Your message dated Sun, 08 Oct 2023 18:49:21 +0000
with message-id <e1qpyq9-0010ap...@fasolo.debian.org>
and subject line Bug#1050079: fixed in puma 5.6.7-1
has caused the Debian Bug report #1050079,
regarding puma: CVE-2023-40175: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1050079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050079
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: puma
Version: 5.6.5-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 6.0.2-1

Hi,

The following vulnerability was published for puma.

CVE-2023-40175[0]:
| Puma is a Ruby/Rack web server built for parallelism. Prior to
| versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when
| parsing chunked transfer encoding bodies and zero-length
| Content-Length headers in a way that allowed HTTP request smuggling.
| Severity of this issue is highly dependent on the nature of the web
| site using puma. This could be caused by either incorrect parsing
| of trailing fields in chunked transfer encoding bodies or by parsing
| of blank/zero-length Content-Length headers. Both issues have been
| addressed and this vulnerability has been fixed in versions 6.3.1
| and 5.6.7. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40175
    https://www.cve.org/CVERecord?id=CVE-2023-40175
[1] https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
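The advisory quoted above names two framing conditions a conformant HTTP/1.1 parser has to handle strictly: a chunked body's trailer section, and a blank or otherwise malformed Content-Length. The following Ruby is an added illustration written for this page, not puma's code and not a description of puma's internals; it shows what "strict" means for those two cases by refusing to guess at any ambiguous framing (RFC 9112 section 6.3) and by keeping bytes that follow a complete chunked body out of that body. All request strings in it are constructed for the example.

```ruby
# Strict HTTP/1.1 request framing checker (added example; not puma's code).
# Rules enforced:
#   1. Content-Length must be a non-empty run of digits, must not be
#      repeated, and must not coexist with Transfer-Encoding.
#   2. A chunked body ends with a zero-size chunk, then trailer fields,
#      then a blank line; bytes after that belong to the next request.
#   3. Trailers may not carry framing fields.
class FramingError < StandardError; end

CRLF = "\r\n".freeze
TOKEN = /\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\z/
FRAMING_FIELDS = %w[content-length transfer-encoding].freeze

# Parses one request from +raw+. Returns :method, :target, :headers
# (lower-cased names, trailers merged in), :body and :rest (bytes that
# follow this request). Raises FramingError instead of guessing.
def parse_request(raw)
  raw = raw.b # binary so char offsets and byte offsets agree
  head, sep, after = raw.partition(CRLF + CRLF)
  raise FramingError, "header block not terminated" if sep.empty?
  request_line, *field_lines = head.split(CRLF)
  method, target, version = request_line.to_s.split(" ", 3)
  raise FramingError, "bad request line" unless version == "HTTP/1.1"
  headers = parse_fields(field_lines)

  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  raise FramingError, "Transfer-Encoding and Content-Length both present" if te && cl

  if te
    raise FramingError, "unsupported Transfer-Encoding #{te}" unless te.downcase == "chunked"
    body, trailers, rest = read_chunked(after)
    headers.merge!(trailers)
  elsif cl
    raise FramingError, "malformed Content-Length #{cl.inspect}" unless cl =~ /\A[0-9]+\z/
    len = cl.to_i
    raise FramingError, "truncated body" if after.bytesize < len
    body = after.byteslice(0, len)
    rest = after.byteslice(len..-1)
  else
    body = ""
    rest = after
  end
  { method: method, target: target, headers: headers, body: body, rest: rest }
end

# "Name: value" lines to a hash; rejects malformed names and duplicated
# framing fields (a second Content-Length is an ambiguity, not a value).
def parse_fields(lines)
  lines.each_with_object({}) do |line, h|
    name, sep, value = line.partition(":")
    raise FramingError, "malformed field #{line.inspect}" if sep.empty? || name !~ TOKEN
    key = name.downcase
    raise FramingError, "duplicate #{name} field" if h.key?(key) && FRAMING_FIELDS.include?(key)
    h[key] = value.strip
  end
end

# Decodes a chunked body. Returns [body, trailers, rest].
def read_chunked(data)
  body = +""
  pos = 0
  loop do
    line_end = data.index(CRLF, pos)
    raise FramingError, "truncated chunk-size line" unless line_end
    size_hex = data[pos...line_end].split(";", 2).first.to_s.strip # drop chunk extensions
    raise FramingError, "bad chunk size #{size_hex.inspect}" unless size_hex =~ /\A[0-9A-Fa-f]+\z/
    size = size_hex.to_i(16)
    pos = line_end + 2
    break if size.zero?
    raise FramingError, "truncated chunk data" if data.bytesize < pos + size + 2
    body << data.byteslice(pos, size)
    raise FramingError, "chunk data not followed by CRLF" unless data.byteslice(pos + size, 2) == CRLF
    pos += size + 2
  end
  trailer_lines = []
  loop do # trailer section: zero or more fields, then an empty line
    line_end = data.index(CRLF, pos)
    raise FramingError, "truncated trailer section" unless line_end
    line = data[pos...line_end]
    pos = line_end + 2
    break if line.empty?
    trailer_lines << line
  end
  trailers = parse_fields(trailer_lines)
  FRAMING_FIELDS.each { |k| raise FramingError, "#{k} not allowed in trailers" if trailers.key?(k) }
  [body, trailers, data.byteslice(pos..-1)]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a chunked body with a trailer, followed by a second pipelined request.
  sample = "POST /up HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n" \
           "4\r\nWiki\r\n5\r\npedia\r\n0\r\nX-Checksum: abc\r\n\r\nGET /next HTTP/1.1\r\n\r\n"
  req = parse_request(sample)
  puts "body=#{req[:body].inspect} trailer=#{req[:headers]['x-checksum']} rest=#{req[:rest].inspect}"
  begin
    parse_request("POST / HTTP/1.1\r\nHost: x\r\nContent-Length: \r\n\r\nhello")
  rescue FramingError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of returning `:rest` separately is that a parser must decide exactly where one request ends; a blank Content-Length or a misread trailer section shifts that boundary, and a front-end proxy and back-end server that disagree on it is what makes the advisory's bug class exploitable.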
--- Begin Message ---
Source: puma
Source-Version: 5.6.7-1
Done: Abhijith PA <abhij...@debian.org>

We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1050...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Abhijith PA <abhij...@debian.org> (supplier of updated puma package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 Sep 2023 02:18:13 +0530
Source: puma
Binary: puma puma-dbgsym
Architecture: source amd64
Version: 5.6.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Abhijith PA <abhij...@debian.org>
Description:
 puma       - threaded HTTP 1.1 server for Ruby/Rack applications
Closes: 1050079
Changes:
 puma (5.6.7-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release 5.6.7
     - Fix CVE-2023-40175 (Closes: #1050079)
   * d/ruby-tests.rake: disable test_rack_version_restriction which
     uses bundler to install rack3.
   * d/puma.lintian-overrides: update existing override and add extras
   * d/control: Drop XS-Ruby-Versions, XB-Ruby-Versions fields
Checksums-Sha1:
 9d01572b57ccc45c94c2b5721649ff0e72287883 2130 puma_5.6.7-1.dsc
 54d318acca96ad400e6d05b03fbc7ee6ca72e762 316866 puma_5.6.7.orig.tar.gz
 5a38fd927fd68bcf7aa87aa84b751cb08ad1431f 9764 puma_5.6.7-1.debian.tar.xz
 62ec68c0205271a8e01af9a04624f162f797df3c 37340 puma-dbgsym_5.6.7-1_amd64.deb
 2ae8e5ac507b6a131fa10d6b712ba1a98f2da6b7 9995 puma_5.6.7-1_amd64.buildinfo
 2270b24714eab6d6b8248717a2409ae4712fddc3 156016 puma_5.6.7-1_amd64.deb
Checksums-Sha256:
 d9d03a7c328c1d4512e2452a7c8b3227f976bbcfb8514c50612316284c1e0cf3 2130 puma_5.6.7-1.dsc
 de4a1d231eb176ec5d964db4d3948b078cb3e1f4b1f905c76bc1164c0e02cb3b 316866 puma_5.6.7.orig.tar.gz
 25159d6e3914bf3a4c987d18c9861ca559d2f2c1eccc1d08141d3b73403103f0 9764 puma_5.6.7-1.debian.tar.xz
 15c48c89eea99af035610f4a4286fea6fb7db67ba4e542c018f8368f08c0c24f 37340 puma-dbgsym_5.6.7-1_amd64.deb
 7ff37b5384e9bf26eca2db82badefbc3c4af1ad69aab95ae2de6c8a78912a0f4 9995 puma_5.6.7-1_amd64.buildinfo
 5f396eb5d91e1376f863622021fe0ca8d10b887648dc596fadcebf18d7560434 156016 puma_5.6.7-1_amd64.deb
Files:
 a72841c637a6c3f192014bf56ad207ce 2130 web optional puma_5.6.7-1.dsc
 fcf949beca4e1d315db992c5f6020835 316866 web optional puma_5.6.7.orig.tar.gz
 eeb1ac598f98d3cb1988eb357bc678cb 9764 web optional puma_5.6.7-1.debian.tar.xz
 924203f2259c962119650ec6869f83bc 37340 debug optional puma-dbgsym_5.6.7-1_amd64.deb
 43e814c9a3479c4e4cc71775369fd236 9995 web optional puma_5.6.7-1_amd64.buildinfo
 d53d1822919a9336fe0c9cf8d98832d2 156016 web optional puma_5.6.7-1_amd64.deb


--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers