Posted to commits@couchdb.apache.org by wo...@apache.org on 2020/05/19 16:26:31 UTC
[couchdb-documentation] branch 3.0.x-cve created (now 2fa04b0)
This is an automated email from the ASF dual-hosted git repository.
wohali pushed a change to branch 3.0.x-cve
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git.
at 2fa04b0 Update src/cve/2020-1955.rst
This branch includes the following new commits:
new 93526e4 feat: new cve, woop
new 3b8bc21 Update src/cve/2020-1955.rst
new 0674346 Update src/cve/2020-1955.rst
new 976d0b2 Update src/cve/2020-1955.rst
new 2fa04b0 Update src/cve/2020-1955.rst
The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
[couchdb-documentation] 03/05: Update src/cve/2020-1955.rst
Posted by wo...@apache.org.
wohali pushed a commit to branch 3.0.x-cve
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git
commit 0674346f8d70ac73fe0634457693c994c57bd2e2
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Tue May 19 15:58:28 2020 +0200
Update src/cve/2020-1955.rst
Co-authored-by: Jonathan Hall <fl...@flimzy.com>
---
src/cve/2020-1955.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cve/2020-1955.rst b/src/cve/2020-1955.rst
index 7f55ef7..085adf2 100644
--- a/src/cve/2020-1955.rst
+++ b/src/cve/2020-1955.rst
@@ -47,7 +47,7 @@ CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0
Mitigation
==========
-Users that have not enabled `require_valid_user_except_for_up` are not
+Users who have not enabled `require_valid_user_except_for_up` are not
affected.
Users that have it enabled can either disable it again, or upgrade to
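Review bot: the same "that" to "who" change applies to the next sentence in the trailing context, "Users that have it enabled can either disable it again, or upgrade to", which this commit leaves untouched; fixing both sentences in one commit would keep the Mitigation section consistent instead of needing a follow-up.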
[couchdb-documentation] 01/05: feat: new cve, woop
Posted by wo...@apache.org.
wohali pushed a commit to branch 3.0.x-cve
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git
commit 93526e498b93b3d1d409809b7844d7aecffa2f16
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Tue May 19 15:52:16 2020 +0200
feat: new cve, woop
---
src/cve/2020-1955.rst | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/src/cve/2020-1955.rst b/src/cve/2020-1955.rst
new file mode 100644
index 0000000..17345dd
--- /dev/null
+++ b/src/cve/2020-1955.rst
@@ -0,0 +1,60 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2020-1955:
+
+===========================================================
+CVE-2020-1955: Apache CouchDB Remote Privilege Escalations
+===========================================================
+
+:Date: 19.05.2020
+
+:Affected: 3.0.0
+
+:Severity: Medium
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+CouchDB version 3.0.0 shipped with a new configuration setting that
+governs access control to the entire database server called
+`require_valid_user_except_for_up`. It was meant as an extension to the
+long standing setting `require_valid_user`, which in turn requires that
+any and all requests to CouchDB will have to be made with valid
+credentials, effectively forbidding any anonymous requests.
+
+The new `require_valid_user_except_for_up` is an off-by-default setting
+that was meant to allow requiring valid credentials for all endpoints
+except for the `/_up` endpoint.
+
+However, the implementation of this made an error that lead to not
+enforcing credentials on any endpoint, when enabled.
+
+CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0
+<release/3.1.0>` fix this issue.
+
+Mitigation
+==========
+
+Users that have not enabled `require_valid_user_except_for_up` are not
+affected.
+
+Users that have it enabled can either disable it again, or upgrade to
+CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0
+<release/3.1.0>`
+
+Credit
+======
+
+This issue was discovered by Stefan Klein.
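Review bot: the Mitigation advice "can either disable it again" does not restore the posture an operator wanted when they turned the setting on; by the Description's own account, disabling `require_valid_user_except_for_up` returns the server to accepting anonymous requests, which is the same exposure the bug causes. The interim mitigation that actually closes the hole is to set the long-standing `require_valid_user` instead, which the Description says rejects every unauthenticated request, at the cost of also requiring credentials for `/_up`; suggest stating that explicitly, e.g. "Users who have it enabled should disable it and enable `require_valid_user` instead until they can upgrade". Smaller points in the same hunk: "upgrade to CouchDB versions 3.0.1 and 3.1.0" should read "3.0.1 or 3.1.0" and lacks a terminating period; "an error that lead to not enforcing credentials" should be "led to"; and the title says "Escalations" while the text describes a single issue.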
[couchdb-documentation] 04/05: Update src/cve/2020-1955.rst
Posted by wo...@apache.org.
wohali pushed a commit to branch 3.0.x-cve
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git
commit 976d0b2a3b5b87ccc83dc432baad78c013a6f013
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Tue May 19 15:59:03 2020 +0200
Update src/cve/2020-1955.rst
---
src/cve/2020-1955.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cve/2020-1955.rst b/src/cve/2020-1955.rst
index 085adf2..5457588 100644
--- a/src/cve/2020-1955.rst
+++ b/src/cve/2020-1955.rst
@@ -50,7 +50,7 @@ Mitigation
Users who have not enabled `require_valid_user_except_for_up` are not
affected.
-Users that have it enabled can either disable it again, or upgrade to
+Users who have it enabled can either disable it again, or upgrade to
CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0
<release/3.1.0>`
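Review bot: the sentence this commit edits still ends, in the trailing context, with "upgrade to CouchDB versions 3.0.1 and 3.1.0" and no period; "and" should be "or", since a user upgrades to one of the two releases, and the period belongs after the closing ``:ref:``. Both fit in this commit since the sentence is already being touched.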
[couchdb-documentation] 05/05: Update src/cve/2020-1955.rst
Posted by wo...@apache.org.
wohali pushed a commit to branch 3.0.x-cve
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git
commit 2fa04b02978f7afe2f0d61c5f609f5b70d765e3e
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Tue May 19 16:00:06 2020 +0200
Update src/cve/2020-1955.rst
---
src/cve/2020-1955.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cve/2020-1955.rst b/src/cve/2020-1955.rst
index 5457588..6766f20 100644
--- a/src/cve/2020-1955.rst
+++ b/src/cve/2020-1955.rst
@@ -13,7 +13,7 @@
.. _cve/2020-1955:
===========================================================
-CVE-2020-1955: Apache CouchDB Remote Privilege Escalations
+CVE-2020-1955: Apache CouchDB Remote Privilege Escalation
===========================================================
:Date: 19.05.2020
[couchdb-documentation] 02/05: Update src/cve/2020-1955.rst
Posted by wo...@apache.org.
wohali pushed a commit to branch 3.0.x-cve
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git
commit 3b8bc210289bd8775c0bc8b9065f9815d50bb553
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Tue May 19 15:58:10 2020 +0200
Update src/cve/2020-1955.rst
Co-authored-by: Jonathan Hall <fl...@flimzy.com>
---
src/cve/2020-1955.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cve/2020-1955.rst b/src/cve/2020-1955.rst
index 17345dd..7f55ef7 100644
--- a/src/cve/2020-1955.rst
+++ b/src/cve/2020-1955.rst
@@ -30,7 +30,7 @@ Description
CouchDB version 3.0.0 shipped with a new configuration setting that
governs access control to the entire database server called
`require_valid_user_except_for_up`. It was meant as an extension to the
-long standing setting `require_valid_user`, which in turn requires that
+long-standing setting `require_valid_user`, which in turn requires that
any and all requests to CouchDB will have to be made with valid
credentials, effectively forbidding any anonymous requests.
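Review bot: the clause being hyphenated, "which in turn requires that any and all requests to CouchDB will have to be made with valid credentials", stacks "requires that" on "will have to be"; suggest "which requires that every request to CouchDB carry valid credentials, effectively forbidding anonymous requests". In the leading context, "a new configuration setting that governs access control to the entire database server called `require_valid_user_except_for_up`" attaches the name to the server rather than the setting; moving the name forward ("a new configuration setting, `require_valid_user_except_for_up`, that governs access control to the entire database server") reads unambiguously.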