Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 472644 (CVE-2013-2163)

Summary: <www-servers/monkeyd-1.2.2 : DoS due bug on Range header handling (CVE-2013-2163)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: blueness
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/06/08/1
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-06-08 09:28:22 UTC 
From ${URL} :

I've found an issue on the way as Monkey HTTPD handle the Range HTTP header
when receiving Range:bytes=N-N where N is the exact file size, which causes
the
thread to go into an infinite loop, hence keeping the server busy on each
request until a server shutdown.

More details on bug report at http://bugs.monkey-project.com/ticket/184



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Anthony Basile gentoo-dev 2013-06-08 10:03:21 UTC 
(In reply to Agostino Sarubbo from comment #0)
> From ${URL} :
> 
> I've found an issue on the way as Monkey HTTPD handle the Range HTTP header
> when receiving Range:bytes=N-N where N is the exact file size, which causes
> the
> thread to go into an infinite loop, hence keeping the server busy on each
> request until a server shutdown.
> 
> More details on bug report at http://bugs.monkey-project.com/ticket/184
> 
> 
> 
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please say explicitly if it is ready for the stabilization or not.

Thanks ago for following all these security notices for me (and the rest of us).  Right now, the issues against monkeyd are coming fast.  I had 1.2.0 in the tree, then I backported a fix for the DoS header issue, bug #472400, then 1.2.1 came out and now this.  Its best to hold until things settle down.
Comment 2 Anthony Basile gentoo-dev 2013-06-22 10:52:42 UTC 
This is fixed in 1.2.2 which I just added to the tree, but there are still more security bugs against monkeyd.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-12 01:46:22 UTC 
Note that monkeyd needs a GLSA anyway, bug 472400 is a B2.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2013-09-03 16:47:05 UTC 
Added to existing request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-09-25 17:14:19 UTC 
This issue was resolved and addressed in
 GLSA 201309-17 at http://security.gentoo.org/glsa/glsa-201309-17.xml
by GLSA coordinator Chris Reffett (creffett).