Source: puma
Version: 4.3.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for puma, it is caused by an incomplete fix for CVE-2019-16770.

CVE-2021-29509[0]:
| Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The
| fix for CVE-2019-16770 was incomplete. The original fix only protected
| existing connections that had already been accepted from having their
| requests starved by greedy persistent-connections saturating all
| threads in the same process. However, new connections may still be
| starved by greedy persistent-connections saturating all threads in all
| processes in the cluster. A `puma` server which received more
| concurrent `keep-alive` connections than the server had threads in its
| threadpool would service only a subset of connections, denying service
| to the unserved connections. This problem has been fixed in `puma`
| 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue.
| This is not advised when using `puma` without a reverse proxy, such as
| `nginx` or `apache`, because you will open yourself to slow client
| attacks (e.g. slowloris). The fix is very small and a git patch is
| available for those using unsupported versions of Puma.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29509
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509
[1] https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
[2] https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
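The starvation the advisory describes can be seen in a small discrete-time model of a fixed-size worker pool; this is an added illustration, not code from the bug report or from Puma itself, and the "greedy" and "fair" modes are simplifications of Puma's real scheduler and of what `queue_requests false` changes.

```ruby
# Simplified model of a Puma-style thread pool serving keep-alive connections.
# Greedy mode: a thread keeps its persistent connection until that client is
# done, so the first THREADS connections monopolise the pool and later
# connections wait (CVE-2021-29509 behaviour).
# Fair mode: after each request the connection is released and re-queued at the
# tail, so every waiting connection gets a turn (the effect the advisory
# attributes to `queue_requests false`; simplified here).

Conn = Struct.new(:id, :remaining)

# Returns { connection_id => tick at which it received its first response }.
def simulate(threads:, connections:, requests_per_conn:, greedy:)
  queue = (1..connections).map { |i| Conn.new(i, requests_per_conn) }
  first_served = {}
  busy = []   # connections currently holding a thread
  tick = 0
  until queue.empty? && busy.empty?
    tick += 1
    # idle threads pick up waiting connections from the head of the queue
    busy << queue.shift while busy.size < threads && !queue.empty?
    # each busy thread answers exactly one request on its connection
    busy.each do |c|
      first_served[c.id] ||= tick
      c.remaining -= 1
    end
    _done, alive = busy.partition { |c| c.remaining.zero? }
    if greedy
      busy = alive            # thread stays parked on the keep-alive socket
    else
      busy = []               # connection released back to the tail of the queue
      queue.concat(alive)
    end
  end
  first_served
end

# Longest wait for a first response across all connections.
def worst_first_response(**opts)
  simulate(**opts).values.max
end

if $PROGRAM_NAME == __FILE__
  opts = { threads: 2, connections: 4, requests_per_conn: 3 }
  puts "greedy: #{simulate(**opts, greedy: true)}"
  puts "fair:   #{simulate(**opts, greedy: false)}"
end
```

With two threads and four keep-alive clients of three requests each, connections 3 and 4 get nothing until tick 4 in greedy mode but are answered on tick 2 in fair mode.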