Your message dated Thu, 06 Feb 2020 11:35:48 +0000
with message-id <[email protected]>
and subject line Bug#946312: fixed in puma 4.3.1-1
has caused the Debian Bug report #946312,
regarding puma: CVE-2019-16770
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
946312: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946312
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: puma
Version: 3.12.0-2
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for puma.
CVE-2019-16770[0]:
| In Puma before version 4.3.2, a poorly-behaved client could use
| keepalive requests to monopolize Puma's reactor and create a denial of
| service attack. If more keepalive connections to Puma are opened than
| there are threads available, additional connections will wait
| permanently if the attacker sends requests frequently enough.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16770
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770
[1] https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
[2] https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
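The advisory quoted above describes a scheduling problem rather than a memory bug: a thread that keeps serving one keepalive socket never returns to the pool, so once every thread is pinned by a chatty client, later connections sit in the reactor indefinitely. The following script is an added example, not Puma's code and not the upstream fix, that models that behaviour as a discrete-time simulation: each tick, every thread serves one request from the connection it holds. The "vulnerable" policy keeps the thread parked on a keepalive socket that still has requests; the "fair" policy is an assumption introduced here for contrast (hand the connection back to the accept queue after each request) and is not a claim about what commit 06053e6 does. Attacker and victim connections are constructed inputs.

```ruby
# Added example (not Puma's code): a discrete-time model of the keepalive
# starvation described in CVE-2019-16770. Each tick, every thread serves one
# request from the connection it holds. In the vulnerable policy a thread that
# has just served a keepalive request waits inline for the next one, so a
# client that keeps sending never releases the thread. In the assumed "fair"
# policy (an illustration, not the upstream patch) the thread hands the
# connection back to the accept queue after each request, so newly accepted
# connections get a turn.

Client = Struct.new(:name, :keepalive, :remaining)

# n attacker connections that keep sending requests forever (constructed input).
def attackers(n)
  (1..n).map { |i| Client.new("attacker#{i}", true, Float::INFINITY) }
end

# Returns the tick (1-based) at which `victim` is first served, or nil if it is
# still waiting after max_ticks.
def simulate(threads:, clients:, victim:, fair:, max_ticks: 200)
  queue = clients.map(&:dup) + [victim.dup]  # accept order: attackers first, then the victim
  busy = []                                  # connections currently holding a thread
  max_ticks.times do |tick|
    # Idle threads pick up waiting connections in accept order.
    busy << queue.shift while busy.size < threads && !queue.empty?

    served_victim = false
    keep = []
    busy.each do |c|
      c.remaining -= 1                        # one request handled this tick
      served_victim = true if c.name == victim.name
      # Exhausted or non-keepalive connection: socket closes, thread is freed.
      next unless c.keepalive && c.remaining > 0
      if fair
        queue << c                            # assumed fair policy: back of the queue
      else
        keep << c                             # vulnerable: thread stays parked on this socket
      end
    end
    busy = keep
    return tick + 1 if served_victim
  end
  nil
end

if __FILE__ == $0
  victim = Client.new("victim", false, 1)
  puts "4 threads, 4 keepalive attackers, vulnerable: #{simulate(threads: 4, clients: attackers(4), victim: victim, fair: false).inspect}"
  puts "4 threads, 3 keepalive attackers, vulnerable: #{simulate(threads: 4, clients: attackers(3), victim: victim, fair: false).inspect}"
  puts "4 threads, 4 keepalive attackers, fair:       #{simulate(threads: 4, clients: attackers(4), victim: victim, fair: true).inspect}"
end
```

The model reproduces the advisory's condition exactly: with three attackers on four threads the victim is served on the first tick, with four it is never served (nil), and only a policy that releases the thread between requests lets it through. The same reasoning applies when deciding how many worker threads a deployment needs relative to the number of keepalive connections an untrusted network can open, which is why a version bump rather than a thread-count increase is the right fix.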
--- Begin Message ---
Source: puma
Source-Version: 4.3.1-1
We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated puma package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 06 Feb 2020 11:45:11 +0100
Source: puma
Architecture: source
Version: 4.3.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 946312
Changes:
puma (4.3.1-1) experimental; urgency=medium
.
* Team upload.
* New upstream release
- Fixes CVE-2019-16770 Keepalive thread overload/DoS (closes: #946312).
* d/control (Rules-Requires-Root): Set to binary-targets.
(Build-Depends, Depends): Add ruby-nio4r.
(Build-Depends): Add curl for test/test_integration_single.rb.
* d/ruby-tests.rake: Disable test/test_puma_server_ssl.rb.
* d/README.source: Add to explain tests which have been disabled.
* d/patches/0004-puma.gemspec-drop-git-usage.patch: Refresh patch.
* d/patches/0011-disable-minitest-extensions.patch: Add patch.
- Disable unavailable minitest extensions (retry and proveit).
* d/patches/0012-disable-cli-ssl-tests.patch: Add patch.
- Disable CLI SSL tests.
* d/patches/0013-fix-test-term-not-accepts-new-connections.patch: Add.
- Fix test_term_not_accepts_new_connections to be locale independent.
* d/patches/0002-test_integration-disable-test-that-fails-randomly.patch,
d/patches/0003-test_cli-disable-test-that-rails-randomly.patch,
d/patches/0005-test_puma_server-disable-test-that-fails-randomly.patch,
d/patches/0006-test-helper.rb-drop-bundler-usage.patch,
d/patches/0007-test-test_cli.rb-disable-test-that-fails-randomly.patch,
d/patches/0008-fix-ssl-tests.patch,
d/patches/0009-disable-tests-failing-in-single-cpu.patch,
d/patches/0010-fix-cluster-exit-for-ruby27.patch: Remove obsolete patches.
* d/patches/series: Adjust.
Checksums-Sha1:
4855f38aca12e48d21b6f4302ca1990a95b54941 1982 puma_4.3.1-1.dsc
fc6535d09a491a807e3f888deef926696f7f2f99 239800 puma_4.3.1.orig.tar.gz
70f31ccd7b356c33456007d529fcbf3137df1986 7364 puma_4.3.1-1.debian.tar.xz
b01b902d94efec49402f0b5117194240060d9592 9284 puma_4.3.1-1_amd64.buildinfo
Checksums-Sha256:
7da23b09e635137b136518cda3efbb766c514cc6b89c97b75fd1635002de7c55 1982 puma_4.3.1-1.dsc
d36b69f5d0fd15fe31130529cb9a56f3e2539a49765cd1de96ca6e8ca9a0ce44 239800 puma_4.3.1.orig.tar.gz
7fad245e4c066ab91ba4eef9a0eebae7d89aec3993dd47c3edfda5ebdef1533b 7364 puma_4.3.1-1.debian.tar.xz
b8e859f92c6f0f4a085a0707a9e021b4839b562cb813b093ae87d66576aee3e7 9284 puma_4.3.1-1_amd64.buildinfo
Files:
5434d437889b3e41edfdcfb3573d9842 1982 ruby optional puma_4.3.1-1.dsc
b9df2a138a5c6c7be40e0caef0e178b5 239800 ruby optional puma_4.3.1.orig.tar.gz
56ff14895a7aaa4a1cbdaeca088f9492 7364 ruby optional puma_4.3.1-1.debian.tar.xz
0afb1984b503d4bfcca74561615b12ce 9284 ruby optional puma_4.3.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=arw1
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers