A cross-site scripting flaw was reported in Apache CouchDB 0.8.0 to 1.0.1 [1]. This flaw has been corrected in version 1.0.2. Due to inadequate validation of request parameters and cookie data in Futon, CouchDB's web-based administration UI, a malicious site can execute arbitrary code in the context of a user's browsing session.

[1] http://mail-archives.apache.org/mod_mbox/couchdb-dev/201101.mbox/%3cC840F655-C8C5-4EC6-8AA8-DD223E39C34A@apache.org%3e
Created couchdb tracking bugs for this issue

Affects: fedora-all [bug 674145]
Affects: epel-all [bug 674146]
Almost done with this - fixed builds were pulled in F-14, F-15, EL-6. Unfortunately, it seems that it wouldn't be easy to fix EL-5 (it will require an upgrade from 0.11.2 to the recent 1.0.2). I'll consider upgrading next week. No luck for F-13 either.
The only missing branch is EL-5. I plan to upgrade couchdb from 0.11.2 to 1.0.2 very soon.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.