Posted to commits@couchdb.apache.org by kx...@apache.org on 2013/08/09 14:17:07 UTC

git commit: updated refs/heads/1781-reorganize-and-improve-docs to cb78447

Updated Branches:
  refs/heads/1781-reorganize-and-improve-docs f2a0c9369 -> cb7844722


Add CVE information.


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/cb784472
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/cb784472
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/cb784472

Branch: refs/heads/1781-reorganize-and-improve-docs
Commit: cb7844722e53f6cbb8fe234b8d2b4e6370a9566a
Parents: f2a0c93
Author: Alexander Shorin <kx...@apache.org>
Authored: Fri Aug 9 16:16:43 2013 +0400
Committer: Alexander Shorin <kx...@apache.org>
Committed: Fri Aug 9 16:16:43 2013 +0400

----------------------------------------------------------------------
 share/doc/build/Makefile.am      | 21 ++++++++++
 share/doc/src/cve/2010-0009.rst  | 54 ++++++++++++++++++++++++
 share/doc/src/cve/2010-2234.rst  | 64 +++++++++++++++++++++++++++++
 share/doc/src/cve/2010-3854.rst  | 57 ++++++++++++++++++++++++++
 share/doc/src/cve/2012-5641.rst  | 77 +++++++++++++++++++++++++++++++++++
 share/doc/src/cve/2012-5649.rst  | 50 +++++++++++++++++++++++
 share/doc/src/cve/2012-5650.rst  | 69 +++++++++++++++++++++++++++++++
 share/doc/src/cve/index.rst      | 73 +++++++++++++++++++++++++++++++++
 share/doc/src/index.rst          |  1 +
 share/doc/src/whatsnew/0.10.rst  |  8 +++-
 share/doc/src/whatsnew/0.11.rst  |  7 +++-
 share/doc/src/whatsnew/1.0.rst   | 14 ++++---
 share/doc/src/whatsnew/1.1.rst   | 20 ++++++---
 share/doc/src/whatsnew/1.2.rst   | 14 ++++---
 share/doc/src/whatsnew/index.rst |  2 +
 15 files changed, 511 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/build/Makefile.am
----------------------------------------------------------------------
diff --git a/share/doc/build/Makefile.am b/share/doc/build/Makefile.am
index ad10df9..a4d1c06 100644
--- a/share/doc/build/Makefile.am
+++ b/share/doc/build/Makefile.am
@@ -94,6 +94,13 @@ html_files = \
     html/_sources/couchapp/views/intro.txt \
     html/_sources/couchapp/views/joins.txt \
     html/_sources/couchapp/views/nosql.txt \
+    html/_sources/cve/2010-0009.txt \
+    html/_sources/cve/2010-2234.txt \
+    html/_sources/cve/2010-3854.txt \
+    html/_sources/cve/2012-5641.txt \
+    html/_sources/cve/2012-5649.txt \
+    html/_sources/cve/2012-5650.txt \
+    html/_sources/cve/index.txt \
     html/_sources/fauxton/addons.txt \
     html/_sources/fauxton/index.txt \
     html/_sources/fauxton/install.txt \
@@ -195,6 +202,13 @@ html_files = \
     html/couchapp/views/intro.html \
     html/couchapp/views/joins.html \
     html/couchapp/views/nosql.html \
+    html/cve/2010-0009.html \
+    html/cve/2010-2234.html \
+    html/cve/2010-3854.html \
+    html/cve/2012-5641.html \
+    html/cve/2012-5649.html \
+    html/cve/2012-5650.html \
+    html/cve/index.html \
     html/fauxton/addons.html \
     html/fauxton/index.html \
     html/fauxton/install.html \
@@ -294,6 +308,13 @@ src_files = \
     ../src/couchapp/views/intro.rst \
     ../src/couchapp/views/joins.rst \
     ../src/couchapp/views/nosql.rst \
+    ../src/cve/2010-0009.rst \
+    ../src/cve/2010-2234.rst \
+    ../src/cve/2010-3854.rst \
+    ../src/cve/2012-5641.rst \
+    ../src/cve/2012-5649.rst \
+    ../src/cve/2012-5650.rst \
+    ../src/cve/index.rst \
     ../src/fauxton/addons.rst \
     ../src/fauxton/index.rst \
     ../src/fauxton/install.rst \

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2010-0009.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/cve/2010-0009.rst b/share/doc/src/cve/2010-0009.rst
new file mode 100644
index 0000000..99d409f
--- /dev/null
+++ b/share/doc/src/cve/2010-0009.rst
@@ -0,0 +1,54 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+
+.. _cve/2010-0009:
+
+=========================================================
+CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability
+=========================================================
+
+:Date: 31.03.2010
+
+:Affected: Apache CouchDB 0.8.0 to 0.10.1
+
+:Severity: Important
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+Apache CouchDB versions prior to version :ref:`0.11.0 <release/0.11.0>` are
+vulnerable to timing attacks, also known as side-channel information leakage,
+due to using simple break-on-inequality string comparisons when verifying hashes
+and passwords.
+
+Mitigation
+==========
+
+All users should upgrade to CouchDB :ref:`0.11.0 <release/0.11.0>`.
+Upgrades from the :ref:`0.10.x <release/0.10.x>` series should be seamless.
+Users on earlier versions should consult with
+:ref:`upgrade notes <release/0.10.x/upgrade>`.
+
+Example
+=======
+
+A canonical description of the attack can be found in
+http://codahale.com/a-lesson-in-timing-attacks/
+
+Credit
+======
+
+This issue was discovered by *Jason Davies* of the Apache CouchDB development
+team.
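Review bot: The Mitigation section names only 0.11.0 as the fixed release, yet the whatsnew/0.10.rst change in this same commit records 0.10.2 as "Fixed :ref:`cve/2010-0009`" and flags 0.10.2 as the release with the security fix. List 0.10.2 next to 0.11.0 here ("All users should upgrade to CouchDB 0.10.2 or 0.11.0") so the Affected range (0.8.0 to 0.10.1) and the fix releases agree across the docs. Also "should consult with :ref:`upgrade notes`" reads better as "should consult the :ref:`upgrade notes`".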

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2010-2234.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/cve/2010-2234.rst b/share/doc/src/cve/2010-2234.rst
new file mode 100644
index 0000000..799780f
--- /dev/null
+++ b/share/doc/src/cve/2010-2234.rst
@@ -0,0 +1,64 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+
+.. _cve/2010-2234:
+
+===============================================================
+CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack
+===============================================================
+
+:Date: 21.02.2010
+
+:Affected: Apache CouchDB 0.8.0 to 0.11.1
+
+:Severity: Important
+
+:Vendor: The Apache Software Foundation
+
+
+Description
+===========
+
+Apache CouchDB versions prior to version :ref:`0.11.1 <release/0.11.1>` are
+vulnerable to `Cross Site Request Forgery`_ (CSRF) attacks.
+
+.. _Cross Site Request Forgery: http://en.wikipedia.org/wiki/Cross-site_request_forgery
+
+Mitigation
+==========
+
+All users should upgrade to CouchDB :ref:`0.11.2 <release/0.11.2>`
+or :ref:`1.0.1 <release/1.0.1>`.
+
+Upgrades from the :ref:`0.11.x <release/0.11.x>` and
+:ref:`0.10.x <release/0.10.x>` series should be seamless.
+
+Users on earlier versions should consult with upgrade notes.
+
+Example
+=======
+
+A malicious website can `POST` arbitrary JavaScript code to well
+known CouchDB installation URLs (like http://localhost:5984/)
+and make the browser execute the injected JavaScript in the
+security context of CouchDB's admin interface Futon.
+
+Unrelated, but in addition the JSONP API has been turned off
+by default to avoid potential information leakage.
+
+Credit
+======
+
+This CSRF issue was discovered by a source that wishes to stay
+anonymous.
+
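Review bot: The Description says versions "prior to 0.11.1" are vulnerable, but the Affected field includes 0.11.1 and the Mitigation points at 0.11.2 or 1.0.1; the description should read "prior to 0.11.2 and 1.0.1" to match. The Date of 21.02.2010 also looks wrong: it predates the 31.03.2010 advisory for CVE-2010-0009, whose fix release (0.11.0) is older than the 0.11.2/1.0.1 releases this advisory names as the fix. Finally, "consult with upgrade notes" should be "consult the upgrade notes", ideally with the same :ref: link the 2010-0009 page uses.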

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2010-3854.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/cve/2010-3854.rst b/share/doc/src/cve/2010-3854.rst
new file mode 100644
index 0000000..3d59060
--- /dev/null
+++ b/share/doc/src/cve/2010-3854.rst
@@ -0,0 +1,57 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+
+.. _cve/2010-3854:
+
+========================================================
+CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
+========================================================
+
+:Date: 28.01.2011
+
+:Affected: Apache CouchDB 0.8.0 to 1.0.1
+
+:Severity: Important
+
+:Vendor: The Apache Software Foundation
+
+
+Description
+===========
+
+Apache CouchDB versions prior to version :ref:`1.0.2 <release/1.0.2>` are
+vulnerable to `Cross Site Scripting`_ (XSS) attacks.
+
+.. _Cross Site Scripting: http://en.wikipedia.org/wiki/Cross-site_scripting
+
+Mitigation
+==========
+
+All users should upgrade to CouchDB :ref:`1.0.2 <release/1.0.2>`.
+
+Upgrades from the :ref:`0.11.x <release/0.11.x>` and
+:ref:`0.10.x <release/0.10.x>` series should be seamless.
+
+Users on earlier versions should consult with upgrade notes.
+
+Example
+=======
+
+Due to inadequate validation of request parameters and cookie data in Futon,
+CouchDB's web-based administration UI, a malicious site can execute arbitrary
+code in the context of a user's browsing session.
+
+Credit
+======
+
+This XSS issue was discovered by a source that wishes to stay anonymous.
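Review bot: "Users on earlier versions should consult with upgrade notes" should be "should consult the upgrade notes" with a :ref: link, as on the CVE-2010-0009 page. The Mitigation also only says that upgrades from 0.11.x and 0.10.x are seamless; since 1.0.0 and 1.0.1 are in the Affected range, a sentence about the 1.0.x to 1.0.2 upgrade path would help the readers most likely to be on an affected version.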

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2012-5641.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/cve/2012-5641.rst b/share/doc/src/cve/2012-5641.rst
new file mode 100644
index 0000000..7400b2f
--- /dev/null
+++ b/share/doc/src/cve/2012-5641.rst
@@ -0,0 +1,77 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+
+.. _cve/2012-5641:
+
+==================================================================================
+CVE-2012-5641: Information disclosure via unescaped backslashes in URLs on Windows
+==================================================================================
+
+:Date: 14.01.2013
+
+:Affected: All Windows-based releases of Apache CouchDB, up to and including
+           1.0.3, 1.1.1, and 1.2.0 are vulnerable.
+
+:Severity: Moderate
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+A specially crafted request could be used to access content directly that
+would otherwise be protected by inbuilt CouchDB security mechanisms. This
+request could retrieve in binary form any CouchDB database, including the
+`_users` or `_replication` databases, or any other file that the user account
+used to run CouchDB might have read access to on the local filesystem. This
+exploit is due to a vulnerability in the included MochiWeb HTTP library.
+
+Mitigation
+==========
+
+Upgrade to a supported CouchDB release that includes this fix, such as:
+
+- :ref:`1.0.4 <release/1.0.4>`
+- :ref:`1.1.2 <release/1.1.2>`
+- :ref:`1.2.1 <release/1.2.1>`
+- :ref:`1.3.x <release/1.3.x>`
+
+All listed releases have included a specific fix for the MochiWeb component.
+
+Work-Around
+===========
+
+Users may simply exclude any file-based web serving components directly
+within their configuration file, typically in `local.ini`. On a default
+CouchDB installation, this requires amending the
+:ref:`config/httpd_global_handlers/favicon.ico` and
+:ref:`config/httpd_global_handlers/_utils` lines within
+``[httpd_global_handlers]``::
+
+    [httpd_global_handlers]
+    favicon.ico = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
+    _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
+
+If additional handlers have been added, such as to support Adobe's Flash
+`crossdomain.xml` files, these would also need to be excluded.
+
+Acknowledgement
+===============
+
+The issue was found and reported by Sriram Melkote to the upstream MochiWeb
+project.
+
+References
+==========
+
+- https://github.com/melkote/mochiweb/commit/ac2bf
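Review bot: The reference link ends in a five-character abbreviated commit hash (`ac2bf`); use the full SHA so the link cannot become ambiguous as the upstream repository grows. The Work-Around snippet should also say that CouchDB must be restarted after editing `local.ini`, as the CVE-2012-5650 page does for the identical `_utils` handler change, and it is worth stating that this work-around only blocks the file-serving handlers and does not fix the underlying MochiWeb path handling, so upgrading remains the real fix.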

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2012-5649.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/cve/2012-5649.rst b/share/doc/src/cve/2012-5649.rst
new file mode 100644
index 0000000..af48ff2
--- /dev/null
+++ b/share/doc/src/cve/2012-5649.rst
@@ -0,0 +1,50 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+
+.. _cve/2012-5649:
+
+==============================================================
+CVE-2012-5649: JSONP arbitrary code execution with Adobe Flash
+==============================================================
+
+:Date: 14.01.2013
+
+:Affected: Releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable,
+           if administrators have enabled JSONP.
+
+:Severity: Moderate
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+A hand-crafted JSONP callback and response can be used to run arbitrary code
+inside client-side browsers via Adobe Flash.
+
+Mitigation
+==========
+
+Upgrade to a supported CouchDB release that includes this fix, such as:
+
+- :ref:`1.0.4 <release/1.0.4>`
+- :ref:`1.1.2 <release/1.1.2>`
+- :ref:`1.2.1 <release/1.2.1>`
+- :ref:`1.3.x <release/1.3.x>`
+
+All listed releases have included a specific fix.
+
+Work-Around
+===========
+
+Disable JSONP or don't enable it since it's disabled by default.
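Review bot: The Work-Around does not say how to disable JSONP; the other advisories give a concrete `local.ini` snippet, and this one should do the same by naming the `[httpd]` setting that enables it (`allow_jsonp`, if I recall the option correctly, which should be `false`). Without the option name, an administrator cannot easily verify whether an existing installation has it switched on. The page also lacks the Acknowledgement/Credit section the sibling pages carry; add one if the reporter is known.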

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/2012-5650.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/cve/2012-5650.rst b/share/doc/src/cve/2012-5650.rst
new file mode 100644
index 0000000..1e8bc50
--- /dev/null
+++ b/share/doc/src/cve/2012-5650.rst
@@ -0,0 +1,69 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+
+.. _cve/2012-5650:
+
+==========================================================
+CVE-2012-5650: DOM based Cross-Site Scripting via Futon UI
+==========================================================
+
+:Date: 14.01.2013
+
+:Affected: Apache CouchDB releases up to and including 1.0.3, 1.1.1,
+           and 1.2.0 are vulnerable.
+
+:Severity: Moderate
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+Query parameters passed into the browser-based test suite are not sanitised,
+and can be used to load external resources. An attacker may execute JavaScript
+code in the browser, using the context of the remote user.
+
+Mitigation
+==========
+
+Upgrade to a supported CouchDB release that includes this fix, such as:
+
+- :ref:`1.0.4 <release/1.0.4>`
+- :ref:`1.1.2 <release/1.1.2>`
+- :ref:`1.2.1 <release/1.2.1>`
+- :ref:`1.3.x <release/1.3.x>`
+
+All listed releases have included a specific fix.
+
+Work-Around
+===========
+
+Disable the Futon user interface completely, by adapting `local.ini` and
+restarting CouchDB::
+
+  [httpd_global_handlers]
+  _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}
+
+Or by removing the UI test suite components:
+
+- share/www/verify_install.html
+- share/www/couch_tests.html
+- share/www/custom_test.html
+
+Acknowledgement
+===============
+
+This vulnerability was discovered & reported to the Apache Software Foundation
+by `Frederik Braun`_.
+
+.. _Frederik Braun: https://frederik-braun.com/
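Review bot: The second work-around (deleting the three test-suite pages from `share/www`) modifies installed files, so a package upgrade or reinstall can silently restore them; say so, or recommend the `local.ini` handler change as the option that survives reinstalls. It would also help to note that disabling `_utils` entirely removes all of Futon, while removing only the test pages keeps the rest of the admin UI available, so readers can pick the narrower option knowingly.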

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/cve/index.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/cve/index.rst b/share/doc/src/cve/index.rst
new file mode 100644
index 0000000..3af7ab9
--- /dev/null
+++ b/share/doc/src/cve/index.rst
@@ -0,0 +1,73 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+
+.. _cve:
+
+Security Issues Information
+===========================
+
+.. toctree::
+   :maxdepth: 1
+   :glob:
+
+   *
+
+.. _cve/report:
+
+Reporting New Security Problems with Apache CouchDB
+===================================================
+
+The Apache Software Foundation takes a very active stance in eliminating
+security problems and denial of service attacks against Apache CouchDB.
+
+We strongly encourage folks to report such problems to our private security
+mailing list first, before disclosing them in a public forum.
+
+Please note that the security mailing list should only be used for reporting
+undisclosed security vulnerabilities in Apache CouchDB and managing the
+process of fixing such vulnerabilities. We cannot accept regular bug reports
+or other queries at this address. All mail sent to this address that does not
+relate to an undisclosed security problem in the Apache CouchDB source code
+will be ignored.
+
+If you need to report a bug that isn't an undisclosed security vulnerability,
+please use the `bug reporting page`_.
+
+Questions about:
+
+- How to configure CouchDB securely
+- If a vulnerability applies to your particular application
+- Obtaining further information on a published vulnerability
+- Availability of patches and/or new releases
+
+should be address to the `users mailing list`_. Please see the `mailing
+lists page`_ for details of how to subscribe.
+
+The private security mailing address is: `security@couchdb.apache.org`_
+
+Please read `how the Apache Software Foundation handles security`_ reports to
+know what to expect.
+
+Note that all networked servers are subject to denial of service attacks,
+and we cannot promise magic workarounds to generic problems (such as a client
+streaming lots of data to your server, or re-requesting the same URL
+repeatedly). In general our philosophy is to avoid any attacks which can
+cause the server to consume resources in a non-linear relationship to the
+size of inputs.
+
+.. _bug reporting page: https://issues.apache.org/jira/browse/COUCHDB
+.. _mailing lists page: http://couchdb.apache.org/#mailing-list
+.. _how the Apache Software Foundation handles security: http://apache.org/security/committers.html
+.. _security@couchdb.apache.org: mailto:security@couchdb.apache.org
+.. _users mailing list: mailto:user@couchdb.apache.org
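Review bot: "should be address to the `users mailing list`_" should read "should be addressed to". The sentence before it ("Questions about: ... should be address to") is also split across a list in a way that reads oddly; consider "The following questions should be addressed to the users mailing list:" followed by the list. Otherwise the reporting guidance is clear and correctly separates undisclosed vulnerabilities from ordinary bug reports.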
+

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/index.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/index.rst b/share/doc/src/index.rst
index 0ad38b1..1262375 100644
--- a/share/doc/src/index.rst
+++ b/share/doc/src/index.rst
@@ -39,6 +39,7 @@ Contents
     json-structure
     contributing
     whatsnew/index
+    cve/index
 
 .. This is how you get a TM sign into a link. Haha. Seriously.
 .. |Apache CouchDB(TM)| unicode:: Apache U+0020 CouchDB U+2122

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/0.10.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/whatsnew/0.10.rst b/share/doc/src/whatsnew/0.10.rst
index c628e1f..c68d152 100644
--- a/share/doc/src/whatsnew/0.10.rst
+++ b/share/doc/src/whatsnew/0.10.rst
@@ -27,6 +27,11 @@
 Upgrade Notes
 =============
 
+.. warning::
+
+   :ref:`release/0.10.2` contains important security fixes. Previous `0.10.x`
+   releases are not recommended for regular usage.
+
 Modular Configuration Directories
 ---------------------------------
 
@@ -67,6 +72,7 @@ View query reduce parameter strictness
 CouchDB now considers the parameter ``reduce=false`` to be an error for queries
 of map-only views, and responds with status code 400.
 
+
 .. _release/0.10.2:
 
 Version 0.10.2
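Review bot: This hunk only inserts a blank line before the `.. _release/0.10.2:` label; it is whitespace-only noise in a commit about CVE content and can be dropped, or folded into a separate formatting commit.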
@@ -80,7 +86,7 @@ Build and System Integration
 Security
 --------
 
-* Fixed CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability
+* Fixed :ref:`cve/2010-0009`
 
 Replicator
 ----------

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/0.11.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/whatsnew/0.11.rst b/share/doc/src/whatsnew/0.11.rst
index 6db258a..4e184c6 100644
--- a/share/doc/src/whatsnew/0.11.rst
+++ b/share/doc/src/whatsnew/0.11.rst
@@ -27,6 +27,11 @@
 Upgrade Notes
 =============
 
+.. warning::
+
+   :ref:`release/0.11.2` contains important security fixes. Previous `0.11.x`
+   releases are not recommended for regular usage.
+
 Changes Between 0.11.0 and 0.11.1
 ---------------------------------
 
@@ -149,7 +154,7 @@ Security
 --------
 
 * Avoid potential DOS attack by guarding all creation of atoms.
-* Fixed CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack
+* Fixed :ref:`cve/2010-2234`
 
 
 .. _release/0.11.1:

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/1.0.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/whatsnew/1.0.rst b/share/doc/src/whatsnew/1.0.rst
index 4ec9a2f..3d7fdc8 100644
--- a/share/doc/src/whatsnew/1.0.rst
+++ b/share/doc/src/whatsnew/1.0.rst
@@ -43,6 +43,11 @@ replicator to use the ``application/json`` content type.
   string. Previously, these properties contained strings which needed to be
   converted to JSON before using.
 
+.. warning::
+
+   :ref:`release/1.0.4` contains important security fixes. Previous `1.0.x`
+   releases are not recommended for regular usage.
+
 
 .. _release/1.0.4:
 
@@ -68,12 +73,9 @@ Replicator
 Security
 --------
 
-* Fixed CVE-2012-5641: Apache CouchDB Information disclosure via unescaped
-  backslashes in URLs on Windows
-* Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with
-  Adobe Flash
-* Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon
-  UI
+* Fixed :ref:`cve/2012-5641`
+* Fixed :ref:`cve/2012-5649`
+* Fixed :ref:`cve/2012-5650`
 
 View System
 -----------

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/1.1.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/whatsnew/1.1.rst b/share/doc/src/whatsnew/1.1.rst
index 4a78300..a376593 100644
--- a/share/doc/src/whatsnew/1.1.rst
+++ b/share/doc/src/whatsnew/1.1.rst
@@ -22,6 +22,17 @@
    :local:
 
 
+.. _release/1.1.x/upgrade:
+
+Upgrade Notes
+=============
+
+.. warning::
+
+   :ref:`release/1.1.2` contains important security fixes. Previous `1.1.x`
+   releases are not recommended for regular usage.
+
+
 .. _release/1.1.2:
 
 Version 1.1.2
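Review bot: The new `release/1.1.x/upgrade` label and "Upgrade Notes" heading introduce a section that contains nothing but the warning; either add the actual upgrade notes for the 1.1.x series or drop the heading and place the warning directly above the 1.1.2 release entry, as the 1.0.rst change in this commit does. If the label stays, make sure the other CVE pages that link to per-series upgrade notes use the same naming scheme.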
@@ -57,12 +68,9 @@ Replicator
 Security
 --------
 
-* Fixed CVE-2012-5641: Apache CouchDB Information disclosure via unescaped
-  backslashes in URLs on Windows
-* Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with
-  Adobe Flash
-* Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon
-  UI
+* Fixed :ref:`cve/2012-5641`
+* Fixed :ref:`cve/2012-5649`
+* Fixed :ref:`cve/2012-5650`
 
 View Server
 -----------

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/1.2.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/whatsnew/1.2.rst b/share/doc/src/whatsnew/1.2.rst
index 3d6620d..ce228ba 100644
--- a/share/doc/src/whatsnew/1.2.rst
+++ b/share/doc/src/whatsnew/1.2.rst
@@ -33,6 +33,11 @@ Upgrade Notes
    version 0.9.0. Compact your older databases (that have not been compacted
    for a long time) before upgrading, or they will become inaccessible.
 
+.. warning::
+
+   :ref:`release/1.2.1` contains important security fixes. Previous `1.2.x`
+   releases are not recommended for regular usage.
+
 Security changes
 ----------------
 
@@ -114,12 +119,9 @@ HTTP Interface
 Security
 --------
 
-* Fixed CVE-2012-5641: Apache CouchDB Information disclosure via unescaped
-  backslashes in URLs on Windows
-* Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with Adobe
-  Flash
-* Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon
-  UI
+* Fixed :ref:`cve/2012-5641`
+* Fixed :ref:`cve/2012-5649`
+* Fixed :ref:`cve/2012-5650`
 
 Replication
 -----------

http://git-wip-us.apache.org/repos/asf/couchdb/blob/cb784472/share/doc/src/whatsnew/index.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/whatsnew/index.rst b/share/doc/src/whatsnew/index.rst
index b5a1f91..a69a75e 100644
--- a/share/doc/src/whatsnew/index.rst
+++ b/share/doc/src/whatsnew/index.rst
@@ -19,6 +19,7 @@ Release History
 .. toctree::
    :glob:
 
+   ../cve/index
    1.4
    1.3
    1.2
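Review bot: `../cve/index` is added to the Release History toctree here while index.rst in this same commit also adds `cve/index` to the top-level toctree; a document listed in two toctrees makes Sphinx warn that it is referenced in multiple toctrees and pick one parent arbitrarily. Choose one location (the top-level index seems the natural home for a security advisories section) and link to it from Release History with a plain :ref:`cve` instead.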
@@ -28,3 +29,4 @@ Release History
    0.10
    0.9
    0.8
+
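Review bot: Drop the trailing blank line appended at the end of the file; it is a whitespace-only change with no effect on the rendered output.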