        echo -n "Starting CouchDB"
        [ -n "$COUCHDB_RESPAWN_TIMEOUT" ] && respawn="-r $COUCHDB_RESPAWN_TIMEOUT"
        startproc -s -u $COUCHDB_USER $COUCHDB_BIN -b \
            -o $COUCHDB_STDOUT_FILE \
            -e $COUCHDB_STDERR_FILE \
            $respawn \
            $COUCHDB_OPTIONS >> $COUCHDB_INIT_FILE 2>&1
        rc_status -v
        ;;
    stop)
        echo -n "Stopping CouchDB"
        # The couchdb account's login shell is /usr/sbin/nologin (see %pre in
        # the spec file), so su needs an explicit shell; sudo is not a
        # dependency of this package and the changelog says su replaces it.
        su -s /bin/sh $COUCHDB_USER -c "$COUCHDB_BIN -d" >> $COUCHDB_INIT_FILE 2>&1
        rc_status -v
        ;;
    restart|force-reload)
        $0 stop
        $0 start
        rc_status
        ;;
    status)
        echo -n "Checking for CouchDB"
        # Without -s /bin/sh, su would run nologin and the check would always
        # report CouchDB as stopped.
        su -s /bin/sh $COUCHDB_USER -c "$COUCHDB_BIN -s" >> $COUCHDB_INIT_FILE 2>&1 || rc_failed 3
        rc_status -v
        ;;
    condrestart|try-restart)
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|force-reload}"
        exit 1
esac
rc_exit

++++++ couchdb.sysconfig ++++++
## Type:        string
## Default:     "couchdb"
#
# User the process runs as.
# Don't change this unless you know what you are doing
#
COUCHDB_USER=couchdb

## Type:        string
## Default:     "/var/log/couchdb/couchdb.init"
#
# Standard output/error for the CouchDb init script
# Don't change this unless you know what you are doing
#
COUCHDB_INIT_FILE=/var/log/couchdb/couchdb.init

## Type:        string
## Default:     "/dev/null"
#
# Standard output for the CouchDb process
# Don't change this unless you know what you are doing
#
COUCHDB_STDOUT_FILE=/dev/null

## Type:        string
## Default:     "/var/log/couchdb/couchdb.stderr"
#
# Standard error for the CouchDb process
# Don't change this unless you know what you are doing
#
COUCHDB_STDERR_FILE=/var/log/couchdb/couchdb.stderr

## Type:        integer(0:)
## Default:     5
#
# Respawn timeout
#
COUCHDB_RESPAWN_TIMEOUT=5

## Type:        string
## Default:     ""
#
# Other options to pass to the server process
#
COUCHDB_OPTIONS=

--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org