oss-sec mailing list archives
CVE Request -- Apache CouchDB v.0.11.0 -- timing attacks flaw
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 31 Mar 2010 19:26:38 +0200
Hi Steve, vendors,

Apache CouchDB upstream has released the latest version, v.0.11.0, addressing timing attack flaw(s). More from the Bugtraq post:

[1] http://seclists.org/bugtraq/2010/Mar/254

"Apache CouchDB versions prior to version 0.11.0 are vulnerable to timing attacks, also known as side-channel information leakage, due to using simple break-on-inequality string comparisons when verifying hashes and passwords."

References:
[2] http://wiki.apache.org/couchdb/Breaking_changes
[3] http://codahale.com/a-lesson-in-timing-attacks/
[4] http://couchdb.apache.org/
[5] http://couchdb.apache.org/downloads.html

Credit: Jason Davies of the Apache CouchDB development team

[1] references CVE-2008-2370 as the CVE id, but CVE-2008-2370 is an Apache Tomcat flaw:
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370

Since Apache CouchDB is a different code base, susceptible to the same issue as in [3], I assume a new CVE identifier is required. Steve, could you allocate one?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
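To illustrate the class of flaw described in the Bugtraq quote above, here is an added example (not CouchDB's own code, and in Python rather than CouchDB's Erlang): a break-on-inequality comparison next to a constant-time one, with a step counter showing how the naive version's running time depends on the position of the first mismatching byte. The hash values are constructed for the demonstration.

```python
import hmac

# Constructed sample: a stored hash and two candidate values that differ
# from it at different positions.
STORED = b"5f4dcc3b5aa765d61d8327deb882cf99"


def naive_equal(a: bytes, b: bytes) -> bool:
    """Break-on-inequality comparison: returns at the first mismatching byte,
    so the time taken reveals how long the matching prefix is."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def naive_steps(a: bytes, b: bytes) -> int:
    """Number of byte comparisons naive_equal performs before returning.
    This count is the side channel: it grows with the matching prefix."""
    if len(a) != len(b):
        return 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            break
    return steps


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Fixed-work comparison: OR together the XOR of every byte pair and only
    inspect the accumulator at the end, so every mismatch costs the same."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def stdlib_equal(a: bytes, b: bytes) -> bool:
    """The standard-library equivalent, preferred in real code."""
    return hmac.compare_digest(a, b)
```

Comparing a candidate that mismatches in its first byte against one that mismatches only in its last shows the naive comparator doing 1 versus 32 steps, while constant_time_equal always walks the full length.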