[SECURITY] [DLA 3947-1] puma security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3947-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
November 06, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : puma
Version : 4.3.8-1+deb11u3
CVE ID : CVE-2024-21647 CVE-2024-45614
Two vulnerabilities have been fixed in puma, a threaded HTTP server
for Ruby/Rack applications.
CVE-2024-21647
Puma parsed chunked transfer-encoding bodies incorrectly, in a way
that allowed HTTP request smuggling. The fixed versions limit the
size of chunk extensions; without such a limit, an attacker could
cause unbounded resource (CPU, network bandwidth) consumption by
sending arbitrarily long extensions on each chunk-size line.
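As an added illustration of the class of limit described above (example code, not Puma's parser or the Debian patch): a minimal Ruby parser for an HTTP/1.1 chunked body that bounds the length of the chunk extension on each chunk-size line. The cap MAX_CHUNK_EXT and the helper names are assumptions made for this example; Puma's own constant and value are not reproduced here.

```ruby
# Added example, not Puma's code: a minimal parser for an HTTP/1.1 chunked
# body that bounds the length of chunk extensions, the class of limit the
# fix for CVE-2024-21647 introduces. MAX_CHUNK_EXT is an assumed value
# chosen for this example, not Puma's constant.
MAX_CHUNK_EXT = 4096

class ChunkedBodyError < StandardError; end

# Returns the de-chunked payload of +data+ (a String holding the complete
# chunked body). Raises ChunkedBodyError on malformed input or when a
# chunk-size line carries an extension longer than +max_ext+ bytes.
def parse_chunked_body(data, max_ext: MAX_CHUNK_EXT)
  data = data.b # work in bytes so index/byteslice agree
  body = "".b
  pos = 0
  loop do
    line_end = data.index("\r\n", pos)
    raise ChunkedBodyError, "missing CRLF after chunk size" unless line_end

    size_hex, ext = data[pos...line_end].split(";", 2)
    # Chunk extensions (";name=value") are optional and unused by real
    # clients, but a sender can stuff any amount of data into them. Without
    # a cap the server reads and discards it all, burning CPU and bandwidth.
    if ext && ext.bytesize > max_ext
      raise ChunkedBodyError, "chunk extension too long (#{ext.bytesize} bytes)"
    end
    unless size_hex.to_s.match?(/\A\h{1,16}\z/)
      raise ChunkedBodyError, "bad chunk size #{size_hex.inspect}"
    end
    size = size_hex.to_i(16)
    pos = line_end + 2

    if size.zero?
      # last-chunk: either an immediate CRLF or trailer fields ending in CRLF CRLF
      rest = data.byteslice(pos, data.bytesize - pos) || ""
      unless rest == "\r\n" || rest.end_with?("\r\n\r\n")
        raise ChunkedBodyError, "missing terminating CRLF"
      end
      return body
    end

    chunk = data.byteslice(pos, size)
    raise ChunkedBodyError, "truncated chunk" if chunk.nil? || chunk.bytesize < size
    body << chunk
    pos += size
    raise ChunkedBodyError, "missing CRLF after chunk data" unless data[pos, 2] == "\r\n"
    pos += 2
  end
end

# True when +data+ is rejected by the bounded parser; handy for quick checks.
def rejects_chunked_body?(data, max_ext: MAX_CHUNK_EXT)
  parse_chunked_body(data, max_ext: max_ext)
  false
rescue ChunkedBodyError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a well-formed body with a short extension, and one
  # whose extension is far larger than the cap.
  good = "5;ext=ok\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
  bad  = "5;" + ("a" * 100_000) + "\r\nhello\r\n0\r\n\r\n"
  puts parse_chunked_body(good).inspect
  puts "oversized extension rejected: #{rejects_chunked_body?(bad)}"
end
```

The point of the cap is that the extension is the one part of a chunk-size line whose length the client controls without declaring it up front; the chunk size itself is bounded by the hex-digit limit. A server that accepts the extension unbounded has to read every byte of it before it can find the CRLF and move on, so an attacker who streams extensions slowly ties up a thread per connection.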
CVE-2024-45614
Clients could clobber values set by intermediate proxies (such as
X-Forwarded-For) by providing an underscore version of the same
header (X-Forwarded_For). Both names map to the same Rack environment
key (HTTP_X_FORWARDED_FOR), so a client-supplied X-Forwarded_For could
override the proxy's X-Forwarded-For. Any user relying on proxy-set
variables is affected.
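As an added illustration of the collision above (example code, not Puma's parser or the Debian patch): the Rack/CGI convention upcases a header name, turns "-" into "_" and prefixes "HTTP_", so two different wire names land on one env key. The last-write-wins env construction, the PROXY_SET list and the "hyphenated name always wins" rule below are assumptions made for this example, not a description of how Puma builds env or of the upstream fix.

```ruby
# Added example, not Puma's code: demonstrates the header-name collision
# behind CVE-2024-45614 and one hardening rule. The Rack/CGI convention
# maps a header name to an env key by upcasing it, turning "-" into "_"
# and prefixing "HTTP_", so "X-Forwarded-For" and "X-Forwarded_For" both
# become HTTP_X_FORWARDED_FOR. The last-write-wins env construction, the
# PROXY_SET list and the precedence rule are assumptions made for this
# example, not a description of Puma's parser or of its fix.

def env_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Naive construction: every header is written into env in arrival order,
# so a client-supplied underscore variant that arrives after the proxy's
# hyphenated header replaces the proxy's value.
def build_env_naive(headers)
  env = {}
  headers.each { |name, value| env[env_key(name)] = value }
  env
end

# Keys the application treats as proxy-set; an underscore spelling of any
# of these is dropped outright. Assumed list for this example.
PROXY_SET = %w[HTTP_X_FORWARDED_FOR HTTP_X_FORWARDED_PROTO
               HTTP_X_FORWARDED_HOST HTTP_X_REAL_IP].freeze

# Hardened construction: a header whose raw name contains "_" never wins
# against a hyphenated name mapping to the same key, and is dropped for
# keys in PROXY_SET.
def build_env_hardened(headers)
  env = {}
  underscored, hyphenated = headers.partition { |name, _| name.include?("_") }
  underscored.each do |name, value|
    key = env_key(name)
    env[key] = value unless PROXY_SET.include?(key)
  end
  # Written last, so the hyphenated (proxy-style) name always takes precedence.
  hyphenated.each { |name, value| env[env_key(name)] = value }
  env
end

# Detection aid: env keys fed by both an underscore-bearing and a hyphen-only
# header name in the same request. Worth logging at the proxy or app edge.
def colliding_header_keys(headers)
  by_key = Hash.new { |h, k| h[k] = [] }
  headers.each { |name, _| by_key[env_key(name)] << name }
  by_key.select do |_, names|
    names.any? { |n| n.include?("_") } && names.any? { |n| !n.include?("_") }
  end.keys
end

# Constructed request headers: the proxy set X-Forwarded-For, and the
# client's X-Forwarded_For was passed through after it.
PROXIED_HEADERS = [
  ["Host", "app.example"],
  ["X-Forwarded-For", "203.0.113.7"],
  ["X-Forwarded_For", "10.0.0.1"],
  ["User-Agent", "curl/8.0"],
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive:     #{build_env_naive(PROXIED_HEADERS)['HTTP_X_FORWARDED_FOR']}"
  puts "hardened:  #{build_env_hardened(PROXIED_HEADERS)['HTTP_X_FORWARDED_FOR']}"
  puts "colliding: #{colliding_header_keys(PROXIED_HEADERS).inspect}"
end
```

Whether the underscore header ever reaches Puma depends on the front proxy: nginx, for instance, drops header names containing underscores unless underscores_in_headers is switched on, while other proxies pass them through. Upgrading the package is the fix; dropping or logging underscore variants of proxy-set headers at the edge is a cheap additional control.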
For Debian 11 bullseye, these problems have been fixed in version
4.3.8-1+deb11u3.
We recommend that you upgrade your puma packages.
For the detailed security status of puma please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/puma
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS