| Summary: | <www-servers/monkeyd-1.5.3: denial of service (CVE-2014-5336) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | blueness |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2014/08/18/5 | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Its ready: TARGET="amd64 arm ppc ppc64 x86" amd64 stable x86 stable Stable on arm, ppc and ppc64. We're done stabilizing and I've removed all vulnerable versions from the tree. Arches and Maintainer(s), Thank you for your work. GLSA Vote: No GLSA Vote: No CVE-2014-5336 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5336): Monkey HTTP Server before 1.5.3, when the File Descriptor Table (FDT) is enabled and custom error messages are set, allows remote attackers to cause a denial of service (file descriptor consumption) via an HTTP request that triggers an error message. |
From ${URL} : Description: When the File Descriptor Table (FDT) mechanism is enabled (the default setting), any HTTP requests that result in a custom error message being returned cause a file descriptor (to the custom error message content file) to be leaked. An attacker can therefore repeatedly send such requests so as to leak a large number of descriptors. Eventually, the server will reach the OS-enforced per-process limit on the amount of open file descriptors (as given by `ulimit -n`). From this point on, and until the server is restarted, any request that requires the opening of another file in order to be handled will fail; even valid requests from other parties for normal files will fail with an HTTP 403 error. This is a simple denial-of-service attack. Workaround: Do not use custom error messages, or disable the File Descriptor Table by using the "FDT off" directive in the server configuration file (see http://monkey-project.com/documentation/1.5/configuration/server.html#fdt). Affected versions: <= v1.5.2 Fixed version: v1.5.3 Fix: https://github.com/monkey/monkey/commit/b2d0e6f92310bb14a15aa2f8e96e1fb5379776dd Release notes: http://monkey-project.com/Announcements/v1.5.3 Reported by: Matthew Daley @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.