Date: Wed, 11 Feb 2004 20:54:33 +0000
From: Tim Yamin <[email protected]>
To: [email protected], [email protected],
Subject: [ GLSA 200402-03 ] Monkeyd Denial of Service vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200402-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Monkeyd Denial of Service vulnerability
Date: February 11, 2004
Bugs: #41156
ID: 200402-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A bug in the get_real_string() function allows a Denial of Service
attack to be launched against the webserver.
Background
==========
The Monkey HTTP daemon is a Web server written in C that works under
Linux and is based on the HTTP/1.1 protocol. It aims to develop a fast,
efficient and small web server.
Description
===========
A bug in the URI processing of incoming requests allows a Denial of
Service attack to be launched against the webserver, which may cause the
server to crash or behave sporadically.
Impact
======
Although there are no public exploits known for this bug, users are
recommended to upgrade to ensure the security of their infrastructure.
Workaround
==========
There is no immediate workaround; a software upgrade is required. The
vulnerable function in the code has been rewritten.
Resolution
==========
All users are recommended to upgrade monkeyd to 0.8.2:
    # emerge sync
    # emerge -pv ">=net-www/monkeyd-0.8.2"
    # emerge ">=net-www/monkeyd-0.8.2"
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or, alternatively, you may file a bug at
http://bugs.gentoo.org.