- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory GLSA 200403-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Multiple Security Vulnerabilities in Monit
      Date: March 31, 2004
      Bugs: #43967
        ID: 200403-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A denial of service and a buffer overflow vulnerability have been found
in Monit.

Background
==========

Monit is a system administration utility that allows management and
monitoring of processes, files, directories and devices on a Unix
system.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /   Vulnerable   /                   Unaffected
    -------------------------------------------------------------------
     app-admin/monit       <= 4.1                               >= 4.2

Description
===========

A denial of service may occur due to Monit not sanitizing remotely
supplied HTTP parameters before passing them to memory allocation
functions. This could allow an attacker to cause an unexpected
condition that could lead to the Monit daemon crashing.

An overly long HTTP request method may cause a buffer overflow due to
Monit performing insufficient bounds checking when handling HTTP
requests.
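The two defect classes named above (an untrusted size handed to an allocator, and a request method copied without a bounds check) are the classic input-validation failures in a small embedded HTTP server. The following C program is an added illustration written for this page; it is not Monit's code and does not reproduce the advisory's bugs. It shows a request-line handler that validates both inputs before any buffer is allocated or written. The names `method_token_len`, `parse_size_param`, `handle_request`, the caps `MAX_METHOD_LEN` and `MAX_ALLOC`, and the sample request `LONG_REQ` are all hypothetical and constructed here.

```c
/* Added example (not Monit's code): a bounds-checked HTTP request-line
 * handler showing the two defect classes described in this advisory, an
 * over-long method token and an untrusted size passed to an allocator.
 * MAX_METHOD_LEN and MAX_ALLOC are hypothetical limits chosen here. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_METHOD_LEN 16      /* hypothetical cap on the method token */
#define MAX_ALLOC      65536   /* hypothetical cap on a client-chosen size */

/* Constructed sample: a request whose method token is 64 bytes long. */
#define A16 "AAAAAAAAAAAAAAAA"
static const char LONG_REQ[] = A16 A16 A16 A16 " / HTTP/1.0";

/* Length of the method token (bytes before the first space).
 * Returns -1 if the line is malformed, -2 if the token exceeds the cap. */
int method_token_len(const char *req)
{
    const char *sp = strchr(req, ' ');
    if (sp == NULL || sp == req)
        return -1;
    size_t len = (size_t)(sp - req);
    return len > MAX_METHOD_LEN ? -2 : (int)len;
}

/* Copy the method into a caller-supplied buffer only after the length
 * check has passed, so the destination can never be overrun. */
static int copy_method(const char *req, char *out, size_t outlen)
{
    int len = method_token_len(req);
    if (len < 0 || (size_t)len >= outlen)
        return -1;
    memcpy(out, req, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Parse a client-supplied decimal size. Returns the value, or -1 when it
 * is not a whole positive number within MAX_ALLOC (rejecting negatives,
 * trailing garbage and values that overflow long). */
long parse_size_param(const char *param)
{
    if (param == NULL || *param == '\0')
        return -1;
    errno = 0;
    char *end;
    long v = strtol(param, &end, 10);
    if (errno != 0 || *end != '\0' || v <= 0 || v > MAX_ALLOC)
        return -1;
    return v;
}

/* Validate the request line and the size parameter before any buffer is
 * touched. Returns an HTTP-style status: 200 ok, 400 bad request,
 * 414 request method too long, 500 allocation failure. */
int handle_request(const char *req, const char *size_param)
{
    char method[MAX_METHOD_LEN + 1];
    int mlen = method_token_len(req);
    if (mlen == -2)
        return 414;
    if (mlen < 0 || copy_method(req, method, sizeof method) < 0)
        return 400;

    long n = parse_size_param(size_param);
    if (n < 0)
        return 400;
    char *buf = calloc(1, (size_t)n);   /* allocation only after validation */
    if (buf == NULL)
        return 500;
    /* a real server would process the request here using method and buf */
    free(buf);
    return 200;
}

int main(void)
{
    printf("%d %d %d %d\n",
           handle_request("GET / HTTP/1.0", "64"),
           handle_request(LONG_REQ, "64"),
           handle_request("NOSPACE", "64"),
           handle_request("GET / HTTP/1.0", "0"));
    return 0;
}
```

The point of the design is ordering: the length of the method token is measured and compared against a fixed cap before a single byte is copied into the stack buffer, and the client-supplied size is parsed with `strtol`, checked for range errors, trailing characters, zero or negative values and an upper bound before it reaches `calloc`. Either check failing returns an error status rather than letting the oversized input reach memory operations.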

Impact
======

An attacker may crash the Monit daemon to create a denial of service
condition or cause a buffer overflow that would allow arbitrary code to
be executed with root privileges.

Workaround
==========

A workaround is not currently known for this issue. All users are
advised to upgrade to the latest version of the affected package.

Resolution
==========

Monit users should upgrade to version 4.2 or later:

    # emerge sync

    # emerge -pv ">=app-admin/monit-4.2"
    # emerge ">=app-admin/monit-4.2"

References
==========

  [ 1 ] http://www.securityfocus.com/bid/9098
  [ 2 ] http://www.securityfocus.com/bid/9099

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.