ruby3.2-rubygem-puma-6.0.0-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12900-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby3.2-rubygem-puma-6.0.0-2.1 on GA media These are all security issues fixed in the ruby3.2-rubygem-puma-6.0.0-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12900 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-16770/ SUSE CVE CVE-2019-16770 page https://www.suse.com/security/cve/CVE-2020-11076/ SUSE CVE CVE-2020-11076 page https://www.suse.com/security/cve/CVE-2022-23634/ SUSE CVE CVE-2022-23634 page openSUSE Tumbleweed ruby3.2-rubygem-puma-6.0.0-2.1 ruby3.2-rubygem-puma-6.0.0-2.1 as a component of openSUSE Tumbleweed In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2. CVE-2019-16770 openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-16770.html CVE-2019-16770 https://bugzilla.suse.com/1158675 SUSE Bug 1158675 https://bugzilla.suse.com/1188527 SUSE Bug 1188527 In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. CVE-2020-11076 openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-11076.html CVE-2020-11076 https://bugzilla.suse.com/1172175 SUSE Bug 1172175 https://bugzilla.suse.com/1172176 SUSE Bug 1172176 Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability. CVE-2022-23634 openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-23634.html CVE-2022-23634 https://bugzilla.suse.com/1196222 SUSE Bug 1196222