From ${URL} : Description A vulnerability has been discovered in Monkey HTTP Daemon, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a signedness error in the "mk_request_header_process()" function (src/mk_request.c) when parsing the request and can be exploited to cause a stack-based buffer overflow. The vulnerability is confirmed in version 1.2.0. Other versions may also be affected. Solution No official solution is currently available. Provided and/or discovered by Reported by dougsko in a bug report. Original Advisory http://bugs.monkey-project.com/ticket/182 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Looks like upstream has a solution: http://git.monkey-project.com/?p=monkey;a=commit;h=95d646e5de252bfaa8b68c39d0f48e5d82965d41
The patch is in the tree with monkeyd-1.2.0.
(In reply to Anthony Basile from comment #2) > The patch is in the tree with monkeyd-1.2.0. 1.2.1 was released with the fix, so I pulled 1.2.0 and pushed 1.2.1
GLSA request filed
This issue was resolved and addressed in GLSA 201309-17 at http://security.gentoo.org/glsa/glsa-201309-17.xml by GLSA coordinator Chris Reffett (creffett).