Your message dated Fri, 28 May 2021 17:36:02 +0000
with message-id <e1lmgow-000ekr...@fasolo.debian.org>
and subject line Bug#989054: fixed in puma 5.3.2-1
has caused the Debian Bug report #989054,
regarding puma: CVE-2021-29509: Keepalive Connections Causing Denial Of Service in puma
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
989054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: puma
Version: 4.3.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for puma; it is caused by an
incomplete fix for CVE-2019-16770.
CVE-2021-29509[0]:
| Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The
| fix for CVE-2019-16770 was incomplete. The original fix only protected
| existing connections that had already been accepted from having their
| requests starved by greedy persistent-connections saturating all
| threads in the same process. However, new connections may still be
| starved by greedy persistent-connections saturating all threads in all
| processes in the cluster. A `puma` server which received more
| concurrent `keep-alive` connections than the server had threads in its
| threadpool would service only a subset of connections, denying service
| to the unserved connections. This problem has been fixed in `puma`
| 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue.
| This is not advised when using `puma` without a reverse proxy, such as
| `nginx` or `apache`, because you will open yourself to slow client
| attacks (e.g. slowloris). The fix is very small and a git patch is
| available for those using unsupported versions of Puma.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-29509
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509
[1] https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
[2] https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
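The advisory above describes workers being pinned to greedy keep-alive connections so that a waiting connection is never accepted for service. The following Ruby model is an added illustration, not part of the bug report and not Puma's code: it replays a constructed scenario through a toy thread pool under a greedy policy and under a "yield after N inline requests when others are waiting" policy (the `max_inline` knob and `PoolModel` class are inventions of this example, not Puma options).

```ruby
# Toy model of a fixed-size thread pool serving HTTP keep-alive connections.
# Each tick, every busy worker handles one request from its connection.
Connection = Struct.new(:id, :pending, :served) # pending = requests still queued

class PoolModel
  # max_inline: nil => greedy, a worker keeps its connection while requests remain;
  #             N   => after N consecutive requests the worker re-queues the
  #                    connection if other connections are waiting for a thread.
  def initialize(threads:, max_inline: nil)
    @threads = threads
    @max_inline = max_inline
  end

  # Runs `ticks` scheduling rounds and returns ids of connections that were
  # never served at all (the denial-of-service outcome from the advisory).
  def run(connections, ticks:)
    queue = connections.dup # connections waiting for a worker (the backlog)
    held  = []              # connections currently pinned to a worker
    ticks.times do
      held << queue.shift while held.size < @threads && !queue.empty?
      held = held.filter_map do |c|
        c.served += 1
        c.pending -= 1
        next nil if c.pending <= 0 # client finished: release the thread
        if @max_inline && c.served % @max_inline == 0 && !queue.empty?
          queue << c               # fair policy: hand the thread to the backlog
          nil
        else
          c                        # keep the thread for the next pipelined request
        end
      end
    end
    connections.select { |c| c.served.zero? }.map(&:id)
  end
end

# Constructed scenario: 4 workers, 4 keep-alive clients each pipelining 1000
# requests, plus one ordinary client (id 5) that needs a single response.
def starved_ids(max_inline:)
  clients = (1..4).map { |i| Connection.new(i, 1000, 0) } << Connection.new(5, 1, 0)
  PoolModel.new(threads: 4, max_inline: max_inline).run(clients, ticks: 50)
end

if __FILE__ == $PROGRAM_NAME
  puts "greedy keep-alive: starved #{starved_ids(max_inline: nil).inspect}" # [5]
  puts "yield after 10:    starved #{starved_ids(max_inline: 10).inspect}"  # []
end
```

The greedy run shows why `queue_requests false` or the upstream patch is needed: with as many persistent clients as threads, connection 5 is never served no matter how long the pool runs.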
--- Begin Message ---
Source: puma
Source-Version: 5.3.2-1
Done: Pirate Praveen <prav...@debian.org>
We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 989...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated puma package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 28 May 2021 22:34:53 +0530
Source: puma
Architecture: source
Version: 5.3.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Closes: 989054
Changes:
puma (5.3.2-1) experimental; urgency=medium
.
* New upstream version 5.3.2 (Closes: #989054) (Fixes: CVE-2021-29509)
* Refresh patches
--- End Message ---