Your message dated Fri, 08 Nov 2024 07:04:24 +0000
with message-id <e1t9j2e-002sbs...@fasolo.debian.org>
and subject line Bug#1082379: fixed in puma 6.4.3-1
has caused the Debian Bug report #1082379,
regarding puma: CVE-2024-45614
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1082379: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082379
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: puma
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for puma.
CVE-2024-45614[0]:
| Puma is a Ruby/Rack web server built for parallelism. In affected
| versions clients could clobber values set by intermediate proxies
| (such as X-Forwarded-For) by providing an underscore version of the
| same header (X-Forwarded_For). Any users relying on proxy-set
| variables are affected. v6.4.3/v5.6.9 now discards any headers using
| underscores if the non-underscore version also exists, effectively
| allowing the proxy-defined headers to always win. Users are advised
| to upgrade. Nginx has an underscores_in_headers configuration
| variable to discard these headers at the proxy level as a
| mitigation. Any users that are implicitly trusting the proxy-defined
| headers for security should immediately cease doing so until
| upgraded to the fixed versions.
https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-45614
https://www.cve.org/CVERecord?id=CVE-2024-45614
Please adjust the affected versions in the BTS as needed.
--- End Message ---
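The header collision the advisory describes, as an added example (not code from the bug report or from Puma itself): a Rack/CGI-style mapping turns both X-Forwarded-For and X-Forwarded_For into the same env key, and the fix rule is to discard an underscore header whenever the dash form is also present. The "last header wins" merge, the sample headers and the function names are constructed for illustration.

```ruby
# Added example: CGI-style header-to-env mapping and the advisory's fix rule.
# Not Puma's own code; the merge policy and sample request are constructed.

# One HTTP header name -> Rack/CGI env key. "X-Forwarded-For" and
# "X-Forwarded_For" both become "HTTP_X_FORWARDED_FOR", which is the collision.
def env_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Naive mapping (constructed simplification): a later header overwrites an
# earlier one, so a client-supplied underscore variant that reaches the app
# server replaces the value the proxy set.
def build_env_naive(headers)
  headers.each_with_object({}) { |(name, value), env| env[env_key(name)] = value }
end

# Mapping with the fixed-version rule from the advisory: a header containing
# an underscore is dropped when the non-underscore form of the same name is
# also present; an underscore header with no dash-form twin is kept.
def build_env_safe(headers)
  dash_names = headers.map { |name, _| name.downcase }.reject { |n| n.include?("_") }
  kept = headers.reject do |name, _|
    name.include?("_") && dash_names.include?(name.downcase.tr("_", "-"))
  end
  build_env_naive(kept)
end

# Constructed request as it might arrive from a proxy: the proxy's own
# X-Forwarded-For, followed by a pass-through header from the client.
SAMPLE_HEADERS = [
  ["Host", "app.example"],
  ["X-Forwarded-For", "203.0.113.9"],
  ["X-Forwarded_For", "198.51.100.7"],
].freeze

if __FILE__ == $0
  p build_env_naive(SAMPLE_HEADERS)["HTTP_X_FORWARDED_FOR"] # client value won
  p build_env_safe(SAMPLE_HEADERS)["HTTP_X_FORWARDED_FOR"]  # proxy value kept
end
```

Dropping underscore headers at the proxy (the nginx underscores_in_headers default) and upgrading Puma both remove the collision; the safe mapping above shows only the server-side rule.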
--- Begin Message ---
Source: puma
Source-Version: 6.4.3-1
Done: Abhijith PA <abhij...@debian.org>
We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1082...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Abhijith PA <abhij...@debian.org> (supplier of updated puma package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 30 Sep 2024 09:46:18 +0530
Source: puma
Architecture: source
Version: 6.4.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Abhijith PA <abhij...@debian.org>
Closes: 1082379
Changes:
puma (6.4.3-1) unstable; urgency=medium
.
* Team upload.
* New upstream version. Fixes CVE-2024-45614 (Closes: #1082379)
* Remove custom ssl autopkgtest.
- https://lists.debian.org/debian-ruby/2024/11/msg00006.html
* Update certificates for tests.
--- End Message ---