CouchDB SRU summary
CouchDB users running the version in Ubuntu 10.04 are unable to sync with CouchDB servers running the current release in Ubuntu 10.10. A significant number of security issues have been patched in that later version.
Testing Points
In all cases, the ppa:ubuntuone/stable PPA was utilized to install the stable 1.0.1 couchdb package for testing. This version is the same as what is in Ubuntu 10.10, apart from 10.04 specific packaging/versioning.
- Clean install on Ubuntu 10.04 VM.
- Upgrade CouchDB 0.10.0 to 1.0.1, then populate with data.
[RESULT: Pass]
- Clean install on Ubuntu 10.04 VM
- Populate CouchDB 0.10.0 with a large, typical data set (from Lucid CouchDB-enabled apps such as Gwibber).
- Upgrade the existing CouchDB 0.10.0 installation to CouchDB 1.0.1.
[RESULT: Pass]
- The specific patched issues listed below are not addressed individually in Testing Points, but may be of interest when constructing test scenarios.
- Side-by-side/"downgrade" compatibility: load the Evolution address book on a Lucid installation running CouchDB 0.10, reboot into a different installation that shares the same home directory and load the address book database under CouchDB 1.0.1, then boot back into the Lucid installation with 0.10.
- It is believed that CouchDB performs a one-way conversion of its on-disk format when a database is first opened by the new version; from then on the database cannot be loaded by the old version of CouchDB.
[RESULT: Performed as expected.] In this case the CouchDB 0.10.0 installation receives {"error":"unknown_error","reason":"undef"} when trying to access the Futon interface and the database cannot be read, while the 1.0.1-based installation continues to access and manipulate the database correctly. Test this scenario before upgrading any machine whose home directory is shared with an installation that will stay on 0.10.
CouchDB related applications
Each application was in place with functional data during the testing described in the Testing Points section. An actual Ubuntu One account was used, and data was checked for consistency in the cases where replication occurred (the post-upgrade cases). Multiple systems were associated with the account and the local databases on each were checked for consistency. Additionally, pairing relationships between these systems, and with existing 10.10 installations, were established both before and after the upgrades.
Applications affected by such an upgrade, and the results observed:
- bindwood
- installation on existing 10.04 install does not replicate (expected). Begins replication after upgrade.
[Result: Pass]
- add/delete operations on upgraded installation work as intended.
[Result: Pass]
- New install after upgrade works as intended.
[Result: Pass]
- gwibber
- Works correctly after upgrade
[Result: Pass]
- evolution address book
- upgraded installation replicates after upgrade. Includes add/remove operations.
[Result: Pass]
- desktopcouch pairing tool
- Pairing occurs correctly after upgrade
[Result: Pass]
- desktopcouch replication
- Occurs correctly after upgrade.
[Result: Pass]
- quickly applications
- basic operations of a typical test application (record save, etc) function as expected after upgrade
[Result: Pass]
Security issues patched
1.0.0
- Added authentication caching, to avoid repeated opening and closing of the users database for each request requiring authentication.
0.11.2
- Avoid potential DOS attack by guarding all creation of atoms.
- Fixed CVE-2010-2234: Cross Site Request Forgery Vulnerability.
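The CVE-2010-2234 entry above is worth understanding for anyone still running 0.10.0: a browser will happily submit a cross-origin HTML form to a local CouchDB on port 5984 with the victim's AuthSession cookie attached, and the pre-fix server parsed the body as JSON regardless of the declared Content-Type. The fix validated the Content-Type of JSON POST requests. The following is an added illustration of that class of check, written for this page in Python; it is not CouchDB's own (Erlang) code, the request model, the 415/"bad_ctype" response shape and the sample traffic are constructed here, and the forged body shows the well-known text/plain form trick (field name carrying the JSON prefix, field value closing it).

```python
import json
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal HTTP request model for this example (constructed, not CouchDB's)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def content_type(headers: dict) -> str:
    """Media type of Content-Type, lower-cased, with parameters such as charset
    stripped, so 'Application/JSON; charset=utf-8' is still recognised."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def vulnerable_handle(req: Request):
    """Pre-fix behaviour: parse the body as JSON whatever the declared type.
    A cross-origin HTML form can deliver such a body with the victim's
    session cookie, so the write is performed under the victim's identity."""
    return json.loads(req.body)


def csrf_guard(req: Request):
    """The class of check introduced with the CVE-2010-2234 fix: JSON POST
    endpoints accept only bodies declared as application/json. HTML forms can
    only submit application/x-www-form-urlencoded, multipart/form-data or
    text/plain, so a form-based forgery is refused before anything is parsed.
    Returns None when the request may proceed, otherwise (status, error)."""
    if req.method != "POST":
        return None
    if content_type(req.headers) != "application/json":
        return 415, "bad_ctype"
    return None


def hardened_handle(req: Request):
    """Post-fix behaviour: guard first, parse second."""
    rejected = csrf_guard(req)
    if rejected is not None:
        return rejected
    return 201, json.loads(req.body)


# Constructed sample traffic (hypothetical database and cookie values).
LEGIT = Request(
    "POST", "/addressbook/_bulk_docs",
    {"Content-Type": "application/json", "Cookie": "AuthSession=<victim-cookie>"},
    b'{"docs":[{"_id":"c1","name":"Alice"}]}',
)

# What a <form enctype="text/plain"> with one field produces: the browser sends
# name=value, and with name='{"docs":[...],"pad":"' and value='"}' the body is
# valid JSON that deletes a contact in the victim's database.
FORGED = Request(
    "POST", "/addressbook/_bulk_docs",
    {"Content-Type": "text/plain", "Cookie": "AuthSession=<victim-cookie>"},
    b'{"docs":[{"_id":"c1","_rev":"1-abc","_deleted":true}],"pad":"="}',
)


if __name__ == "__main__":
    print("pre-fix parses forged body:", vulnerable_handle(FORGED)["docs"])
    print("post-fix response to forged body:", hardened_handle(FORGED))
    print("post-fix response to legitimate body:", hardened_handle(LEGIT)[0])
```

The guard only helps if it runs before the body is touched; note also that it does nothing against a non-browser attacker who already holds the cookie, which is why the timing fix listed under 0.11.0 matters as well.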
0.11.1
- Added authentication redirect URL to log in clients.
- Fixed query parameter encoding issue in oauth.js.
- Made authentication timeout configurable.
- Temporary views are now admin-only resources.
0.11.0
- Fixed CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability.
- Added default cookie-authentication and users database.
- Added Futon user interface for user signup and login.
- Added per-database reader access control lists.
- Added per-database security object for configuration data in validation functions.
- Added proxy authentication handler.
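The CVE-2010-0009 entry under 0.11.0 is a timing attack on the comparison of authentication MACs: an early-exit byte comparison takes longer the more leading bytes a guess gets right, which lets a remote attacker forge a valid MAC byte by byte instead of brute-forcing the whole value. The following is an added Python illustration written for this page, not CouchDB's own code; the secret, user and timestamp are constructed, and the "bytes examined" counter stands in for response time so the leak is visible deterministically rather than through noisy measurements. The byte-at-a-time recovery is shown in general form: it works against any early-exit comparison, not only the cookie-auth case.

```python
import hashlib
import hmac

# Constructed stand-in for a cookie-authentication server secret; not a real value.
SERVER_SECRET = b"constructed-example-secret"


def sign(user: str, timestamp: int) -> bytes:
    """HMAC-SHA1 over user and timestamp, the shape of a 20-byte cookie-auth MAC."""
    msg = f"{user}:{timestamp:x}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha1).digest()


def naive_equal(expected: bytes, presented: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined); the count is a
    proxy for elapsed time and is what the attacker observes."""
    if len(expected) != len(presented):
        return False, 0
    examined = 0
    for x, y in zip(expected, presented):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(expected: bytes, presented: bytes):
    """Fixed-work comparison: touches every byte, ORs the differences together
    and decides once at the end, so examined == len regardless of the input.
    Length is treated as public, which is fine for a fixed-size MAC.
    hmac.compare_digest is the stdlib equivalent for real code."""
    if len(expected) != len(presented):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(expected, presented):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def recover_mac(oracle, length: int):
    """Byte-at-a-time forgery driven only by the oracle's examined count.
    At each position the one candidate that gets past the current byte is the
    unique maximum. Returns the recovered MAC, or None when the oracle does not
    single out a candidate (i.e. it leaks nothing). Cost is at most 256*length
    queries instead of 256**length."""
    known = bytearray()
    for pos in range(length):
        counts = {}
        for cand in range(256):
            guess = bytes(known) + bytes([cand]) + bytes(length - pos - 1)
            equal, examined = oracle(guess)
            if equal:
                return guess
            counts[cand] = examined
        top = max(counts.values())
        winners = [c for c, n in counts.items() if n == top]
        if len(winners) != 1:
            return None
        known.append(winners[0])
    return bytes(known)


def demo():
    """Returns (forged_against_naive, defeated_by_constant_time)."""
    mac = sign("alice", 0x4B8F2C00)
    leaked = recover_mac(lambda g: naive_equal(mac, g), len(mac))
    safe = recover_mac(lambda g: constant_time_equal(mac, g), len(mac))
    return leaked == mac, safe is None


if __name__ == "__main__":
    print(demo())
```

In practice the attacker measures network round-trip times and needs many samples per candidate to average out jitter, but the structure of the attack is exactly the loop above, which is why the fix is a comparison whose work does not depend on where the first mismatch falls.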