Your message dated Sat, 01 Feb 2025 22:02:26 +0000
with message-id <[email protected]>
and subject line Bug#1050079: fixed in puma 5.6.5-3+deb12u1
has caused the Debian Bug report #1050079,
regarding puma: CVE-2023-40175: Inconsistent Interpretation of HTTP Requests
('HTTP Request/Response Smuggling')
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1050079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050079
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: puma
Version: 5.6.5-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 6.0.2-1
Hi,
The following vulnerability was published for puma.
CVE-2023-40175[0]:
| Puma is a Ruby/Rack web server built for parallelism. Prior to
| versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when
| parsing chunked transfer encoding bodies and zero-length Content-
| Length headers in a way that allowed HTTP request smuggling.
| Severity of this issue is highly dependent on the nature of the web
| site using puma. This could be caused by either incorrect parsing
| of trailing fields in chunked transfer encoding bodies or by parsing
| of blank/zero-length Content-Length headers. Both issues have been
| addressed and this vulnerability has been fixed in versions 6.3.1
| and 5.6.7. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-40175
https://www.cve.org/CVERecord?id=CVE-2023-40175
[1] https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: puma
Source-Version: 5.6.5-3+deb12u1
Done: Abhijith PA <[email protected]>
We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Abhijith PA <[email protected]> (supplier of updated puma package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 29 Jan 2025 07:26:33 +0530
Source: puma
Architecture: source
Version: 5.6.5-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Abhijith PA <[email protected]>
Closes: 1050079 1060345 1082379
Changes:
puma (5.6.5-3+deb12u1) bookworm; urgency=medium
.
* Team upload
* d/patches/
+ CVE-2023-40175.patch: Fix CVE-2023-40175, incorrect behavior when
parsing chunked transfer encoding bodies and zero-length
Content-Length headers in a way that allowed HTTP request
smuggling. (Closes: #1050079)
.
+ CVE-2024-21647.patch: Fix CVE-2024-21647 by limiting the size of
chunk extensions. (Closes: #1060345)
.
+ CVE-2024-45614.patch: Fix CVE-2024-45614, clients could clobber
values set by intermediate proxies (such as X-Forwarded-For) by
providing an underscore version of the same header.
(Closes: #1082379)
--- End Message ---
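The two conditions the advisory above describes (blank or zero-length Content-Length values and loosely parsed trailer fields in chunked bodies), together with the chunk-extension bound from the CVE-2024-21647 changelog entry, written out as strict request-framing checks in Ruby. This is an added example, not Puma's code or the Debian patches; the `StrictFraming` module, `FramingError`, the `max_ext` parameter and the lowercased-header convention are assumptions.

```ruby
require 'strscan'
# Added example, not Puma's code: strict body framing that rejects the
# conditions named in the advisory (blank Content-Length, loosely parsed
# chunked trailers) and bounds chunk extensions. Names are assumptions.
module StrictFraming
  class FramingError < StandardError; end

  # headers: Hash keyed by lowercased name. Returns :chunked, :length or :none.
  def self.framing(headers)
    cl, te = headers['content-length'], headers['transfer-encoding']
    raise FramingError, 'Content-Length and Transfer-Encoding both present' if cl && te
    if te
      raise FramingError, 'unsupported Transfer-Encoding' unless te.strip.casecmp?('chunked')
      return :chunked
    end
    return :none unless cl
    # A blank or non-numeric value is an error, never silently treated as 0.
    raise FramingError, 'invalid Content-Length' unless cl.match?(/\A\d+\z/)
    :length
  end
  # Decode one chunked body. Returns [body, trailers, bytes_consumed] so the
  # caller knows exactly where this request ends and the next one begins.
  def self.decode_chunked(data, max_ext: 16)
    s = StringScanner.new(data)
    body = +''
    loop do
      size_hex = s.scan(/[0-9a-fA-F]+/) or raise FramingError, 'bad chunk size'
      ext = s.scan(/;[^\r\n]*/) || ''
      raise FramingError, 'chunk extension too long' if ext.bytesize > max_ext
      s.skip(/\r\n/) or raise FramingError, 'missing CRLF after chunk size'
      size = size_hex.to_i(16)
      break if size.zero?
      chunk = s.peek(size)
      raise FramingError, 'truncated chunk' if chunk.bytesize < size
      s.pos += size
      body << chunk
      s.skip(/\r\n/) or raise FramingError, 'missing CRLF after chunk data'
    end
    trailers = {}
    until s.skip(/\r\n/) # an empty line ends the trailer section
      line = s.scan(/[^\r\n]*\r\n/) or raise FramingError, 'unterminated trailer section'
      name, value = line.chomp.split(':', 2)
      valid = value && name.match?(/\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\z/)
      raise FramingError, 'malformed trailer field' unless valid
      trailers[name.downcase] = value.strip
    end
    [body, trailers, s.pos]
  end
end
```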