
Bug#950795: buster-pu: package puma/3.12.0-2



Control: tags -1 + confirmed

On Thu, 2020-02-06 at 17:33 +0100, Daniel Leidert wrote:
> The proposed update will fix CVE-2019-16770 (#946312) for Buster
> users. The security team marked the issue no-dsa and asked to
> schedule the fix via the next point release. The debdiff is attached.
> The patch to fix the CVE has been taken from upstream's Git
> repository.

+puma (3.12.0-2+deb10u1) buster-security; urgency=medium

Just "buster" for p-u, please.

+Subject: Merge pull request from GHSA-7xx3-m584-x994
+
+could monopolize a thread. Previously, this could make a DoS attack more
+severe.

Is there a missing line (or at least words) before "could monopolize"
there?

In any case, please go ahead (with the fixed distribution).

Regards,

Adam

