Your message dated Thu, 06 Feb 2020 12:20:25 +0000
with message-id <[email protected]>
and subject line Bug#946312: fixed in puma 3.12.0-4
has caused the Debian Bug report #946312,
regarding puma: CVE-2019-16770
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
946312: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946312
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: puma
Version: 3.12.0-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for puma.

CVE-2019-16770[0]:
| In Puma before version 4.3.2, a poorly-behaved client could use
| keepalive requests to monopolize Puma's reactor and create a denial of
| service attack. If more keepalive connections to Puma are opened than
| there are threads available, additional connections will wait
| permanently if the attacker sends requests frequently enough.


If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16770
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770
[1] https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
[2] https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: puma
Source-Version: 3.12.0-4

We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated puma package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Feb 2020 12:54:59 +0100
Source: puma
Architecture: source
Version: 3.12.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 946312
Changes:
 puma (3.12.0-4) unstable; urgency=medium
 .
   * Team upload.
   * d/control (Rules-Requires-Root): Set to binary-targets.
   * d/patches/0011-disable-minitest-extensions.patch: Add patch.
     - Disable unavailable minitest retry extension.
   * d/patches/CVE-2019-16770.patch: Add patch.
     - Backport fix for CVE-2019-16770 from upstream (closes: #946312).
   * d/patches/series: Add patch.
Checksums-Sha1:
 2ba9e610154e50640e8ca8b65b57b625d76750e4 1960 puma_3.12.0-4.dsc
 4bf2555eee5dfdf12d606d218970551cd20b9a8e 11696 puma_3.12.0-4.debian.tar.xz
 3396c468d29c5769d74861336b7a1acc042c30ad 8916 puma_3.12.0-4_amd64.buildinfo
Checksums-Sha256:
 3ce9dbc7f8ee18fcafbe5a42b14d4aa2df5e45e9c2aff6b5db078ffdfb063fef 1960 puma_3.12.0-4.dsc
 0969e25d00f1942913ac93813444542a308d11599fd065351f19d3e665876406 11696 puma_3.12.0-4.debian.tar.xz
 35ee8ee7c37e1134860aa07ddd32c3a1a1a8e6afdfcfe447df3f20e2b809c2c8 8916 puma_3.12.0-4_amd64.buildinfo
Files:
 ae43a905e091694a0f7404f60cbde814 1960 ruby optional puma_3.12.0-4.dsc
 e85092fa61d010b7dcf4d8d155d7fc2c 11696 ruby optional puma_3.12.0-4.debian.tar.xz
 e084fde7c48f7b81904d2577911a094b 8916 ruby optional puma_3.12.0-4_amd64.buildinfo


--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
