Your message dated Mon, 5 Feb 2024 21:19:06 +0100
with message-id <[email protected]>
and subject line Re: Bug#1060345: puma: CVE-2024-21647: Invalid parsing of
chunked encoding in HTTP/1.1 allows DoS attacks
has caused the Debian Bug report #1060345,
regarding puma: CVE-2024-21647: Invalid parsing of chunked encoding in HTTP/1.1
allows DoS attacks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1060345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060345
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: puma
Version: 5.6.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for puma.
CVE-2024-21647[0]:
| Puma is a web server for Ruby/Rack applications built for
| parallelism. Prior to version 6.4.2, puma exhibited incorrect
| behavior when parsing chunked transfer encoding bodies in a way that
| allowed HTTP request smuggling. Fixed versions limit the size of
| chunk extensions. Without this limit, an attacker could cause
| unbounded resource (CPU, network bandwidth) consumption. This
| vulnerability has been fixed in versions 6.4.2 and 5.6.8.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-21647
https://www.cve.org/CVERecord?id=CVE-2024-21647
[1] https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
[2] https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
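As an added illustration of the mitigation the advisory describes (bounding the length of chunk extensions so a client cannot force unbounded parsing work), here is a small chunked-body decoder in Ruby. This is example code written for this page, not puma's implementation or the upstream fix; the constant names MAX_CHUNK_EXT_SIZE and MAX_BODY_SIZE and their values are assumptions, not puma's, and the sample inputs are constructed.

```ruby
require 'stringio'

# Assumed limits for this example; puma's own constants and values are not reproduced here.
MAX_CHUNK_EXT_SIZE = 64        # bytes of chunk extension accepted per chunk-size line
MAX_BODY_SIZE      = 1_048_576 # bytes of decoded body accepted in total

class ChunkedError < StandardError; end

# Decode an HTTP/1.1 chunked transfer-coding body (RFC 9112 section 7.1).
# Accepts a String or an IO-like object; returns the decoded body as a String.
# Raises ChunkedError on malformed input or when a limit is exceeded.
def decode_chunked(input, max_ext: MAX_CHUNK_EXT_SIZE, max_body: MAX_BODY_SIZE)
  io   = input.is_a?(String) ? StringIO.new(input) : input
  body = +""

  loop do
    line = io.gets("\r\n")
    raise ChunkedError, "unexpected end of stream before last-chunk" if line.nil?

    size_hex, ext = line.chomp("\r\n").split(";", 2)

    # Bound the extension before doing anything else with it: without a limit a
    # client can send an arbitrarily long extension that is read and scanned but
    # never counted against any body limit, burning CPU and bandwidth.
    if ext && ext.bytesize > max_ext
      raise ChunkedError, "chunk extension too long (#{ext.bytesize} > #{max_ext} bytes)"
    end

    size_hex = size_hex.to_s.strip
    unless size_hex.match?(/\A[0-9a-fA-F]{1,8}\z/)
      raise ChunkedError, "invalid chunk size #{size_hex.inspect}"
    end
    size = size_hex.to_i(16)

    if size.zero?
      # last-chunk: consume optional trailer fields up to the empty line.
      loop do
        trailer = io.gets("\r\n")
        raise ChunkedError, "unexpected end of stream in trailers" if trailer.nil?
        break if trailer == "\r\n"
      end
      return body
    end

    raise ChunkedError, "decoded body exceeds #{max_body} bytes" if body.bytesize + size > max_body

    data = io.read(size)
    raise ChunkedError, "truncated chunk data" if data.nil? || data.bytesize != size
    raise ChunkedError, "missing CRLF after chunk data" unless io.read(2) == "\r\n"
    body << data
  end
end

# Wrapper returning [:ok, body] or [:rejected, message] so callers can check
# the outcome without rescuing exceptions themselves.
def decode_chunked_result(input, **limits)
  [:ok, decode_chunked(input, **limits)]
rescue ChunkedError => e
  [:rejected, e.message]
end

if __FILE__ == $0
  # Constructed sample inputs, not captured traffic.
  well_formed = "5;ext=1\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
  oversized   = "5;" + ("x" * 4096) + "\r\nhello\r\n0\r\n\r\n"
  p decode_chunked_result(well_formed)
  p decode_chunked_result(oversized)
end
```

The important ordering is that the extension length is checked before the chunk size is validated or any chunk data is read, so a client cannot keep the server busy on a line that will never contribute to the decoded body; the body-size and chunk-size bounds are separate limits that an extension limit alone does not provide.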
--- Begin Message ---
Source: puma
Source-Version: 6.4.2-1
On Tue, Jan 09, 2024 at 10:15:07PM +0100, Salvatore Bonaccorso wrote:
> Source: puma
> Version: 5.6.7-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerability was published for puma.
>
> CVE-2024-21647[0]:
> | Puma is a web server for Ruby/Rack applications built for
> | parallelism. Prior to version 6.4.2, puma exhibited incorrect
> | behavior when parsing chunked transfer encoding bodies in a way that
> | allowed HTTP request smuggling. Fixed versions limit the size of
> | chunk extensions. Without this limit, an attacker could cause
> | unbounded resource (CPU, network bandwidth) consumption. This
> | vulnerability has been fixed in versions 6.4.2 and 5.6.8.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-21647
> https://www.cve.org/CVERecord?id=CVE-2024-21647
> [1] https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
> [2] https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
>
> Please adjust the affected versions in the BTS as needed.
This was fixed with the 6.4.2 upload,
https://tracker.debian.org/news/1500879/accepted-puma-642-1-source-into-unstable/
but not closed. Doing so manually.
Regards,
Salvatore
--- End Message ---