Apache CouchDB updates handle multiple security issues
Recent new releases of Apache's CouchDB project, 1.0.4, 1.1.2 and 1.2.1, address a number of vulnerabilities in the NoSQL database, although the fixes are not mentioned in the announcement. Versions 1.0.3, 1.1.1 and 1.2.0, and all earlier versions, are affected. The updates are the first releases from the project since 1.2.0 was made available in April 2012; CouchDB 1.3 is in development and is expected sometime soon.
A cross-site scripting issue (CVE-2012-5650) affects CouchDB's Futon UI through code from the test suite; removing the test suite components or disabling the Futon UI can serve as a temporary workaround. On Windows, another issue (CVE-2012-5641) allows specially crafted requests containing unescaped backslashes to access content directly, including the _users and _replication databases, and makes it possible to retrieve arbitrary files from the local filesystem. The problem is apparently due to a bug in the MochiWeb HTTP library; it has been reported and fixed upstream. A final issue (CVE-2012-5649) affects users who have enabled JSONP support, as a crafted JSONP request and callback could allow code to be executed in client browsers.
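For administrators who cannot upgrade immediately, a request filter placed in front of CouchDB (for example in a reverse proxy) can block the two request shapes described above: paths containing a backslash (the CVE-2012-5641 class) and JSONP callbacks that are not plain JavaScript identifiers (the CVE-2012-5649 class). This is an added example, not CouchDB's or MochiWeb's own fix; the callback pattern and the sample requests are assumptions constructed for illustration.

```python
"""Request filter illustrating mitigations for the CVE-2012-5641 and
CVE-2012-5649 issue classes. Added example, not CouchDB code; the
accepted callback shape is an assumption, not the project's own rule."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Conservative JSONP callback shape: a dotted JavaScript identifier path
# such as "cb" or "jQuery.handlers.cb1". Parentheses, quotes, angle
# brackets and semicolons never match, so a callback value cannot be
# turned into executable code on the client. (Assumed pattern.)
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)


def check_request(request_target: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a request target such as
    '/db/_design/app/_show/doc?callback=cb'.

    The path is percent-decoded once so that '%5C' is treated exactly
    like a literal backslash; both forms are refused."""
    parts = urlsplit(request_target)
    path = unquote(parts.path)
    if "\\" in path:
        return False, "backslash in request path (CVE-2012-5641 class)"

    params = parse_qs(parts.query, keep_blank_values=True)
    for cb in params.get("callback", []):
        if not CALLBACK_RE.match(cb):
            return False, f"rejected JSONP callback {cb!r} (CVE-2012-5649 class)"
    return True, "ok"


# Constructed sample request targets (not captured traffic).
SAMPLE_REQUESTS = [
    "/mydb/_all_docs",
    "/mydb\\_all_docs",
    "/mydb%5C_all_docs",
    "/mydb/_design/app/_show/doc?callback=jQuery.cb1",
    "/mydb/_design/app/_show/doc?callback=alert(1)",
    "/mydb/_design/app/_show/doc?callback=",
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        allowed, reason = check_request(target)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {target:48} {reason}")
```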
The releases also contain a number of other fixes and enhancements to the Apache-licensed NoSQL document database. The 1.2.1 release is available from the main CouchDB page. 1.0.4 and 1.1.2 are available from Apache mirror sites.