Prev: ya config file parser
Next: unicorn 0.97.0 - fix HTTP parser for Rainbows!/Zbatery
From: Eric Wong on 19 Apr 2010 17:25
Rainbows! is an HTTP server for sleepy Rack applications. It is based on
Unicorn, but designed to handle applications that expect long
request/response times and/or slow clients. For Rack applications not
heavily bound by slow external network dependencies, consider Unicorn
instead as it simpler and easier to debug.

* http://rainbows.rubyforge.org/
* rainbows-talk(a)rubyforge.org
* git://git.bogomips.org/rainbows.git

Changes:

This release fixes a denial-of-service vector for deployments
exposed directly to untrusted clients.

The HTTP parser in Unicorn <= 0.97.0 would trip an assertion
(killing the associated worker process) on invalid
Content-Length headers instead of raising an exception. Since
Rainbows! and Zbatery supports multiple clients per worker
process, all clients connected to the worker process that hit
the assertion would be aborted.

Deployments behind nginx are _not_ affected by this bug, as
nginx will reject clients that send invalid Content-Length
headers.

The status of deployments behind other HTTP-aware proxies is
unknown. Deployments behind a non-HTTP-aware proxy (or no proxy
at all) are certainly affected by this DoS.

Users are strongly encouraged to upgrade as soon as possible,
there are no other changes besides this bug fix from Rainbows!
0.91.0 nor Unicorn 0.97.0

This bug affects all previously released versions of Rainbows!
and Zbatery.

--
Eric Wong

 | 
Pages: 1
Prev: ya config file parser
Next: unicorn 0.97.0 - fix HTTP parser for Rainbows!/Zbatery