ruby3.1-rubygem-puma-4-4.3.10-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11830 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby3.1-rubygem-puma-4-4.3.10-1.1 on GA media These are all security issues fixed in the ruby3.1-rubygem-puma-4-4.3.10-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11830 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11830 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-16770/ SUSE CVE CVE-2019-16770 page https://www.suse.com/security/cve/CVE-2020-11076/ SUSE CVE CVE-2020-11076 page https://www.suse.com/security/cve/CVE-2021-41136/ SUSE CVE CVE-2021-41136 page openSUSE Tumbleweed ruby3.1-rubygem-puma-4-4.3.10-1.1 ruby3.1-rubygem-puma-4-4.3.10-1.1 as a component of openSUSE Tumbleweed In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2. CVE-2019-16770 openSUSE Tumbleweed:ruby3.1-rubygem-puma-4-4.3.10-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-16770.html CVE-2019-16770 https://bugzilla.suse.com/1158675 SUSE Bug 1158675 https://bugzilla.suse.com/1188527 SUSE Bug 1188527 In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. CVE-2020-11076 openSUSE Tumbleweed:ruby3.1-rubygem-puma-4-4.3.10-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-11076.html CVE-2020-11076 https://bugzilla.suse.com/1172175 SUSE Bug 1172175 https://bugzilla.suse.com/1172176 SUSE Bug 1172176 Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`. CVE-2021-41136 openSUSE Tumbleweed:ruby3.1-rubygem-puma-4-4.3.10-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41136.html CVE-2021-41136 https://bugzilla.suse.com/1191681 SUSE Bug 1191681