Source: puma
Version: 5.6.5-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 6.0.2-1
Hi,

The following vulnerability was published for puma.

CVE-2023-40175[0]:
| Puma is a Ruby/Rack web server built for parallelism. Prior to
| versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when
| parsing chunked transfer encoding bodies and zero-length
| Content-Length headers in a way that allowed HTTP request smuggling.
| Severity of this issue is highly dependent on the nature of the web
| site using puma. This could be caused by either incorrect parsing
| of trailing fields in chunked transfer encoding bodies or by parsing
| of blank/zero-length Content-Length headers. Both issues have been
| addressed and this vulnerability has been fixed in versions 6.3.1
| and 5.6.7. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40175
    https://www.cve.org/CVERecord?id=CVE-2023-40175
[1] https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
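The two framing ambiguities the advisory names, a blank or zero-length Content-Length value and badly formed trailer fields after a chunked body, are exactly what a strict HTTP/1.1 parser must reject rather than guess at. The Ruby below is an added example, not puma's code: it frames one request under the RFC 9112 rules for Transfer-Encoding, Content-Length and the chunked trailer section, and returns any leftover bytes so a test can show where a lenient parser would have desynchronized. The function names and the FramingError class are this example's own.

```ruby
require 'strscan'
class FramingError < StandardError; end

# Header lines -> hash; a blank Content-Length is rejected, not treated as 0.
def parse_headers(lines)
  lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    raise FramingError, "malformed header: #{line.inspect}" if value.nil?
    name, value = name.strip.downcase, value.strip
    raise FramingError, "invalid Content-Length: #{value.inspect}" if name == 'content-length' && value !~ /\A\d+\z/
    h[name] = value
  end
end

# Chunked body plus trailer section (RFC 9112 section 7.1), parsed strictly.
def read_chunked(ss)
  body = +''
  loop do
    line = ss.scan_until(/\r\n/) or raise FramingError, 'missing chunk-size line'
    hex = line.chomp.split(';', 2).first.to_s # drop any chunk extension
    raise FramingError, "bad chunk size: #{hex.inspect}" unless hex =~ /\A[0-9a-fA-F]+\z/
    break if (size = hex.to_i(16)).zero?
    raise FramingError, 'short chunk' if ss.rest_size < size
    body << ss.peek(size)
    ss.pos += size
    raise FramingError, 'chunk not CRLF-terminated' unless ss.scan(/\r\n/)
  end
  loop do # each trailer field must be "token: value"; an empty line ends them
    line = ss.scan_until(/\r\n/) or raise FramingError, 'unterminated trailer section'
    break if line == "\r\n"
    raise FramingError, "malformed trailer: #{line.chomp.inspect}" unless line =~ /\A[\w!#%&'*+\-.^_`|~$]+:/
  end
  body
end

# One request off a byte string -> [request_line, headers, body, leftover bytes].
def frame_request(raw)
  head, rest = raw.split("\r\n\r\n", 2)
  raise FramingError, 'missing end of header section' if rest.nil?
  request_line, *header_lines = head.split("\r\n")
  headers = parse_headers(header_lines)
  if (te = headers['transfer-encoding'])
    # Transfer-Encoding alongside Content-Length, or an unknown coding, is ambiguous framing.
    raise FramingError, 'ambiguous framing' if headers.key?('content-length') || !te.casecmp?('chunked')
    body = read_chunked(ss = StringScanner.new(rest))
    [request_line, headers, body, ss.rest]
  else
    len = headers.fetch('content-length', '0').to_i
    raise FramingError, 'short body' if rest.bytesize < len
    [request_line, headers, rest.byteslice(0, len), rest.byteslice(len, rest.bytesize - len)]
  end
end
```

A non-empty fourth element is the data a lenient parser would have started reading as the next request on the same connection.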