oss-sec mailing list archives

CVE Request -- Apache CouchDB v.0.11.0 -- timing attacks flaw


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 31 Mar 2010 19:26:38 +0200

Hi Steve, vendors,

  Apache CouchDB upstream has released the latest version, v.0.11.0,
addressing timing attack flaw(s). More from the Bugtraq
post:
  [1] http://seclists.org/bugtraq/2010/Mar/254

"Apache CouchDB versions prior to version 0.11.0 are vulnerable to
timing attacks, also known as side-channel information leakage,
due to using simple break-on-inequality string comparisons when
verifying hashes and passwords."

References:
  [2] http://wiki.apache.org/couchdb/Breaking_changes
  [3] http://codahale.com/a-lesson-in-timing-attacks/
  [4] http://couchdb.apache.org/
  [5] http://couchdb.apache.org/downloads.html

Credit:
  Jason Davies of the Apache CouchDB development team

[1] references CVE-2008-2370 as the CVE id, but CVE-2008-2370 is an Apache Tomcat flaw:
  [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370

Since Apache CouchDB is a different code base, susceptible to the same
issue as in [3], I assume a new CVE identifier is required.

Steve, could you allocate one?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
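As an added illustration, not part of Jan's message or of the CouchDB code base: the break-on-inequality comparison the advisory describes, beside a constant-time replacement, written in Python rather than CouchDB's Erlang. The password scheme (sha1 over salt + password), the salt and the passwords are constructed for the example and are not a claim about CouchDB's actual hashing.

```python
import hashlib
import hmac
from typing import Tuple


def break_on_inequality_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """The flawed pattern: returns early at the first differing byte.

    Also returns how many byte comparisons ran, so the leak is visible
    without timing anything: the count equals the matching prefix length + 1.
    """
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Hardened form: always walks every byte, so the work done does not
    depend on where the first mismatch is. Only the length check returns
    early; that is acceptable when comparing fixed-length digests."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


# Constructed scheme for the example: stored_hash = sha1(salt + password).
SALT = b"example-salt"  # constructed value


def make_stored_hash(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def verify_password(candidate: str, stored_hash: bytes, salt: bytes = SALT) -> bool:
    """Digest verification using the standard library's constant-time compare."""
    computed = make_stored_hash(candidate, salt)
    return hmac.compare_digest(computed, stored_hash)


if __name__ == "__main__":
    stored = make_stored_hash("correct horse")
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
```

Note that `constant_time_equal` and `hmac.compare_digest` still reveal whether the lengths match, which is why both are meant for fixed-length digests, not raw passwords.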