- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200402-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

~  Severity: Normal
~     Title: Monkeyd Denial of Service vulnerability
~      Date: February 11, 2004
~      Bugs: #41156
~        ID: 200402-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A bug in get_real_string() function allows for a Denial of Service
attack to be launched against the webserver.

Background
==========

The Monkey HTTP daemon is a Web server written in C that works under
Linux and is based on the HTTP/1.1 protocol. It aims to develop a fast,
efficient and small web server.

Description
===========

A bug in the URI processing of incoming requests allows for a Denial of
Service to be launched against the webserver, which may cause the server
to crash or behave sporadically.

Impact
======

Although there are no public exploits known for bug, users are
recommended to upgrade to ensure the security of their infrastructure.

Workaround
==========

There is no immediate workaround; a software upgrade is required. The
vulnerable function in the code has been rewritten.

Resolution
==========

All users are recommended to upgrade monkeyd to 0.8.2:

~    # emerge sync
~    # emerge -pv ">=net-www/monkeyd-0.8.2"
~    # emerge ">=net-www/monkeyd-0.8.2"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at 
http://bugs.gentoo.org.