Date: Fri, 3 May 2013 23:51:22 -0400 (EDT)
From: Garrett Wollman <wollman@hergotha.csail.mit.edu>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/178331: unpatched security issues in databases/couchdb
Message-ID: <201305040351.r443pMsp076813@hergotha.csail.mit.edu>
Resent-Message-ID: <201305040400.r44400mw078385@freefall.freebsd.org>
>Number:         178331
>Category:       ports
>Synopsis:       unpatched security issues in databases/couchdb
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 04 04:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Garrett Wollman
>Release:        FreeBSD 8.3-RELEASE-p4 amd64
>Organization:
MIT Computer Science & Artificial Intelligence Laboratory
>Environment:
System: FreeBSD hergotha.csail.mit.edu 8.3-RELEASE-p4 FreeBSD 8.3-RELEASE-p4 #5 r242853: Sat Nov 10 19:26:33 EST 2012 wollman@hergotha.csail.mit.edu:/usr/obj/usr/src/sys/HERGOTHA amd64
>Description:
databases/couchdb is still version 1.2.0, and hasn't been updated since a number of security issues were announced in January. The change list for version 1.2.1 notes:

* Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with Adobe Flash
* Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon UI

These security issues are not reported by pkg audit, either. The current recommended version is 1.2.2.
>How-To-Repeat:
portinstall couchdb
>Fix:
Upgrade to 1.2.2. I'm looking now to see if it's non-trivial; haven't tried it yet.
>Release-Note:
>Audit-Trail:
>Unformatted:
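Because the PR notes that pkg audit does not flag these two CVEs, an administrator has to check the installed CouchDB version by hand. The script below is an added example (not part of this PR or of the couchdb port) of such a check: it parses the "version" field from the JSON that CouchDB returns for GET / and compares it numerically against 1.2.1, the first release whose change list lists the fixes. The JSON string is a constructed sample so the script runs offline; the endpoint URL in the comment (http://127.0.0.1:5984/) is the CouchDB default and is an assumption about the local setup.

```shell
#!/bin/sh
# Added example: flag a CouchDB instance whose reported version predates
# the release (1.2.1) that fixed CVE-2012-5649 and CVE-2012-5650.
# SAMPLE_ROOT_JSON is a CONSTRUCTED stand-in for the response of GET /;
# on a live host you would obtain it with:  fetch -qo - http://127.0.0.1:5984/
SAMPLE_ROOT_JSON='{"couchdb":"Welcome","version":"1.2.0"}'
FIXED_VERSION="1.2.1"

# Extract the "version" value from CouchDB's root JSON document.
couch_version() {
    printf '%s\n' "$1" | sed -n 's/.*"version":"\([^"]*\)".*/\1/p'
}

# Compare two dotted version strings component by component (numeric,
# missing trailing components count as 0). Prints -1, 0 or 1 for a<b, a=b, a>b.
# Plain POSIX sh: no 'local', so the working variables are global.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # Drop the leading component, or empty the string if none remain.
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Exit 0 when the version in the given root JSON is older than FIXED_VERSION,
# 1 when it is at or past the fix, 2 when no version could be parsed.
couchdb_is_vulnerable() {
    v=$(couch_version "$1")
    [ -z "$v" ] && return 2
    [ "$(vercmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Stand-alone usage against the constructed sample.
if couchdb_is_vulnerable "$SAMPLE_ROOT_JSON"; then
    printf 'CouchDB %s predates %s: CVE-2012-5649 and CVE-2012-5650 are unpatched\n' \
        "$(couch_version "$SAMPLE_ROOT_JSON")" "$FIXED_VERSION"
fi
```

The numeric comparison matters because a string compare would, for example, sort 1.2.10 before 1.2.2; the same vercmp function can be pointed at 1.2.2 instead if you want to enforce the version the PR recommends rather than the first fixed one.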