From Mageia wiki

MGASA-2013-0040

Date: February 8th, 2013
Affected releases: 2
Media: Core


Description:
Updated couchdb packages fix security vulnerabilities:

A security flaw was found in the way Apache CouchDB, a distributed,
fault-tolerant and schema-free document-oriented database accessible via a
RESTful HTTP/JSON API, processed certain JSON callbacks. A remote attacker
could provide a specially-crafted JSON callback that, when processed, could
lead to arbitrary JSON code execution via Adobe Flash (CVE-2012-5649).

A DOM-based cross-site scripting (XSS) flaw was found in the way the
browser-based test suite of Apache CouchDB, a distributed, fault-tolerant and
schema-free document-oriented database accessible via a RESTful HTTP/JSON
API, processed certain query parameters. A remote attacker could provide a
specially-crafted web page that, when accessed, could lead to arbitrary web
script or HTML execution in the context of a CouchDB user session
(CVE-2012-5650).


Updated Packages:
i586:
couchdb-1.2.1-1.2.mga2.i586.rpm
couchdb-bin-1.2.1-1.2.mga2.i586.rpm
couchdb-debug-1.2.1-1.2.mga2.i586.rpm

x86_64:
couchdb-1.2.1-1.2.mga2.x86_64.rpm
couchdb-bin-1.2.1-1.2.mga2.x86_64.rpm
couchdb-debug-1.2.1-1.2.mga2.x86_64.rpm

SRPMS:
couchdb-1.2.1-1.2.mga2.src.rpm


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5650
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098089.html
https://bugs.mageia.org/show_bug.cgi?id=8973