Dear community,

Apache CouchDB 2.3.1 has been released and is available for download.

Apache CouchDB™ lets you access your data where you need it. The Couch Replication Protocol is implemented in a variety of projects and products that span every imaginable computing environment from globally distributed server-clusters, over mobile phones to web browsers.

Store your data safely, on your own servers, or with any leading cloud provider. Your web- and native applications love CouchDB, because it speaks JSON natively and supports binary data for all your data storage needs.

The Couch Replication Protocol lets your data flow seamlessly between server clusters to mobile phones and web browsers, enabling a compelling offline-first user-experience while maintaining high performance and strong reliability. CouchDB comes with a developer-friendly query language, and optionally MapReduce for simple, efficient, and comprehensive data retrieval.


Pre-built packages for Windows, macOS, Debian/Ubuntu and RHEL/CentOS are available.

* * *

CouchDB 2.3.1 is a bugfix release, and was originally published on 2019-03-12. The community would like to thank all contributors for their part in making this release; from the smallest bug report or patch to major contributions in code, design, or marketing, we couldn't have done it without you!

See the official release notes document for an exhaustive list of all changes:


Release highlights:

#1811: Add new /{db}/_sync_shards endpoint (admin-only).

#1870: Update to mochiweb 2.19.0. See also #1875.

#1875: Refuse building with known bad versions of Erlang.

#1880: Compaction: Add snooze_period_ms for finer tuning.

#1799: Restrict _purge to server admin.

#1803: Use the same salt for admin passwords on cluster setup.

#1053: Fix python2 compatibility for couchup.

#1905: Fix python3 compatibility for couchup.

On behalf of the CouchDB PMC,
Jan Lehnardt

Apache CouchDB CVE-2018-17188: Remote Privilege Escalations

Date: 17.12.2018
Affected: All versions of Apache CouchDB prior to 2.3.0
Severity: Medium
Vendor: The Apache Software Foundation


Prior to CouchDB version 2.3.0, CouchDB allowed runtime configuration of key components of the database. In some cases this led to vulnerabilities where CouchDB admin users could access the underlying operating system as the CouchDB user. Combined with other vulnerabilities, this allowed full system access for unauthenticated users.

These vulnerabilities were fixed and disclosed in the following CVE reports:

Rather than waiting for new vulnerabilities to be discovered, and fixing them as they come up, the CouchDB development team decided to make changes to avoid this entire class of vulnerabilities.

With CouchDB version 2.3.0, key components can no longer be configured at runtime. Some flexibility is still needed for speciality configurations of CouchDB, so these settings were moved from the runtime configuration API to the start-up configuration. Changing them now requires shell access to the CouchDB server, rather than only database admin credentials.

This closes all future paths for vulnerabilities of this type.
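The following is an added illustration of the design change described above, written for this page and not taken from CouchDB's own code base. It models a runtime configuration store that is loaded from a start-up INI file, and shows the pre-2.3.0 behaviour (any admin may rewrite any section at runtime) beside the hardened behaviour (sections whose values name programs the server will execute can only be set in the start-up file). The section names, the INI contents and the method names are illustrative assumptions, not CouchDB's actual configuration schema.

```python
import configparser

# Constructed start-up configuration in INI layout. Section and key names are
# assumptions chosen for illustration; they are not CouchDB's real schema.
STARTUP_INI = """
[log]
level = info

[query_servers]
javascript = /usr/bin/couchjs /usr/share/couchdb/server/main.js
"""

# Sections whose values name executables or loadable code. Assumption: these
# stand in for the "key components" the advisory refers to.
STARTUP_ONLY_SECTIONS = frozenset(
    {"query_servers", "native_query_servers", "os_daemons", "daemons"}
)


class ConfigError(Exception):
    """Raised when a runtime change is refused."""


class RuntimeConfig:
    """In-memory configuration seeded from a start-up INI file."""

    def __init__(self, ini_text, startup_only=STARTUP_ONLY_SECTIONS):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(ini_text)
        # Flatten to {(section, key): value}; only the start-up file may
        # populate the startup-only sections.
        self._values = {
            (section, key): value
            for section in parser.sections()
            for key, value in parser.items(section)
        }
        self._startup_only = startup_only

    def get(self, section, key):
        return self._values.get((section, key))

    def set_legacy(self, section, key, value, *, is_admin):
        """Pre-2.3.0 model: an admin can rewrite any section at runtime,
        including ones that decide which programs the server launches."""
        if not is_admin:
            raise PermissionError("server admin required")
        self._values[(section, key)] = value

    def set_hardened(self, section, key, value, *, is_admin):
        """2.3.0 model: executable-defining sections are start-up only, so a
        compromised admin credential cannot turn them into OS access."""
        if not is_admin:
            raise PermissionError("server admin required")
        if section in self._startup_only:
            raise ConfigError(
                f"section '{section}' is start-up only; edit the configuration "
                "file on the server and restart"
            )
        self._values[(section, key)] = value

    def executable_entries(self):
        """Every value that names a program or module the server would run."""
        return sorted(
            (section, key, value)
            for (section, key), value in self._values.items()
            if section in self._startup_only
        )


def compare_models():
    """Apply the same admin request to both models and report the outcome."""
    request = ("query_servers", "sh", "/bin/sh -c 'id > /tmp/pwned'")

    legacy = RuntimeConfig(STARTUP_INI)
    legacy.set_legacy(*request, is_admin=True)

    hardened = RuntimeConfig(STARTUP_INI)
    try:
        hardened.set_hardened(*request, is_admin=True)
        refused = False
    except ConfigError:
        refused = True
    # Harmless runtime changes still work in the hardened model.
    hardened.set_hardened("log", "level", "debug", is_admin=True)

    return {
        "legacy_executables": len(legacy.executable_entries()),
        "hardened_executables": len(hardened.executable_entries()),
        "hardened_refused": refused,
        "hardened_log_level": hardened.get("log", "level"),
    }


if __name__ == "__main__":
    print(compare_models())
```

The interesting property is the last line of `compare_models`: the hardened model still accepts ordinary operational tweaks over the API, so the loss of flexibility is confined to settings that decide what code the server executes, which is exactly the class the advisory moves behind shell access.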


All users should upgrade to CouchDB 2.3.0.

Upgrades from previous 2.x versions in the same series should be seamless.

Users on earlier versions should consult with upgrade notes.


This issue was discovered by the Apple Information Security team.