Hi! You are right: https://github.com/apache/couchdb/commit/64144cc8bdbc64002bde64394dc8850d3987718c is directly related to the XSS issue.
https://github.com/apache/couchdb/pull/224 just fixes a regression introduced with "HTML escaping for Fauxton". The regression causes HTML links which we are using in the notifications to appear as text. The PR https://github.com/apache/couchdb/pull/223 removes the interpolation where it is not needed, but as far as I know, these are values which are not affected by user content.

2014-05-05 14:24 GMT+02:00 Alexander Shorin <[email protected]>:
> 1.6.0-rc.4 lacks two important changes:
>
> HTML escaping for Fauxton:
> https://github.com/apache/couchdb/commit/64144cc8bdbc64002bde64394dc8850d3987718c
> this is related to recently reported XSS vulnerability COUCHDB-2232
>
> And support of Erlang 17 (well, it's actually multiple commits due to
> branch merge and rush master fixing at night):
> Merge:
> https://github.com/apache/couchdb/commit/296de8b1fe69e66d649294fd0445449b18c49194
> Fixes:
> https://github.com/apache/couchdb/commit/519a488876323f822eaa77b435b1d28e56fd273a
> https://github.com/apache/couchdb/commit/8c07af243e82ea950b8ef27cfa700a4a73f878ab
> https://github.com/apache/couchdb/commit/7d29ade0b5b678ce35af184ef6c53824d0b0e250
>
> Also not sure if these PRs:
> https://github.com/apache/couchdb/pull/223
> https://github.com/apache/couchdb/pull/224
> contain any fixes for possible XSS. Robert, do they?
>
> --
> ,,,^..^,,,
>
>
> On Mon, May 5, 2014 at 3:40 PM, Dirkjan Ochtman <[email protected]> wrote:
> > Dear community,
> >
> > Due to test failures in rc.3, I would like to release Apache CouchDB
> > 1.6.0-rc.4. Special thanks to Alexander for doing a lot of
> > investigation into the failures and whipping rc.4 into shipping.
> >
> > Changes since last round:
> >
> > * https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=shortlog;h=refs/heads/1.6.x
> >
> > We encourage the whole community to download and test these release
> > artefacts so that any critical issues can be resolved before the
> > release is made. Everyone is free to vote on this release, so get
> > stuck in!
> >
> > The release artefacts we are voting on are available here:
> >
> > wget https://dist.apache.org/repos/dist/dev/couchdb/source/1.6.0/rc.4/apache-couchdb-1.6.0.tar.gz
> > wget https://dist.apache.org/repos/dist/dev/couchdb/source/1.6.0/rc.4/apache-couchdb-1.6.0.tar.gz.asc
> > wget https://dist.apache.org/repos/dist/dev/couchdb/source/1.6.0/rc.4/apache-couchdb-1.6.0.tar.gz.ish
> > wget https://dist.apache.org/repos/dist/dev/couchdb/source/1.6.0/rc.4/apache-couchdb-1.6.0.tar.gz.md5
> > wget https://dist.apache.org/repos/dist/dev/couchdb/source/1.6.0/rc.4/apache-couchdb-1.6.0.tar.gz.sha
> >
> > Please follow the test procedure here:
> >
> > http://wiki.apache.org/couchdb/Test_procedure
> >
> > Please remember that "rc.4" is an annotation. If the vote passes,
> > these artefacts will be released as Apache CouchDB 1.6.0.
> >
> > Please cast your votes now.
> >
> > Thanks,
> >
> > Dirkjan
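The escaping trade-off the thread describes, as an added example that is not part of the original message and not Fauxton's or CouchDB's own code: escaping a whole notification string neutralises injected markup but also turns the application's own link into visible text (the regression pull 224 addressed), whereas escaping only the interpolated, user-influenced value keeps the link working. The notification shape, the function names and the href allow-list are assumptions made for illustration.

```javascript
// Added example, not Fauxton's or CouchDB's own code. It illustrates the
// escaping trade-off discussed in the thread above: escaping the whole
// notification string neutralises injected markup but also turns the
// application's own <a> link into visible text (the regression PR 224
// addressed), while escaping only the interpolated, user-influenced value
// keeps the link working. The notification shape, function names and the
// href allow-list below are assumptions for illustration.

// Minimal HTML escaper, safe for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Constrain the link target to in-app fragments, absolute paths or http(s)
// URLs; anything else (e.g. "javascript:") falls back to a harmless "#".
// HTML escaping alone does not protect the URL context, hence this check.
function safeHref(href) {
  return /^(#|\/|https?:\/\/)/.test(String(href)) ? String(href) : '#';
}

// Regression variant: assemble the message, then escape the finished string.
// Injected markup is neutralised, but so is the trusted link: it is rendered
// as the literal text "&lt;a href=...".
function renderNotificationEscapeAll(dbName, href) {
  var msg = 'Database ' + dbName + ' created. <a href="' + safeHref(href) + '">Open it</a>';
  return escapeHtml(msg);
}

// Fixed variant: escape each untrusted value at its interpolation point and
// leave the markup, which the application itself wrote, untouched.
function renderNotification(dbName, href) {
  return 'Database ' + escapeHtml(dbName) + ' created. <a href="' +
    escapeHtml(safeHref(href)) + '">Open it</a>';
}

// Constructed sample inputs: a database name carrying an injection attempt,
// and an in-app link target of the kind a notification would point at.
var hostileDbName = '<img src=x onerror=alert(1)>';
var link = '#/database/test';

if (typeof console !== 'undefined') {
  console.log('escape-all  :', renderNotificationEscapeAll(hostileDbName, link));
  console.log('escape-value:', renderNotification(hostileDbName, link));
}
```

String-level escaping like this is adequate for text and double-quoted attribute contexts only; a template engine with automatic escaping, or building the notification with DOM APIs (`textContent` for the name, `setAttribute` for the href), removes the need to remember the escape call at every interpolation point, which is exactly the class of mistake that produced both the original XSS and the over-escaping regression.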
