Gentoo alert: Monkeyd Denial of Service vulnerability

Posted by dave on Feb 11, 2004 11:56 AM EDT

A bug in the get_real_string() function allows for a Denial of Service attack to be launched against the webserver.


---------------------------------------------------------------------------
Gentoo Linux Security Advisory                           GLSA 200402-03
---------------------------------------------------------------------------
                                             http://security.gentoo.org
---------------------------------------------------------------------------

  Severity: Normal
     Title: Monkeyd Denial of Service vulnerability
      Date: February 11, 2004
      Bugs: #41156
        ID: 200402-03

---------------------------------------------------------------------------

Synopsis
========

A bug in the get_real_string() function allows for a Denial of Service attack to be launched against the webserver.

Background
==========

The Monkey HTTP daemon is a Web server written in C that works under Linux and is based on the HTTP/1.1 protocol. It aims to develop a fast, efficient and small web server.

Description
===========

A bug in the URI processing of incoming requests allows for a Denial of Service to be launched against the webserver, which may cause the server to crash or behave sporadically.

Impact
======

Although there are no public exploits known for this bug, users are recommended to upgrade to ensure the security of their infrastructure.

Workaround
==========

There is no immediate workaround; a software upgrade is required. The vulnerable function in the code has been rewritten.

Resolution
==========

All users are recommended to upgrade monkeyd to 0.8.2:

    # emerge sync
    # emerge -pv ">=net-www/monkeyd-0.8.2"
    # emerge ">=net-www/monkeyd-0.8.2"

Concerns?
=========

Security is a primary focus of Gentoo Linux, and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.



