
[SECURITY] [DLA 3947-1] puma security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3947-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
November 06, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : puma
Version        : 4.3.8-1+deb11u3
CVE ID         : CVE-2024-21647 CVE-2024-45614


Two vulnerabilities have been fixed in puma, a threaded HTTP server
for Ruby/Rack applications.

CVE-2024-21647

    Incorrect parsing of chunked transfer-encoding bodies allowed HTTP
    request smuggling. Fixed versions limit the size of chunk
    extensions. Without this limit, an attacker could cause unbounded
    resource (CPU, network bandwidth) consumption.

CVE-2024-45614

    Clients could clobber values set by intermediate proxies (such as
    X-Forwarded-For) by providing an underscore version of the same
    header (X-Forwarded_For). Any user relying on proxy-set variables
    is affected.
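The header collision behind CVE-2024-45614 comes from the CGI-style
normalization every Rack server performs: header names are upcased and
dashes become underscores, so "X-Forwarded-For" and "X-Forwarded_For"
both land on HTTP_X_FORWARDED_FOR. The following Ruby example is added
here for illustration and is not puma's code; the last-header-wins
behaviour and the mitigation (drop an underscored header when a dashed
header maps to the same key) are simplified models, not puma's patch.

```ruby
# Added example (not puma's own code): models how Rack-style env
# normalization lets an underscored header collide with a proxy-set one,
# and one defensive normalization that refuses the collision.

# Rack/CGI env key for a header name: upcase, "-" becomes "_".
# "X-Forwarded-For" and "X-Forwarded_For" both give HTTP_X_FORWARDED_FOR.
def env_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Simplified vulnerable model: every header is stored under its env key,
# so a later underscored header silently overwrites the proxy's value.
def normalize_env_vulnerable(headers)
  env = {}
  headers.each { |name, value| env[env_key(name)] = value }
  env
end

# Assumed mitigation (modelled on the advisory, not puma's exact patch):
# an underscored header is discarded when a dashed header in the same
# request maps to the same env key, so the proxy-set value survives.
def normalize_env_hardened(headers)
  dashed_keys = headers.map { |name, _| env_key(name) unless name.include?("_") }.compact
  env = {}
  headers.each do |name, value|
    key = env_key(name)
    next if name.include?("_") && dashed_keys.include?(key)
    env[key] = value
  end
  env
end

# Names of underscored headers that collide with a dashed one; useful as
# a log/detection signal at the edge, independent of the server fix.
def colliding_underscore_headers(headers)
  dashed_keys = headers.map { |name, _| env_key(name) unless name.include?("_") }.compact
  headers.map { |name, _| name if name.include?("_") && dashed_keys.include?(env_key(name)) }.compact
end

# Constructed request headers in arrival order: the proxy set
# X-Forwarded-For, the client supplied the underscore variant.
SAMPLE_HEADERS = [
  ["X-Forwarded-For", "203.0.113.10"],
  ["X-Forwarded_For", "10.0.0.1"],
  ["Host", "example.test"],
].freeze
```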

For Debian 11 bullseye, these problems have been fixed in version
4.3.8-1+deb11u3.

We recommend that you upgrade your puma packages.

For the detailed security status of puma please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/puma

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS