Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 472644 (CVE-2013-2163) - <www-servers/monkeyd-1.2.2 : DoS due bug on Range header handling (CVE-2013-2163)
Summary: <www-servers/monkeyd-1.2.2 : DoS due bug on Range header handling (CVE-2013-2...
Status: RESOLVED FIXED
Alias: CVE-2013-2163
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-08 09:28 UTC by Agostino Sarubbo
Modified: 2013-09-25 17:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-06-08 09:28:22 UTC
From ${URL} :

I've found an issue on the way as Monkey HTTPD handle the Range HTTP header
when receiving Range:bytes=N-N where N is the exact file size, which causes
the
thread to go into an infinite loop, hence keeping the server busy on each
request until a server shutdown.

More details on bug report at http://bugs.monkey-project.com/ticket/184



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Anthony Basile gentoo-dev 2013-06-08 10:03:21 UTC
(In reply to Agostino Sarubbo from comment #0)
> From ${URL} :
> 
> I've found an issue on the way as Monkey HTTPD handle the Range HTTP header
> when receiving Range:bytes=N-N where N is the exact file size, which causes
> the
> thread to go into an infinite loop, hence keeping the server busy on each
> request until a server shutdown.
> 
> More details on bug report at http://bugs.monkey-project.com/ticket/184
> 
> 
> 
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please say explicitly if it is ready for the stabilization or not.

Thanks ago for following all these security notices for me (and the rest of us).  Right now, the issues against monkeyd are coming fast.  I had 1.2.0 in the tree, then I backported a fix for the DoS header issue, bug #472400, then 1.2.1 came out and now this.  Its best to hold until things settle down.
Comment 2 Anthony Basile gentoo-dev 2013-06-22 10:52:42 UTC
This is fixed in 1.2.2 which I just added to the tree, but there are still more security bugs against monkeyd.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-12 01:46:22 UTC
Note that monkeyd needs a GLSA anyway, bug 472400 is a B2.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2013-09-03 16:47:05 UTC
Added to existing request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-09-25 17:14:19 UTC
This issue was resolved and addressed in
 GLSA 201309-17 at http://security.gentoo.org/glsa/glsa-201309-17.xml
by GLSA coordinator Chris Reffett (creffett).