ruby3.3-rubygem-puma-5-5.6.8-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13721 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby3.3-rubygem-puma-5-5.6.8-1.1 on GA media These are all security issues fixed in the ruby3.3-rubygem-puma-5-5.6.8-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13721 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13721 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-16770/ SUSE CVE CVE-2019-16770 page https://www.suse.com/security/cve/CVE-2020-11076/ SUSE CVE CVE-2020-11076 page https://www.suse.com/security/cve/CVE-2021-29509/ SUSE CVE CVE-2021-29509 page https://www.suse.com/security/cve/CVE-2021-41136/ SUSE CVE CVE-2021-41136 page https://www.suse.com/security/cve/CVE-2022-24790/ SUSE CVE CVE-2022-24790 page openSUSE Tumbleweed ruby3.3-rubygem-puma-5-5.6.8-1.1 ruby3.3-rubygem-puma-5-5.6.8-1.1 as a component of openSUSE Tumbleweed In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2. CVE-2019-16770 openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-16770.html CVE-2019-16770 https://bugzilla.suse.com/1158675 SUSE Bug 1158675 https://bugzilla.suse.com/1188527 SUSE Bug 1188527 In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. CVE-2020-11076 openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-11076.html CVE-2020-11076 https://bugzilla.suse.com/1172175 SUSE Bug 1172175 https://bugzilla.suse.com/1172176 SUSE Bug 1172176 Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma. CVE-2021-29509 openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29509.html CVE-2021-29509 https://bugzilla.suse.com/1188527 SUSE Bug 1188527 Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`. CVE-2021-41136 openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41136.html CVE-2021-41136 https://bugzilla.suse.com/1191681 SUSE Bug 1191681 Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard. CVE-2022-24790 openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-24790.html CVE-2022-24790 https://bugzilla.suse.com/1197818 SUSE Bug 1197818