-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200402-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: Monkeyd Denial of Service vulnerability
    Date: February 11, 2004
    Bugs: #41156
    ID: 200402-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A bug in the get_real_string() function allows for a Denial of Service
attack to be launched against the webserver.

Background
==========

The Monkey HTTP daemon is a Web server written in C that works under
Linux and is based on the HTTP/1.1 protocol. It aims to develop a fast,
efficient and small web server.

Description
===========

A bug in the URI processing of incoming requests allows for a Denial of
Service to be launched against the webserver, which may cause the server
to crash or behave sporadically.

Impact
======

Although there are no public exploits known for this bug, users are
recommended to upgrade to ensure the security of their infrastructure.

Workaround
==========

There is no immediate workaround; a software upgrade is required. The
vulnerable function in the code has been rewritten.

Resolution
==========

All users are recommended to upgrade monkeyd to 0.8.2:

    # emerge sync
    # emerge -pv ">=net-www/monkeyd-0.8.2"
    # emerge ">=net-www/monkeyd-0.8.2"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAKpaGMMXbAy2b2EIRAr1LAKC9dKoISy2eQelG1+Q71ZWgka7inwCgul7Z
+naU63THPiXqAHQxweaTuR0=
=wRuH
-----END PGP SIGNATURE-----