[couchdb-documentation] 01/02: docs: add CVE-2018-8007 to 1.7.x and 2.1.x release notes

[wo...@apache.org]

This is an automated email from the ASF dual-hosted git repository.

wohali pushed a commit to branch fix-the-build
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git

commit 936e04f56e1ee1c0d395ef4f6421deac859cbb30
Author: Dave Cottlehuber <dc...@skunkwerks.at>
AuthorDate: Mon Apr 30 11:29:30 2018 +0000

    docs: add CVE-2018-8007 to 1.7.x and 2.1.x release notes
---
 src/cve/2018-8007.rst | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++
 src/whatsnew/1.7.rst  |  9 ++++++++
 src/whatsnew/2.1.rst  | 11 +++++++++-
 3 files changed, 76 insertions(+), 1 deletion(-)

diff --git a/src/cve/2018-8007.rst b/src/cve/2018-8007.rst
new file mode 100644
index 0000000..f187989
--- /dev/null
+++ b/src/cve/2018-8007.rst
@@ -0,0 +1,57 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2018-8007:
+
+====================================================
+CVE-2018-8007: Apache CouchDB Remote Code Execution
+====================================================
+
+:Date: 30.04.2018
+
+:Affected: All Versions of Apache CouchDB
+
+:Severity: Low
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+CouchDB administrative users can configure the database server via HTTP(S). Due
+to insufficient validation of administrator-supplied configuration settings via
+the HTTP API, it is possible for a CouchDB administrator user to escalate their
+privileges to that of the operating system's user that CouchDB runs under, by
+bypassing the backlist of configuration settings that are not allowed to be
+modified via the HTTP API.
+
+This privilege escalation effectively allows a CouchDB admin user to gain
+arbitrary remote code execution, bypassing :ref:`CVE-2017-12636 <cve/2017-12636>`
+
+Mitigation
+==========
+
+All users should upgrade to CouchDB :ref:`1.7.2 <release/1.7.2>` or
+:ref:`2.1.2 <release/2.1.2>`.
+
+Upgrades from previous 1.x and 2.x versions in the same series should be
+seamless.
+
+Users on earlier versions, or users upgrading from 1.x to 2.x should consult
+with upgrade notes.
+
+Credit
+======
+
+This issue was discovered by Francesco Oddo of `MDSec Labs`_.
+
+.. _MDSec Labs: https://www.mdsec.co.uk/
diff --git a/src/whatsnew/1.7.rst b/src/whatsnew/1.7.rst
index 322be9e..e0f9fa4 100644
--- a/src/whatsnew/1.7.rst
+++ b/src/whatsnew/1.7.rst
@@ -20,6 +20,15 @@
    :depth: 1
    :local:
 
+.. _release/1.7.2:
+
+Version 1.7.2
+=============
+
+Security
+--------
+* :ref:`CVE 2018-8007 <cve/2018-8007>`
+
 .. _release/1.7.1:
 
 Version 1.7.1
diff --git a/src/whatsnew/2.1.rst b/src/whatsnew/2.1.rst
index 47c4810..e0c0143 100644
--- a/src/whatsnew/2.1.rst
+++ b/src/whatsnew/2.1.rst
@@ -34,7 +34,7 @@ Upgrade Notes
   hand. The default has changed to meet new guidelines and to provide
   additional functionality in the future.
 
-  If you recieve errors in the logfile, such as
+  If you receive errors in the logfile, such as
   ``internal_server_error : No DB shards could be opened.`` or in Fauxton,
   such as ``This database failed to load.`` you need to make this change.
 
@@ -73,6 +73,15 @@ Upgrade Notes
   ``--eval`` flag to the definition of the javascript query server in your
   ``local.ini`` file.
 
+.. _release/2.1.2:
+
+Version 2.1.2
+=============
+
+Security
+--------
+* :ref:`CVE 2018-8007 <cve/2018-8007>`
+
 .. _release/2.1.1:
 
 Version 2.1.1