Debian 10225 Published by

New puma packages have been made available for Debian GNUL/Linux 11 (Buster) LTS to resolve two vulnerabilities:

[SECURITY] [DLA 3947-1] puma security update




[SECURITY] [DLA 3947-1] puma security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3947-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
November 06, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : puma
Version : 4.3.8-1+deb11u3
CVE ID : CVE-2024-21647 CVE-2024-45614

Two vulnerabilities have been fixed in puma, a threaded HTTP server
for Ruby/Rack applications.

CVE-2024-21647

Incorrect behavior when parsing chunked transfer encoding bodies
in a way that allowed HTTP request smuggling. Fixed versions
limits the size of chunk extensions. Without this limit, an
attacker could cause unbounded resource (CPU, network bandwidth)
consumption.

CVE-2024-45614

Clients could clobber values set by intermediate proxies (such as
X-Forwarded-For) by providing a underscore version of the same
header (X-Forwarded_For). Any users relying on proxy set variables
is affected.

For Debian 11 bullseye, these problems have been fixed in version
4.3.8-1+deb11u3.

We recommend that you upgrade your puma packages.

For the detailed security status of puma please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/puma

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS