Your message dated Thu, 27 May 2021 11:18:35 +0000
with message-id <e1lme27-000hgc...@fasolo.debian.org>
and subject line Bug#989054: fixed in puma 4.3.8-1
has caused the Debian Bug report #989054,
regarding puma: CVE-2021-29509: Keepalive Connections Causing Denial Of Service in puma
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
989054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: puma
Version: 4.3.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for puma; it is caused by an
incomplete fix for CVE-2019-16770.

CVE-2021-29509[0]:
| Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The
| fix for CVE-2019-16770 was incomplete. The original fix only protected
| existing connections that had already been accepted from having their
| requests starved by greedy persistent-connections saturating all
| threads in the same process. However, new connections may still be
| starved by greedy persistent-connections saturating all threads in all
| processes in the cluster. A `puma` server which received more
| concurrent `keep-alive` connections than the server had threads in its
| threadpool would service only a subset of connections, denying service
| to the unserved connections. This problem has been fixed in `puma`
| 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue.
| This is not advised when using `puma` without a reverse proxy, such as
| `nginx` or `apache`, because you will open yourself to slow client
| attacks (e.g. slowloris). The fix is very small and a git patch is
| available for those using unsupported versions of Puma.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29509
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509
[1] https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
[2] https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
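The advisory quoted above describes two independent ways out of the exposure: running a puma release at or past the upstream fix (4.3.8 on the 4.x line, 5.3.1 on the 5.x line), or setting `queue_requests false` in the puma config, which is only sensible behind a reverse proxy. The following audit helper is an added example, not code from the bug report or from the puma project: it reads a config in the Ruby DSL puma uses (`threads`, `workers`, `queue_requests`, other directives recorded and ignored), compares the running version against the fixed releases named in the advisory, and returns a verdict. The version ranges follow the advisory (anything below 4.3.8, or from 5.0.0 up to but excluding 5.3.1, is treated as affected); the sample config and the helper names are constructed for the example.

```ruby
# Added example (not from the bug report or the puma project): audit helper for
# CVE-2021-29509 that combines the running puma version with the
# `queue_requests` setting from a config/puma.rb and reports the exposure.
require 'rubygems' # for Gem::Version; normally preloaded by Ruby

# Minimal evaluator for the subset of puma's config DSL we care about.
# Unknown directives (port, environment, preload_app!, hooks, ...) are noted
# and skipped rather than raising, so a real config still parses.
class PumaConfigScan
  attr_reader :settings, :unknown

  def initialize
    @settings = { queue_requests: true } # puma's default is true
    @unknown = []
  end

  def threads(min, max)
    @settings[:threads] = [Integer(min), Integer(max)]
  end

  def workers(n)
    @settings[:workers] = Integer(n)
  end

  def queue_requests(enabled)
    @settings[:queue_requests] = enabled ? true : false
  end

  def method_missing(name, *_args, &_block)
    @unknown << name
  end

  def respond_to_missing?(*)
    true
  end

  # Evaluate the config text against this collector object.
  def self.parse(source)
    scan = new
    scan.instance_eval(source, 'puma_config.rb')
    scan
  end
end

# True when the version predates the upstream fix on its branch:
# below 4.3.8, or in 5.0.0 <= v < 5.3.1 (ranges from the advisory).
def version_affected?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < Gem::Version.new('4.3.8')
  v >= Gem::Version.new('5.0.0') && v < Gem::Version.new('5.3.1')
end

# Combine version and config into a verdict. `queue_requests false` removes
# the exposure but, as the advisory notes, only makes sense behind a reverse
# proxy, which a config file alone cannot tell us; the caller must check that.
def assess(version_string, config_source)
  scan = PumaConfigScan.parse(config_source)
  queued = scan.settings[:queue_requests]
  status =
    if !version_affected?(version_string) then :fixed_upstream
    elsif !queued then :mitigated_by_config
    else :exposed
    end
  { status: status,
    queue_requests: queued,
    threads: scan.settings[:threads],
    workers: scan.settings[:workers],
    unknown_directives: scan.unknown }
end

# Constructed sample config in the shape of a typical config/puma.rb.
SAMPLE_CONFIG = <<~RUBY
  workers 2
  threads 5, 5
  port 9292
  environment "production"
  preload_app!
  queue_requests false
RUBY

if $PROGRAM_NAME == __FILE__
  puts assess('4.3.6', SAMPLE_CONFIG).inspect # 4.3.6-1 is the reported version
  puts assess('4.3.8', SAMPLE_CONFIG).inspect # 4.3.8-1 is the fixing upload
end
```

Run it against the version reported by `puma --version` and the deployed config file; a `:mitigated_by_config` result still warrants confirming that a reverse proxy such as nginx or apache sits in front of puma, since the advisory warns that `queue_requests false` without one exposes the server to slow-client attacks.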
--- Begin Message ---
Source: puma
Source-Version: 4.3.8-1
Done: Pirate Praveen <prav...@debian.org>

We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated puma package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 26 May 2021 10:24:19 +0530
Source: puma
Architecture: source
Version: 4.3.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Closes: 989054
Changes:
 puma (4.3.8-1) unstable; urgency=medium
 .
   * New upstream version 4.3.8 (Closes: #989054) (Fixes: CVE-2021-29509)
Checksums-Sha1:
 a0c757f3451955928f5a98f9384ab3e91ea8e102 2036 puma_4.3.8-1.dsc
 c8c3f468bb6df47280426d6e3b5ffb62233f5cf2 243000 puma_4.3.8.orig.tar.gz
 2b6dbc8d662a5cc3e4479f2514ef7b27633b59d0 9548 puma_4.3.8-1.debian.tar.xz
 e9404b225e89dc3c6d1a00046902329a0805d4c6 9477 puma_4.3.8-1_amd64.buildinfo
Checksums-Sha256:
 d9d0428d6d04001b0af326ff29025f61fc7277e66bb7b66b98e2b9b64127b50e 2036 puma_4.3.8-1.dsc
 f05b7273afd9ae633ff94a208ef58f2c82657d0042d6e33a03683fdfead70c75 243000 puma_4.3.8.orig.tar.gz
 e389c74911af98f20112c2c2afa971240314444bd4ee7feb2101c94585241484 9548 puma_4.3.8-1.debian.tar.xz
 058e37ee8980056b3ae079bdd5b46396aecfc31e50e756a53ea23043ecf650c9 9477 puma_4.3.8-1_amd64.buildinfo
Files:
 a4743657e7d56b7fe2c9c00ef3515197 2036 web optional puma_4.3.8-1.dsc
 d3a98ae10c73e14819525cbff4094ce2 243000 web optional puma_4.3.8.orig.tar.gz
 dbac34123a35e1bac01ed9c8baa3349c 9548 web optional puma_4.3.8-1.debian.tar.xz
 b9ce347c6c3bb9d06d1c71e0ef4cc1b7 9477 web optional puma_4.3.8-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---