Date: Wed, 31 Mar 2010 19:26:38 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>, Jan Lehnardt <jan@...che.org>
Subject: CVE Request -- Apache CouchDB v.0.11.0 -- timing attacks flaw

Hi Steve, vendors,

Apache CouchDB upstream has released the latest version, v.0.11.0, addressing timing attack flaw(s). More from the Bugtraq post:

  http://seclists.org/bugtraq/2010/Mar/254

"Apache CouchDB versions prior to version 0.11.0 are vulnerable to timing attacks, also known as side-channel information leakage, due to using simple break-on-inequality string comparisons when verifying hashes and passwords."

References:
  http://wiki.apache.org/couchdb/Breaking_changes
  http://codahale.com/a-lesson-in-timing-attacks/
  http://couchdb.apache.org/
  http://couchdb.apache.org/downloads.html

Credit: Jason Davies of the Apache CouchDB development team

references CVE-2008-2370 as the CVE id, but CVE-2008-2370 is an Apache Tomcat flaw:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370

Since Apache CouchDB is a different code base, susceptible to the same issue as in , I am assuming a new CVE identifier is required.

Steve, could you allocate one?

Thanks && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team
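The "break-on-inequality" comparison the advisory quotes, shown beside a constant-time alternative. This is an added illustration, not code from CouchDB or from the mail; it counts the byte comparisons each function performs so the leak is visible without a timer, and the secret/guess values are constructed stand-ins.

```python
# Added example: a break-on-inequality compare versus a constant-time compare.
# Each returns (match, number_of_byte_comparisons) so the difference in work,
# which is what a timing attacker measures, can be asserted directly.

def naive_equal(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """The vulnerable pattern: stop at the first differing byte.
    The step count (and hence the run time) grows with the length of the
    correctly guessed prefix, so the secret can be recovered byte by byte."""
    if len(expected) != len(provided):
        return False, 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            return False, steps      # early exit leaks how many bytes matched
    return True, steps


def constant_time_equal(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Fixed-work compare: visit every byte and OR the XOR differences together.
    Only the length check short-circuits, which is acceptable for fixed-size
    hashes. In production Python use hmac.compare_digest, which does the same."""
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        diff |= a ^ b                # never branches on the data itself
    return diff == 0, steps


def step_counts():
    """Constructed stand-in for a stored hash and three progressively better
    guesses. Returns (naive_steps, constant_time_steps) for each guess."""
    secret = b"e9f2c1a7b3d4"         # constructed value, not a real hash
    guesses = [b"000000000000", b"e00000000000", b"e9f000000000"]
    return [(naive_equal(secret, g)[1], constant_time_equal(secret, g)[1])
            for g in guesses]


if __name__ == "__main__":
    for n, c in step_counts():
        print(f"naive compared {n:2d} byte(s), constant-time compared {c} byte(s)")
```

The naive compare does 1, 2 and 4 units of work for the three guesses while the constant-time version always does 12, which is exactly the signal the CouchDB fix removes.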