Source: puma
Source-Version: 6.4.2-1

On Tue, Jan 09, 2024 at 10:15:07PM +0100, Salvatore Bonaccorso wrote:
> Source: puma
> Version: 5.6.7-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for puma.
>
> CVE-2024-21647[0]:
> | Puma is a web server for Ruby/Rack applications built for
> | parallelism. Prior to version 6.4.2, puma exhibited incorrect
> | behavior when parsing chunked transfer encoding bodies in a way that
> | allowed HTTP request smuggling. Fixed versions limits the size of
> | chunk extensions. Without this limit, an attacker could cause
> | unbounded resource (CPU, network bandwidth) consumption. This
> | vulnerability has been fixed in versions 6.4.2 and 5.6.8.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-21647
>     https://www.cve.org/CVERecord?id=CVE-2024-21647
> [1] https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
> [2] https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
>
> Please adjust the affected versions in the BTS as needed.
This was fixed with the 6.4.2 upload,
https://tracker.debian.org/news/1500879/accepted-puma-642-1-source-into-unstable/
but not closed. Doing so manually.

Regards,
Salvatore
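The chunk-extension limit the quoted advisory describes, as an added Ruby example that is not puma's code: a minimal HTTP/1.1 chunked-transfer-encoding decoder that caps the bytes allowed in a chunk extension and rejects the body otherwise, so a stream of chunk-size lines padded with long extensions cannot make the server read and discard unbounded input. The 256-byte limit, the method names and the constructed inputs are assumptions, not values taken from the puma fix.

```ruby
# Added example, not puma's implementation. Decodes a chunked body while
# bounding chunk-extension length, the class of limit CVE-2024-21647's fix adds.
require 'stringio'

class ChunkedBodyError < StandardError; end

# Maximum bytes accepted for the extension part (";name=value...") of a
# chunk-size line. Assumed value chosen for illustration.
MAX_CHUNK_EXT_BYTES = 256

# Returns the decoded payload as a String.
# Raises ChunkedBodyError on malformed input or an oversized extension.
def decode_chunked(raw, max_ext_bytes: MAX_CHUNK_EXT_BYTES)
  io = StringIO.new(raw)
  body = +''
  loop do
    line = io.gets("\r\n")
    raise ChunkedBodyError, 'truncated chunk-size line' unless line&.end_with?("\r\n")
    size_hex, ext = line.chomp("\r\n").split(';', 2)
    # Without this bound every chunk-size line may carry an arbitrarily long
    # extension that the parser must consume for no payload at all, which is
    # the unbounded CPU/bandwidth consumption the advisory describes.
    if ext && ext.bytesize > max_ext_bytes
      raise ChunkedBodyError, "chunk extension too long (#{ext.bytesize} bytes)"
    end
    size_hex = size_hex.to_s.strip
    raise ChunkedBodyError, 'bad chunk size' unless size_hex =~ /\A[0-9a-fA-F]+\z/
    size = size_hex.to_i(16)
    if size.zero?
      # last-chunk: skip optional trailer lines up to the terminating CRLF
      while (t = io.gets("\r\n")) && t != "\r\n"; end
      return body
    end
    data = io.read(size)
    raise ChunkedBodyError, 'truncated chunk data' if data.nil? || data.bytesize != size
    body << data
    raise ChunkedBodyError, 'missing CRLF after chunk' unless io.read(2) == "\r\n"
  end
end

# True when the decoder refuses the input specifically because of the
# extension limit (useful for a unit test or a detection counter).
def rejected_for_extension?(raw)
  decode_chunked(raw)
  false
rescue ChunkedBodyError => e
  e.message.start_with?('chunk extension too long')
end
```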