Gentoo Archives: gentoo-announce

From: Aida Escriva-Sammer <aescriva@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 200403-14 ] Multiple Security Vulnerabilities in Monit
Date: Wed, 31 Mar 2004 15:27:50
Message-Id: 406AE0C7.4090404@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200403-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Multiple Security Vulnerabilities in Monit
Date: March 31, 2004
Bugs: #43967
ID: 200403-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A denial of service and a buffer overflow vulnerability have been found
in Monit.

Background
==========

Monit is a system administration utility that allows management and
monitoring of processes, files, directories and devices on a Unix
system.

Affected packages
=================

-------------------------------------------------------------------
 Package                /  Vulnerable  /                 Unaffected
-------------------------------------------------------------------
 app-admin/monit           <= 4.1                          >= 4.2

Description
===========

A denial of service may occur due to Monit not sanitizing remotely
supplied HTTP parameters before passing them to memory allocation
functions. This could allow an attacker to cause an unexpected
condition that could lead to the Monit daemon crashing.

An overly long HTTP request method may cause a buffer overflow due to
Monit performing insufficient bounds checking when handling HTTP
requests.
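The two defect classes named above (a client-controlled value reaching an allocator unchecked, and a request method copied into a fixed buffer without a length check) are illustrated here in an added C example. This is not Monit's code and does not reproduce its parser; the function names, the 16-byte method limit and the 64 KiB allocation ceiling are assumptions chosen for the illustration. It shows the hardened form only: the method token is measured before it is copied and refused if it would not fit, and a length parameter is validated against a ceiling before any memory is requested.

```c
/* Added example, not Monit's code: a bounded HTTP request-line parser and a
 * checked allocation-size helper. All names and limits here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>

#define METHOD_MAX 16          /* longest token accepted as a request method (assumed) */
#define PARAM_ALLOC_MAX 65536  /* ceiling for any allocation sized by client data (assumed) */

enum parse_status { PARSE_OK = 0, PARSE_METHOD_TOO_LONG = -1, PARSE_MALFORMED = -2 };

struct request_line {
    char method[METHOD_MAX + 1];
    const char *target;    /* points into the caller's buffer, not copied */
    size_t target_len;
};

/* Scan a token up to the first space or line end without copying it. */
static size_t token_len(const char *p)
{
    size_t len = 0;
    while (p[len] != '\0' && p[len] != ' ' && p[len] != '\r' && p[len] != '\n')
        len++;
    return len;
}

/* The unsafe pattern this replaces copies the method into a fixed-size
 * buffer with no length check, so an overly long method overruns it.
 * Here the token is measured first and rejected (not truncated) if it
 * does not fit, so nothing is ever written past out->method. */
enum parse_status parse_request_line(const char *line, struct request_line *out)
{
    const char *p = line;
    size_t len = token_len(p);

    if (len == 0)
        return PARSE_MALFORMED;
    if (len > METHOD_MAX)
        return PARSE_METHOD_TOO_LONG;
    if (p[len] != ' ')
        return PARSE_MALFORMED;     /* method must be followed by a target */

    memcpy(out->method, p, len);
    out->method[len] = '\0';

    p += len + 1;
    len = token_len(p);
    if (len == 0)
        return PARSE_MALFORMED;
    out->target = p;
    out->target_len = len;
    return PARSE_OK;
}

/* Validate a client-supplied length string before it reaches malloc.
 * Returns 1 and stores the size if the value is a plain non-negative
 * decimal integer no larger than PARAM_ALLOC_MAX, otherwise 0. */
int checked_alloc_size(const char *value, size_t *out)
{
    char *end;
    unsigned long n;

    if (value == NULL || !isdigit((unsigned char)value[0]))
        return 0;   /* rejects empty strings, a leading '-', whitespace, etc. */
    errno = 0;
    n = strtoul(value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;   /* overflowed unsigned long, or trailing garbage */
    if (n > PARAM_ALLOC_MAX)
        return 0;
    *out = (size_t)n;
    return 1;
}

/* Allocate a buffer sized by client data only after validation; returns
 * NULL when the size is rejected so the caller can answer with an error
 * instead of letting the daemon over-allocate or crash. */
char *alloc_for_param(const char *len_value)
{
    size_t n;
    if (!checked_alloc_size(len_value, &n))
        return NULL;
    return calloc(n + 1, 1);   /* +1 leaves room for a terminator */
}

int main(void)
{
    struct request_line rl;
    char line[160];
    char long_method[128];

    memset(long_method, 'A', sizeof long_method - 1);
    long_method[sizeof long_method - 1] = '\0';
    snprintf(line, sizeof line, "%s / HTTP/1.0\r\n", long_method);

    printf("GET / -> %d\n", parse_request_line("GET / HTTP/1.0\r\n", &rl));
    printf("127-byte method -> %d\n", parse_request_line(line, &rl));
    printf("alloc for \"70000\" -> %s\n", alloc_for_param("70000") ? "ok" : "rejected");
    return 0;
}
```

Both helpers fail closed: a method that does not fit or a length that does not parse cleanly is rejected up front, which is the property the advisory says Monit 4.1 lacked on both paths.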

Impact
======

An attacker may crash the Monit daemon to create a denial of service
condition or cause a buffer overflow that would allow arbitrary code to
be executed with root privileges.

Workaround
==========

A workaround is not currently known for this issue. All users are
advised to upgrade to the latest version of the affected package.

Resolution
==========

Monit users should upgrade to version 4.2 or later:

# emerge sync

# emerge -pv ">=app-admin/monit-4.2"
# emerge ">=app-admin/monit-4.2"

References
==========

[ 1 ] http://www.securityfocus.com/bid/9098
[ 2 ] http://www.securityfocus.com/bid/9099

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

Attachments

File name MIME type
signature.asc application/pgp-signature