lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 11 Feb 2004 20:54:33 +0000
From: Tim Yamin <plasmaroo@...too.org>
To: bugtraq@...urityfocus.com,  full-disclosure@...ts.netsys.com, 
 security-alerts@...uxsecurity.com,  gentoo-core@...ts.gentoo.org, 
 gentoo-announce@...ts.gentoo.org
Subject: [ GLSA 200402-03 ] Monkeyd Denial of Service vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200402-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~                                            http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

~  Severity: Normal
~     Title: Monkeyd Denial of Service vulnerability
~      Date: February 11, 2004
~      Bugs: #41156
~        ID: 200402-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A bug in get_real_string() function allows for a Denial of Service
attack to be launched against the webserver.

Background
==========

The Monkey HTTP daemon is a Web server written in C that works under
Linux and is based on the HTTP/1.1 protocol. It aims to develop a fast,
efficient and small web server.

Description
===========

A bug in the URI processing of incoming requests allows for a Denial of
Service to be launched against the webserver, which may cause the server
to crash or behave sporadically.

Impact
======

Although there are no public exploits known for bug, users are
recommended to upgrade to ensure the security of their infrastructure.

Workaround
==========

There is no immediate workaround; a software upgrade is required. The
vulnerable function in the code has been rewritten.

Resolution
==========

All users are recommended to upgrade monkeyd to 0.8.2:

~    # emerge sync
~    # emerge -pv ">=net-www/monkeyd-0.8.2"
~    # emerge ">=net-www/monkeyd-0.8.2"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@...too.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAKpaGMMXbAy2b2EIRAr1LAKC9dKoISy2eQelG1+Q71ZWgka7inwCgul7Z
+naU63THPiXqAHQxweaTuR0=
=wRuH
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ