{"affected":[{"ecosystem_specific":{"binaries":[{"ruby2.5-rubygem-puma":"5.6.9-150600.18.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Availability Extension 15 SP6","name":"rubygem-puma","purl":"pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"5.6.9-150600.18.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"ruby2.5-rubygem-puma":"5.6.9-150600.18.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Availability Extension 15 SP7","name":"rubygem-puma","purl":"pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"5.6.9-150600.18.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"ruby2.5-rubygem-puma":"5.6.9-150600.18.3.1","ruby2.5-rubygem-puma-doc":"5.6.9-150600.18.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"rubygem-puma","purl":"pkg:rpm/opensuse/rubygem-puma&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"5.6.9-150600.18.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for rubygem-puma fixes the following issues:\n\nUpdate to version 5.6.9.\n\n- CVE-2024-45614: improper header normalization allows for clients to clobber proxy set headers, which can lead to\n  information leaks (bsc#1230848, fixed in an earlier update).\n- CVE-2024-21647: unbounded resource consumption due to invalid parsing of chunked encoding in HTTP/1.1 can lead to\n  denial-of-service attacks (bsc#1218638, fixed in an earlier update)\n- CVE-2023-40175: incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length\n  headers can lead to HTTP request smuggling attacks (bsc#1214425, fixed in an earlier update).\n","id":"SUSE-SU-2025:03467-1","modified":"2025-10-07T11:34:07Z","published":"2025-10-07T11:34:07Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202503467-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1214425"},{"type":"REPORT","url":"https://bugzilla.suse.com/1218638"},{"type":"REPORT","url":"https://bugzilla.suse.com/1230848"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-40175"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-21647"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-45614"}],"related":["CVE-2023-40175","CVE-2024-21647","CVE-2024-45614"],"summary":"Security update for rubygem-puma","upstream":["CVE-2023-40175","CVE-2024-21647","CVE-2024-45614"]}