[Announce/Security Advisory] monit 4.2.1 released

From: Jan-Henrik Haukeland
Subject: [Announce/Security Advisory] monit 4.2.1 released
Date: Mon, 05 Apr 2004 09:38:28 +0200
Monit version 4.2.1 is now available.

Checksum:       ce436eb5977be60aff5d8b2a1eba2ade  monit-4.2.1.tar.gz

This is a security and bugfix release. The most important change in
this release is a patch for the following security vulnerabilities:

Monit Security Advisory [05 April 2004]

1. Monit HTTP Interface Buffer Overflow Vulnerability

Monit implements a simple HTTP interface that supports Basic
authentication. This interface suffers from a buffer overflow
vulnerability when handling a client that authenticates with malformed
credentials. An attacker could send a carefully crafted Authorization
header to the monit server and cause the server to either crash or
worse to execute arbitrary code with the privileges of the monit user.

2. Off-By-One Overflow in Monit HTTP Interface

This buffer overflow lies in the handling of POST submissions with
entity bodies. If the request body has the exact length of X bytes,
monit will write one byte past its designated input buffer. This error
can cause the monit server to crash.
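Both issues above are the same class of defect: request data of attacker-chosen length copied into a fixed-size buffer without a correct bound. The C program below is an added illustration, not monit's code, of the checks a small HTTP server must apply when handling the two fields the advisory names, a POST entity body and the credentials in a Basic Authorization header. The buffer sizes (BODY_BUF_SIZE, CRED_BUF_SIZE), the function names and the sample requests are constructed for this example; the off-by-one check is shown only as a comparison predicate so nothing out of bounds is ever written.

```c
/* Added example (not monit's code): bounded handling of a POST entity body
 * and an HTTP Basic Authorization value, each copied into a fixed buffer.
 * Buffer sizes and function names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define BODY_BUF_SIZE 64   /* assumed fixed buffer for the entity body */
#define CRED_BUF_SIZE 32   /* assumed fixed buffer for decoded credentials */

/* The off-by-one pattern: this check accepts len == bufsize, but a copy
 * that then appends a NUL terminator writes buf[len], one byte past the
 * end.  Returns 1 when the check would let such a body through. */
int body_fits_off_by_one(size_t len, size_t bufsize)
{
    return len <= bufsize;   /* wrong: forgets the terminator */
}

/* Corrected check: the data plus its terminator must fit. */
int body_fits(size_t len, size_t bufsize)
{
    return len < bufsize;
}

/* Copy a request body into buf, NUL-terminated.  Returns the number of
 * bytes copied, or -1 if the body (plus terminator) does not fit.  The
 * client-supplied length is checked before any byte is written. */
long copy_body(const char *src, size_t len, char *buf, size_t bufsize)
{
    if (!body_fits(len, bufsize))
        return -1;
    memcpy(buf, src, len);
    buf[len] = '\0';
    return (long)len;
}

/* Decode one base64 character; -1 for anything outside the alphabet. */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode the "Basic <token>" value of an Authorization header into out.
 * Returns the decoded length, or -1 if the value is malformed or the
 * decoded credentials (plus terminator) would not fit in out.  The size
 * bound is derived from the token length before decoding starts. */
long decode_basic_auth(const char *value, char *out, size_t outsize)
{
    const char *prefix = "Basic ";
    size_t plen = strlen(prefix);
    if (strncmp(value, prefix, plen) != 0)
        return -1;
    const char *tok = value + plen;
    size_t tlen = strlen(tok);
    if (tlen == 0 || tlen % 4 != 0)
        return -1;
    size_t max_out = tlen / 4 * 3;        /* upper bound on decoded bytes */
    if (max_out >= outsize)
        return -1;                        /* reject before writing anything */
    size_t o = 0;
    for (size_t i = 0; i < tlen; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = tok[i + k];
            if (c == '=') { v[k] = 0; pad++; continue; }
            v[k] = b64_value(c);
            if (v[k] < 0 || pad > 0) return -1;   /* bad char, or data after '=' */
        }
        if (pad > 2 || (pad > 0 && i + 4 != tlen)) return -1;
        unsigned long bits = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        out[o++] = (char)(bits >> 16);
        if (pad < 2) out[o++] = (char)(bits >> 8);
        if (pad < 1) out[o++] = (char)bits;
    }
    out[o] = '\0';
    return (long)o;
}

/* Convenience wrappers over static buffers so results can be inspected. */
static char body_buf[BODY_BUF_SIZE];
static char cred_buf[CRED_BUF_SIZE];
long try_body(const char *body) { return copy_body(body, strlen(body), body_buf, sizeof body_buf); }
long try_auth(const char *value) { return decode_basic_auth(value, cred_buf, sizeof cred_buf); }

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    printf("body: %ld\n", try_body("name=monit&action=stop"));
    printf("auth: %ld %s\n", try_auth("Basic dXNlcjpwYXNz"), cred_buf);
    printf("boundary: buggy=%d fixed=%d\n",
           body_fits_off_by_one(BODY_BUF_SIZE, BODY_BUF_SIZE),
           body_fits(BODY_BUF_SIZE, BODY_BUF_SIZE));
    return 0;
}
```

The two predicates make the boundary condition explicit: a body exactly BODY_BUF_SIZE bytes long passes the off-by-one check and fails the corrected one, and the credential decoder refuses a token whose decoded size could exceed CRED_BUF_SIZE before it touches the output buffer.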


Upgrade to monit version 4.2.1 (or turn off HTTP support in previous
monit versions).


The monit team would like to thank Matthew Murphy <mattmurphy at kc rr
com> for discovering and courteously reporting these issues to the
monit team.

