From plasmaroo@gentoo.org Fri Feb 13 21:08:24 2004
From: Tim Yamin
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, security-alerts@linuxsecurity.com, gentoo-core@gentoo.org, gentoo-announce@gentoo.org
Date: Wed, 11 Feb 2004 20:54:33 +0000
Subject: [Full-Disclosure] [ GLSA 200402-03 ] Monkeyd Denial of Service vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200402-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: Monkeyd Denial of Service vulnerability
      Date: February 11, 2004
      Bugs: #41156
        ID: 200402-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A bug in the get_real_string() function allows a Denial of Service
attack to be launched against the webserver.

Background
==========

The Monkey HTTP daemon is a Web server written in C that runs on Linux
and implements the HTTP/1.1 protocol. It aims to be a fast, efficient
and small web server.

Description
===========

A bug in the URI processing of incoming requests allows a Denial of
Service to be launched against the webserver, which may cause the
server to crash or behave erratically.

Impact
======

Although no public exploits are known for this bug, users are
recommended to upgrade to ensure the security of their infrastructure.

Workaround
==========

There is no immediate workaround; a software upgrade is required. The
vulnerable function in the code has been rewritten.

Resolution
==========

All users are recommended to upgrade monkeyd to 0.8.2:

    # emerge sync
    # emerge -pv ">=net-www/monkeyd-0.8.2"
    # emerge ">=net-www/monkeyd-0.8.2"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAKpaGMMXbAy2b2EIRAr1LAKC9dKoISy2eQelG1+Q71ZWgka7inwCgul7Z
+naU63THPiXqAHQxweaTuR0=
=wRuH
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
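A check to go with the Resolution section of the advisory above: a small POSIX sh script that decides whether an installed monkeyd is still below the fixed version 0.8.2. This is an added example, not part of GLSA 200402-03 and not Gentoo's own tooling. It assumes that version strings are dotted integers with an optional Gentoo revision suffix such as -r1, and that the installed version can be read from a portage VDB directory named /var/db/pkg/net-www/monkeyd-<version>; both are assumptions made here, not facts stated by the advisory. The comparison is done component by component rather than as a string, so that 0.10.0 sorts above 0.9.9 and 0.8 equals 0.8.0.

```shell
#!/bin/sh
# Added example (not part of the GLSA): decide whether an installed monkeyd
# is older than the fixed version named in the advisory, 0.8.2.
# Assumptions: versions are dotted integers with an optional Gentoo
# revision suffix (-rN); the installed version is read from the portage
# VDB directory /var/db/pkg/net-www/monkeyd-<version>.

FIXED_VERSION="0.8.2"

# vercmp A B: compare two dotted versions component by component and
# print -1, 0 or 1. A missing component counts as 0, so 0.8 == 0.8.0.
vercmp() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ahead="${a%%.*}"
        bhead="${b%%.*}"
        [ -n "$ahead" ] || ahead=0
        [ -n "$bhead" ] || bhead=0
        if [ "$ahead" -lt "$bhead" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ahead" -gt "$bhead" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# strip_revision V: drop a Gentoo revision suffix such as -r1 (assumption
# about the version format; the advisory itself only names 0.8.2).
strip_revision() {
    printf '%s\n' "${1%%-r*}"
}

# monkeyd_vulnerable V: true (exit 0) when V is below FIXED_VERSION.
monkeyd_vulnerable() {
    v=$(strip_revision "$1")
    [ "$(vercmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# installed_monkeyd_version: print the version recorded in the portage
# VDB (assumed path), or fail if monkeyd is not installed.
installed_monkeyd_version() {
    for d in /var/db/pkg/net-www/monkeyd-*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d##*/monkeyd-}"
        return 0
    done
    return 1
}

if installed=$(installed_monkeyd_version); then
    if monkeyd_vulnerable "$installed"; then
        echo "monkeyd-$installed is older than $FIXED_VERSION: upgrade per GLSA 200402-03"
    else
        echo "monkeyd-$installed is at or above $FIXED_VERSION"
    fi
else
    echo "monkeyd is not installed (no /var/db/pkg/net-www/monkeyd-* entry)"
fi
```

Run it on the host after `emerge sync` to confirm the upgrade actually landed; on a box without monkeyd it reports that nothing is installed rather than failing. The revision suffix is stripped before comparing because a -rN rebuild of 0.8.1 is still the vulnerable 0.8.1 code.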