[Announce/Security Advisory] monit 4.2.1 released
From: Jan-Henrik Haukeland
Subject: [Announce/Security Advisory] monit 4.2.1 released
Date: Mon, 05 Apr 2004 09:38:28 +0200
User-agent: Gnus/5.1006 (Gnus v5.10.6) XEmacs/21.4 (Reasonable Discussion, linux)
Monit version 4.2.1 is now available.
Download from: http://www.tildeslash.com/monit/dist/
Change log: http://www.tildeslash.com/monit/dist/CHANGES.txt
Checksum: ce436eb5977be60aff5d8b2a1eba2ade monit-4.2.1.tar.gz
This is a security and bugfix release. The most important change in
this release is a patch for the following security vulnerabilities:
Monit Security Advisory [05 April 2004]
1. Monit HTTP Interface Buffer Overflow Vulnerability
=====================================================
Monit implements a simple HTTP interface that supports Basic
authentication. This interface suffers from a buffer overflow
vulnerability when handling a client that authenticates with malformed
credentials. An attacker could send a carefully crafted Authorization
header to the monit server and cause the server to either crash or
worse to execute arbitrary code with the privileges of the monit user.
2. Off-By-One Overflow in Monit HTTP Interface
==============================================
This buffer overflow lies in the handling of POST submissions with
entity bodies. If the request body has the exact length of X bytes,
monit will write one byte past its designated input buffer. This error
can cause the monit server to crash.
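The off-by-one in item 2 is a boundary error in length-checked input handling: a body of exactly the buffer's size passes the check, and the terminator the parser appends lands one byte past the end. The same discipline, rejecting any input that does not fit together with its terminator, is what a fix for the Authorization header handling in item 1 needs as well. The C snippet below is an added illustration written for this page, not monit's source: BODY_BUF_SIZE, the function names and the request bodies are constructed, and the vulnerable pattern only reports where the bad write would land instead of performing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size: stands in for the advisory's "X bytes". */
#define BODY_BUF_SIZE 16

/* Vulnerable pattern (constructed, not monit's code). The check lets a
 * body of exactly BODY_BUF_SIZE bytes through, so the NUL terminator a
 * string-style parser appends would be written at buf[BODY_BUF_SIZE],
 * one byte past the end. To keep the example safe to run it returns the
 * index the terminator would go to, or -1 when the body is rejected. */
static int unsafe_terminator_index(size_t content_length)
{
    if (content_length > BODY_BUF_SIZE)   /* off by one: should be >= */
        return -1;
    return (int)content_length;
}

/* 1 when the vulnerable check would permit an out-of-bounds write. */
static int would_overflow(size_t content_length)
{
    int idx = unsafe_terminator_index(content_length);
    return idx >= BODY_BUF_SIZE;
}

/* Hardened copy: the terminator needs its own byte, so any body of
 * buf_size or more bytes is rejected before anything is copied.
 * Returns the number of bytes copied, or -1 on rejection. */
static int read_body_hardened(const char *body, size_t content_length,
                              char *buf, size_t buf_size)
{
    if (buf == NULL || body == NULL || buf_size == 0)
        return -1;
    if (content_length >= buf_size)       /* correct boundary check */
        return -1;
    memcpy(buf, body, content_length);
    buf[content_length] = '\0';
    return (int)content_length;
}

/* Runs the hardened reader against a fixed-size buffer and returns its
 * result, so the boundary case can be checked without exposing the buffer. */
static int hardened_accepts(const char *body, size_t content_length)
{
    char buf[BODY_BUF_SIZE];
    return read_body_hardened(body, content_length, buf, sizeof buf);
}

int main(void)
{
    /* Constructed request bodies: 15 bytes fits, 16 is the boundary case. */
    const char *ok_body = "action=restart1";     /* 15 bytes */
    const char *edge_body = "action=restart12";  /* 16 bytes */

    printf("15-byte body: unsafe index %d (overflow=%d), hardened=%d\n",
           unsafe_terminator_index(15), would_overflow(15),
           hardened_accepts(ok_body, 15));
    printf("16-byte body: unsafe index %d (overflow=%d), hardened=%d\n",
           unsafe_terminator_index(16), would_overflow(16),
           hardened_accepts(edge_body, 16));
    return 0;
}
```

The useful check when reviewing this kind of code is the exact-boundary input: a body whose length equals the buffer size must be rejected, not merely anything longer than it.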
Recommendations
---------------
Upgrade to monit version 4.2.1 (or turn off http support in previous
monit versions).
Credits
-------
The monit team would like to thank Matthew Murphy <mattmurphy at kc rr
com> for discovering and courteously reporting these issues to the
monit team.