Your message dated Sat, 27 Aug 2022 21:12:06 +0200
with message-id <YwpshrxN/eoi5...@eldamar.lan>
and subject line Accepted puma 5.6.4-1 (source) into unstable
has caused the Debian Bug report #1008723,
regarding puma: CVE-2022-24790 - Inconsistent Interpretation of HTTP Requests
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1008723: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008723
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: puma
Version: 5.5.2-2
Severity: important
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for puma.

CVE-2022-24790[0]:
| Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for
| Ruby/Rack applications. When using Puma behind a proxy that does not
| properly validate that the incoming HTTP request matches the RFC7230
| standard, Puma and the frontend proxy may disagree on where a request
| starts and ends. This would allow requests to be smuggled via the
| front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and
| 4.3.12. Users are advised to upgrade as soon as possible. Workaround:
| when deploying a proxy in front of Puma, turning on any and all
| functionality to make sure that the request matches the RFC7230
| standard.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24790
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-5-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
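The CVE text in the report above describes the failure mode in general terms: a front-end proxy and Puma disagreeing on where one request ends and the next begins, with "make sure the request matches RFC 7230" as the workaround. The following Ruby check is an added illustration for this page; it is not Puma's parser, not the upstream fix for CVE-2022-24790, and not part of the bug report. It takes a raw HTTP/1.1 request head (assumed to be a String with CRLF line endings) and returns the reasons RFC 7230 sections 3.2.4 and 3.3.3 give for rejecting it with 400 instead of guessing at the body length. `framing_issues` and the sample requests are names and data constructed for this example.

```ruby
# Added example (not Puma's code and not the upstream fix): a strict check of
# HTTP/1.1 request framing under RFC 7230. Input is the raw request as a String
# with CRLF line endings; output is a list of reasons the request should be
# rejected with 400, or an empty list when the framing is unambiguous.

# Request-line shape: token SP request-target SP HTTP-version (RFC 7230 3.1.1).
REQUEST_LINE = /\A[A-Za-z0-9!$%&'*+\-.^_`|~#]+ \S+ HTTP\/1\.[01]\z/

def framing_issues(raw_request)
  head, _body = raw_request.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  issues = []

  request_line = lines.shift || ""
  issues << "malformed request line: #{request_line.inspect}" unless request_line.match?(REQUEST_LINE)

  # Collect header values by lower-cased name; header names are case-insensitive.
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    if line.start_with?(" ", "\t")
      # obs-fold: a server MUST reject it or unfold it (RFC 7230 3.2.4); we reject.
      issues << "obsolete line folding: #{line.inspect}"
      next
    end
    name, value = line.split(":", 2)
    if value.nil?
      issues << "header line without a colon: #{line.inspect}"
      next
    end
    # Whitespace between field-name and colon MUST be rejected (RFC 7230 3.2.4).
    issues << "whitespace between field-name and colon: #{name.inspect}" if name != name.rstrip
    headers[name.strip.downcase] << value.strip
  end

  # Split comma-separated lists so "Content-Length: 5, 5" is seen as two values.
  content_lengths = headers["content-length"].flat_map { |v| v.split(",").map(&:strip) }
  codings = headers["transfer-encoding"].flat_map { |v| v.split(",").map { |c| c.strip.downcase } }

  # RFC 7230 3.3.3: both headers present is the classic point where a proxy and
  # the origin server can disagree on the body length; reject rather than pick one.
  issues << "both Content-Length and Transfer-Encoding present" if !content_lengths.empty? && !codings.empty?

  # Content-Length must be a single consistent non-negative integer.
  invalid = content_lengths.reject { |v| v.match?(/\A\d+\z/) }
  issues << "invalid Content-Length value(s): #{invalid.inspect}" unless invalid.empty?
  issues << "conflicting Content-Length values: #{content_lengths.inspect}" if content_lengths.uniq.length > 1

  # With Transfer-Encoding on a request, chunked must be the final coding (RFC 7230 3.3.3).
  if !codings.empty? && codings.last != "chunked"
    issues << "Transfer-Encoding without chunked as the final coding: #{codings.inspect}"
  end

  issues
end

# Constructed sample requests for the check above (not captured traffic).
CLEAN_REQUEST = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS_REQUEST = "POST /upload HTTP/1.1\r\nHost: app.example\r\n" \
                    "Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
DOUBLE_CL_REQUEST = "POST /upload HTTP/1.1\r\nHost: app.example\r\n" \
                    "Content-Length: 5\r\nContent-Length: 12\r\n\r\n"
FOLDED_REQUEST = "GET / HTTP/1.1\r\nHost: app.example\r\nX-Note: first\r\n second\r\nBad-Name : x\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  { clean: CLEAN_REQUEST, ambiguous: AMBIGUOUS_REQUEST,
    double_cl: DOUBLE_CL_REQUEST, folded: FOLDED_REQUEST }.each do |label, req|
    puts "#{label}: #{framing_issues(req).inspect}"
  end
end
```

The design choice worth noting is that every ambiguous case is rejected outright rather than resolved by a precedence rule: RFC 7230 does say Transfer-Encoding overrides Content-Length when both appear, but a proxy and an origin server that each apply their own tie-break are exactly what the CVE text describes, so a strict front end refuses such requests before Puma ever sees them.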
--- Begin Message ---
Source: puma
Source-Version: 5.6.4-1

This fixed #1008723 / CVE-2022-24790 as well, but the bug was not closed with
the upload; doing so manually.

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 Apr 2022 13:24:10 +0530
Source: puma
Architecture: source
Version: 5.6.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Changes:
 puma (5.6.4-1) unstable; urgency=medium
 .
   * New upstream version 5.6.4
   * Refresh patches
   * Disable some tests that fail with
      NameError: uninitialized constant Puma::LogWriter
   * Remove tmp/restart.txt in clean
Checksums-Sha1:
 da92d33be62b3f2fb431fd6a91b8e842a350181d 2087 puma_5.6.4-1.dsc
 69620c46a66e7d9fbda7d31b22b9515380c8bf3e 310770 puma_5.6.4.orig.tar.gz
 c99f61ed808879e3b6d22b5dc7fc0da48e3d048b 9004 puma_5.6.4-1.debian.tar.xz
 b8fab4de65d793e09d23b69df977faba565491e2 9502 puma_5.6.4-1_amd64.buildinfo
Checksums-Sha256:
 9fd76786b4d3c60b3a5a883e3163a664080fe90973cba1a4d15d7ddd6142ab3d 2087 puma_5.6.4-1.dsc
 36cfb8052b89cb3630a6286a75879d27f5536658e939cf3dab17b7378a2a6b6c 310770 puma_5.6.4.orig.tar.gz
 a61a94c5fbc174404ba97e988cbe1b03f4fc9976254be24d81770f3322d6947a 9004 puma_5.6.4-1.debian.tar.xz
 346f6e3ae9f661bbc0f711a3e9dbdcfd45be9fd1e62608e4b8722fae837c26d4 9502 puma_5.6.4-1_amd64.buildinfo
Files:
 9ded77de4080c18f5892e62ad706cbfe 2087 web optional puma_5.6.4-1.dsc
 f8b804bc142f0f235ace6327bff38e3c 310770 web optional puma_5.6.4.orig.tar.gz
 c17790206916f09d7a76fc4ffd3d23df 9004 web optional puma_5.6.4-1.debian.tar.xz
 482040190200fa0503184860e2292467 9502 web optional puma_5.6.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
=JpmY
-----END PGP SIGNATURE-----


----- End forwarded message -----

--- End Message ---
