[DRE-maint] Bug#1060345: puma: CVE-2024-21647: Invalid parsing of chunked encoding in HTTP/1.1 allows DoS attacks
Salvatore Bonaccorso
carnil at debian.org
Mon Feb 5 20:19:06 GMT 2024
Source: puma
Source-Version: 6.4.2-1
On Tue, Jan 09, 2024 at 10:15:07PM +0100, Salvatore Bonaccorso wrote:
> Source: puma
> Version: 5.6.7-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for puma.
>
> CVE-2024-21647[0]:
> | Puma is a web server for Ruby/Rack applications built for
> | parallelism. Prior to version 6.4.2, puma exhibited incorrect
> | behavior when parsing chunked transfer encoding bodies in a way that
> | allowed HTTP request smuggling. Fixed versions limits the size of
> | chunk extensions. Without this limit, an attacker could cause
> | unbounded resource (CPU, network bandwidth) consumption. This
> | vulnerability has been fixed in versions 6.4.2 and 5.6.8.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-21647
> https://www.cve.org/CVERecord?id=CVE-2024-21647
> [1] https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
> [2] https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
>
> Please adjust the affected versions in the BTS as needed.
This was fixed with the 6.4.2 upload,
https://tracker.debian.org/news/1500879/accepted-puma-642-1-source-into-unstable/
but not closed. Doing so manually.
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list