| From: | Jan-Henrik Haukeland |
| Subject: | [Announce/Security Advisory] monit 4.1.1 released |
| Date: | Sat, 22 Nov 2003 00:03:57 +0100 |
| User-agent: | Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.4 (Reasonable Discussion, linux) |
Monit version 4.1.1 is now available.
Download from: http://www.tildeslash.com/monit/dist/
Change log: http://www.tildeslash.com/monit/dist/CHANGES.txt
Checksum: f900e393b575970ff30545fdc7e0a206 monit-4.1.1.tar.gz
This is a security and bugfix release. The most important changes in
this release are patches for the following security vulnerabilities:
-- Vulnerability 1: Long http method stack overflow
By supplying an overly large http request method, an attacker could
trigger a stack overflow condition which may lead to a remote root
compromise.
-- Vulnerability 2: Denial of Service via negative Content-Length field
By supplying a negative value in the Content-Length header, an attacker
could cause an xmalloc() failure and kill a Monit daemon.
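The two input-validation checks that close off both issues above, written here as an added illustration in C (not monit's own code): the method token's length is checked before it is copied into a fixed-size buffer, and the Content-Length value is rejected unless it is a non-negative, in-range integer. METHOD_MAX and BODY_MAX are assumed bounds for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds chosen for this example; they are assumptions, not monit's values.
 * The longest standard HTTP/1.1 method name is 7 bytes ("OPTIONS"). */
#define METHOD_MAX 16
#define BODY_MAX   (1024UL * 1024UL)

/* Copy the method token of a request line into a caller-supplied buffer.
 * Returns 0 on success, -1 if the token is empty, not followed by a space,
 * or would not fit: the length is checked BEFORE any byte is copied, so an
 * overly long method can never run past the end of the fixed-size buffer. */
int parse_method(const char *line, char *method, size_t method_sz) {
    size_t n = strcspn(line, " ");
    if (n == 0 || line[n] != ' ' || n >= method_sz) return -1;
    memcpy(method, line, n);
    method[n] = '\0';
    return 0;
}

/* Convenience wrapper: 1 if the request line carries an acceptable method. */
int method_accepted(const char *line) {
    char method[METHOD_MAX];
    return parse_method(line, method, sizeof method) == 0;
}

/* Parse a Content-Length value (CRLF already stripped). Returns the length,
 * or -1 for anything empty, signed, non-numeric, out of range, or above
 * BODY_MAX, so no negative or absurd size ever reaches the allocator. */
long long checked_content_length(const char *value) {
    while (*value == ' ' || *value == '\t') value++;
    if (!isdigit((unsigned char)*value)) return -1;  /* rejects "-1", "+5", "" */
    char *end;
    errno = 0;
    unsigned long long v = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > BODY_MAX) return -1;
    return (long long)v;
}

int main(void) {
    /* Constructed sample inputs: one benign request line, one oversized method. */
    char longline[600];
    memset(longline, 'A', 512); strcpy(longline + 512, " / HTTP/1.0");
    printf("GET accepted: %d\n", method_accepted("GET / HTTP/1.0"));      /* 1 */
    printf("512-byte method accepted: %d\n", method_accepted(longline));  /* 0 */
    printf("Content-Length 42 -> %lld\n", checked_content_length("42"));  /* 42 */
    printf("Content-Length -1 -> %lld\n", checked_content_length("-1"));  /* -1 */
    return 0;
}
```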
The full security report kindly provided by S-Quadra Security Research
can be viewed here:
http://www.tildeslash.com/monit/secadv_20031121.txt
Who is affected by the vulnerabilities?
---------------------------------------
These issues only affect those who run monit with http server support
and expose the server to the internet.
Recommendations
---------------
Upgrade to monit release 4.1.1. This release makes sure that it's
virtually impossible to smash the stack via a malformed HTTP request.