CouchDB update fixes cross-site scripting vulnerabilities
The Apache CouchDB Project developers have issued version 1.0.2 of their NoSQL document-oriented database, a maintenance and security update. According to security specialist Secunia, the update addresses several cross-site scripting (XSS) vulnerabilities that could be exploited by an attacker, possibly leading to the execution of arbitrary HTML and script code in a user's browser session. The issue is caused by certain unspecified input not being properly sanitised before being returned to the user. Versions 0.8.0 to 1.0.1 are reportedly affected. All users are encouraged to upgrade to the latest release.
Further information about the update can be found in the mailing list release announcement. Apache CouchDB 1.0.2 is available to download from the project's web site and is licensed under the Apache License.
See also:
- Apache CouchDB Cross-Site Scripting Vulnerabilities, security advisory from Secunia.
- CouchDB update fixes data loss problem, a report from The H.
(crve)