Posted to user@couchdb.apache.org by Garren Smith <ga...@apache.org> on 2019/05/01 12:04:53 UTC

Re: Docker Hub security breach and CouchDB image update

Hi Joan,

Thanks for reacting so quickly and fixing it all. It’s really appreciated.

Cheers
Garren

On Tue, Apr 30, 2019 at 11:47 PM Joan Touzet <wo...@apache.org> wrote:

> Hello there,
>
> You may have read about the recent breach of security at Docker Hub[1].
>
> In light of this breach, and in the interest of security for all of our
> users, today we have taken the following actions:
>
> * Reset all passwords and tokens that were in use with Docker Hub.
>   (Apache CouchDB never published anything to Docker Hub in an
>   automated fashion, by policy.)
>
> * Rebuilt and republished all currently supported CouchDB images in use:
>
>   apache/couchdb:2.3.1 (aka "latest")
>   apache/couchdb:2.3.0
>
> * Rebuilt and republished these images, which are no longer supported:
>   apache/couchdb:1.7.2
>   apache/couchdb:1.7.2-couchperuser
>
> * Removed all tags that are no longer supported or have known security
>   issues. This includes versions 1.6.*, 1.7.1, 2.0.*, 2.1.*, and 2.2.*.
>
> While there were no known issues with any of our published images, and
> we were not notified that our password hash was potentially leaked, this
> action was in the best interest of the project.
>
> Note that the "official" Docker couchdb image (what you get if you run
> `docker pull couchdb` instead of `docker pull apache/couchdb`) is
> maintained by Docker staff, not us, and is auto-published using their
> infrastructure based on the Dockerfile and scripts we provide. They are
> already updating this image on a regular basis.
>
> -Joan "Move over, Maersk" Touzet
>
> [1]: https://success.docker.com/article/docker-hub-user-notification