From: Jan-Henrik Haukeland
Subject: [Announce/Security Advisory] monit 4.1.1 released
Date: Sat, 22 Nov 2003 00:03:57 +0100
User-agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.4 (Reasonable Discussion, linux)
Monit version 4.1.1 is now available.

Download from: http://www.tildeslash.com/monit/dist/
Change log:    http://www.tildeslash.com/monit/dist/CHANGES.txt
Checksum:      f900e393b575970ff30545fdc7e0a206  monit-4.1.1.tar.gz

This is a security and bugfix release. The most important changes in this release are patches for the following security vulnerabilities:

-- Vulnerability 1: Long HTTP method stack overflow

By supplying an overly long HTTP request method, an attacker could trigger a stack overflow condition which may lead to a remote root compromise.

-- Vulnerability 2: Denial of Service via negative Content-Length field

By supplying a negative value in the Content-Length header, an attacker could cause an xmalloc() failure and kill a Monit daemon.

The full security report, kindly provided by S-Quadra Security Research, can be viewed here: http://www.tildeslash.com/monit/secadv_20031121.txt

Who is affected by the vulnerabilities?
---------------------------------------

This issue only affects those who run monit with HTTP server support and expose the server to the internet.

Recommendations
---------------

Upgrade to monit release 4.1.1. This release makes sure that it's virtually impossible to smash the stack via a malformed HTTP request.
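The two bug classes the advisory names, shown side by side in a constructed C example added here by the editor. This is not monit's code and does not reproduce its parser; METHOD_MAX, BODY_MAX, the uppercase-only method rule and all function names are assumptions chosen for the illustration. The unsafe method copy is included only for contrast and is never called; the hardened parsers bound the method length before anything is written and validate Content-Length as an unsigned, capped value before any allocation is attempted.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the two bug classes named in the advisory.
 * This is NOT monit's code; the limits and names below are assumptions. */

#define METHOD_MAX 16               /* assumed: longest method + NUL */
#define BODY_MAX   (1024 * 1024)    /* assumed: largest body we accept */

/* Bug class 1, vulnerable pattern: the method is copied into a fixed-size
 * stack buffer until the first space with no bound, so a method longer
 * than METHOD_MAX - 1 bytes overruns the buffer and, given enough input,
 * the saved return address. Shown for contrast only; never called. */
void method_unsafe(const char *request_line)
{
    char method[METHOD_MAX];
    size_t i = 0;
    while (request_line[i] != '\0' && request_line[i] != ' ') {
        method[i] = request_line[i];        /* no check against METHOD_MAX */
        i++;
    }
    method[i] = '\0';
    (void)method;
}

/* Hardened form: the copy stops before out_len and an over-long, empty or
 * non-token method is rejected outright (not truncated), so the request
 * decides nothing about how many bytes are written. Returns 1 on success
 * with the method in `out`, 0 on rejection. Uppercase-only is an assumed
 * policy for the example, not an HTTP rule. */
int parse_method(const char *request_line, char *out, size_t out_len)
{
    size_t i = 0;
    if (out_len == 0) return 0;
    while (request_line[i] != '\0' && request_line[i] != ' ') {
        if (i + 1 >= out_len) return 0;                  /* too long: reject */
        if (!isupper((unsigned char)request_line[i])) return 0;
        out[i] = request_line[i];
        i++;
    }
    if (i == 0 || request_line[i] != ' ') return 0;     /* empty or no URI */
    out[i] = '\0';
    return 1;
}

/* Bug class 2: a Content-Length read as a signed integer and handed to an
 * allocator taking size_t becomes a huge unsigned size; the allocation
 * fails and an xmalloc() that aborts on failure takes the daemon down.
 * Parse as unsigned, refuse anything that is not a digit string (so "-1"
 * and "+1" are rejected) and cap at BODY_MAX before allocating anything.
 * Returns 1 and sets *length on success, 0 on rejection. */
int parse_content_length(const char *value, size_t *length)
{
    char *end;
    unsigned long long n;

    while (*value == ' ' || *value == '\t') value++;
    if (!isdigit((unsigned char)*value)) return 0;      /* "", "-1", "+1" */
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE) return 0;                       /* does not fit */
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0') return 0;                          /* trailing junk */
    if (n > BODY_MAX) return 0;                          /* above our cap */
    *length = (size_t)n;
    return 1;
}

/* Allocation happens only after the header has been validated, so the
 * request cannot drive the allocator into a failure path. */
char *read_body_buffer(const char *content_length_value)
{
    size_t len;
    if (!parse_content_length(content_length_value, &len)) return NULL;
    return calloc(len + 1, 1);          /* +1 for a terminating NUL */
}

/* Small wrappers so the checks can be exercised without managing buffers. */
int method_accepted(const char *request_line)
{
    char method[METHOD_MAX];
    return parse_method(request_line, method, sizeof method);
}

/* Builds "AAA... / HTTP/1.0" with n letters and parses it, to probe the bound. */
int method_of_length_accepted(size_t n)
{
    char *line = malloc(n + sizeof " / HTTP/1.0");
    int ok;
    if (line == NULL) return 0;
    memset(line, 'A', n);
    memcpy(line + n, " / HTTP/1.0", sizeof " / HTTP/1.0");
    ok = method_accepted(line);
    free(line);
    return ok;
}

long long content_length_or_minus1(const char *value)
{
    size_t len;
    return parse_content_length(value, &len) ? (long long)len : -1;
}

int main(void)
{
    printf("GET / HTTP/1.0      -> %d\n", method_accepted("GET / HTTP/1.0"));
    printf("4095 x 'A' method   -> %d\n", method_of_length_accepted(4095));
    printf("Content-Length 512  -> %lld\n", content_length_or_minus1("512"));
    printf("Content-Length -1   -> %lld\n", content_length_or_minus1("-1"));
    return 0;
}
```

The design point is that both checks reject rather than repair: a truncated method or a clamped length would still let the client steer the server into a state it did not intend, whereas a rejected request costs nothing and leaves the stack and the allocator untouched.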