Your message dated Thu, 05 Mar 2020 18:47:32 +0000
with message-id <[email protected]>
and subject line Bug#946312: fixed in puma 3.12.0-2+deb10u1
has caused the Debian Bug report #946312,
regarding puma: CVE-2019-16770
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
946312: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946312
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: puma
Version: 3.12.0-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for puma.

CVE-2019-16770[0]:
| In Puma before version 4.3.2, a poorly-behaved client could use
| keepalive requests to monopolize Puma's reactor and create a denial of
| service attack. If more keepalive connections to Puma are opened than
| there are threads available, additional connections will wait
| permanently if the attacker sends requests frequently enough.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16770
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770
[1] https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
[2] https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
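The CVE text above describes a scheduling problem: a thread that keeps serving one keepalive connection inline never returns to the pool, so once more keepalive clients than threads are active, the extra clients starve. The toy model below is an added illustration, not Puma's code or its actual fix; it models a fixed-size worker pool and shows how bounding the number of requests served inline before the connection is handed back to the shared queue lets every connection make progress.

```ruby
# Toy model of a fixed-size worker pool serving keepalive connections.
# Added illustration only; names (Client, simulate, max_inline) are invented
# here and do not correspond to Puma's internals. Each client always has
# another request ready, which stands in for "the attacker sends requests
# frequently enough".
class Client
  attr_reader :name, :served

  def initialize(name, requests)
    @name = name
    @pending = requests   # requests this keepalive connection will send
    @served = 0
  end

  def pending?; @pending > @served; end
  def serve;    @served += 1;        end
end

# Run the pool for `ticks` units of work; each tick every busy worker serves
# one request on its current client. max_inline: nil means a worker keeps
# serving the same connection as long as requests arrive (the starvation
# described in the CVE); an Integer requeues the connection after that many
# inline requests so a waiting client gets the thread.
def simulate(clients, threads:, ticks:, max_inline: nil)
  queue   = clients.dup                 # connections waiting for a thread
  workers = Array.new(threads)          # per worker: [client, inline_count] or nil
  ticks.times do
    workers.each_with_index do |w, i|
      if w.nil? || !w[0].pending?
        c = queue.shift
        next if c.nil?
        w = workers[i] = [c, 0]
      end
      client, inline = w
      client.serve
      w[1] = inline + 1
      if max_inline && w[1] >= max_inline && client.pending?
        queue.push(client)              # give the thread up; rejoin the line
        workers[i] = nil
      end
    end
  end
  clients.map { |c| [c.name, c.served] }.to_h
end

# Constructed scenario: three keepalive clients, each with plenty of
# requests, against a pool of only two threads.
def sample_clients
  %w[A B C].map { |n| Client.new(n, 100) }
end

puts "unbounded inline: #{simulate(sample_clients, threads: 2, ticks: 20)}"
puts "max_inline 5:     #{simulate(sample_clients, threads: 2, ticks: 20, max_inline: 5)}"
```

With unbounded inline service client C is never served; with `max_inline: 5` all three clients progress while the pool still does the same total amount of work.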
--- Begin Message ---
Source: puma
Source-Version: 3.12.0-2+deb10u1
Done: Daniel Leidert <[email protected]>

We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated puma package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Mar 2020 00:15:43 +0100
Source: puma
Architecture: source
Version: 3.12.0-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 946312
Changes:
 puma (3.12.0-2+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * d/control (Vcs-Git): Add branch.
   * d/patches/CVE-2019-16770.patch: Add patch.
     - Backport fix for CVE-2019-16770 from upstream (closes: #946312).
   * d/patches/series: Add patch.


--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers