Rainbows! Rack HTTP server user/dev discussion
 help / color / mirror / code / Atom feed
* [ANN] unicorn 0.97.1 - fix HTTP parser for Rainbows!/Zbatery
       [not found] ` <20100419212513.GB26722-yBiyF41qdooeIZ0/mPfg9Q@public.gmane.org>
@ 2010-04-19 21:28   ` Eric Wong
  0 siblings, 0 replies; only message in thread
From: Eric Wong @ 2010-04-19 21:28 UTC (permalink / raw)
  To: rainbows-talk-GrnCvJ7WPxnNLxjTenLetw

Unicorn is an HTTP server for Rack applications designed to only serve
fast clients on low-latency, high-bandwidth connections and take
advantage of features in Unix/Unix-like kernels.  Slow clients should
only be served by placing a reverse proxy capable of fully buffering
both the the request and response in between Unicorn and slow clients.

* http://unicorn.bogomips.org/
* mongrel-unicorn-GrnCvJ7WPxnNLxjTenLetw@public.gmane.org
* git://git.bogomips.org/unicorn.git

Changes:

This release fixes a denial-of-service vector for derived
servers exposed directly to untrusted clients.

This bug does not affect most Unicorn deployments as Unicorn is
only supported with trusted clients (such as nginx) on a LAN.
nginx is known to reject clients that send invalid
Content-Length headers, so any deployments on a trusted LAN
and/or behind nginx are safe.

Servers affected by this bug include (but are not limited to)
Rainbows! and Zbatery.  This bug does not affect Thin nor
Mongrel, as neither got the request body filtering treatment
that the Unicorn HTTP parser got in August 2009.

The bug fixed in this release could result in a
denial-of-service as it would trigger a process-wide assertion
instead of raising an exception.  For servers such as
Rainbows!/Zbatery that serve multiple clients per worker
process, this could abort all clients connected to the
particular worker process that hit the assertion.

-- 
Eric Wong
_______________________________________________
Rainbows! mailing list - rainbows-talk-GrnCvJ7WPxnNLxjTenLetw@public.gmane.org
http://rubyforge.org/mailman/listinfo/rainbows-talk
Do not quote signatures (like this one) or top post when replying


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2010-04-19 21:28 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20100419212513.GB26722@dcvr.yhbt.net>
     [not found] ` <20100419212513.GB26722-yBiyF41qdooeIZ0/mPfg9Q@public.gmane.org>
2010-04-19 21:28   ` [ANN] unicorn 0.97.1 - fix HTTP parser for Rainbows!/Zbatery Eric Wong

Code repositories for project(s) associated with this inbox:

	../../../rainbows.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).