[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-24790,puma: Mark as no-dsa for Stretch

Markus Koschany (@apo) apo at debian.org
Wed May 25 23:27:24 BST 2022



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
00630d0c by Markus Koschany at 2022-05-26T00:01:19+02:00
CVE-2022-24790,puma: Mark as no-dsa for Stretch

Although all existing tests pass, the new test_requests_invalid tests never
seem to finish. It is currently not possible to determine if this is caused by
a failing test or a Puma bug. The error message is:

Error reached top of thread-pool

and might be related to

https://github.com/puma/puma/issues/1502

I have opted not to apply the patch because of that. The preliminary patch to
fix CVE-2022-24790 can be found at

https://people.debian.org/~apo/lts/stretch/puma/CVE-2022-24790.patch

Also remove the no-dsa tags for CVE-2019-16770 and CVE-2020-5247 because they
will be fixed in an upcoming security update.

- - - - -
1851ca48 by Markus Koschany at 2022-05-26T00:27:15+02:00
Reserve DLA-3023-1 for puma

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -19270,9 +19270,11 @@ CVE-2022-24791 (Wasmtime is a standalone JIT-style runtime for WebAssembly, usin
 CVE-2022-24790 (Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for R ...)
 	{DSA-5146-1}
 	- puma <unfixed> (bug #1008723)
+	[stretch] - puma <no-dsa> (possibly introduces regressions)
 	NOTE: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
 	NOTE: https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5 (5-6-stable)
 	NOTE: https://github.com/puma/puma/commit/6c514e70f5ae0ff14c9b0091fa84bfa39b022025 (v5.6.3)
+	NOTE: https://people.debian.org/~apo/lts/stretch/puma/CVE-2022-24790.patch
 CVE-2022-24789 (C1 CMS is an open-source, .NET based Content Management System (CMS).  ...)
 	NOT-FOR-US: C1 CMS
 CVE-2022-24788 (Vyper is a pythonic Smart Contract Language for the ethereum virtual m ...)
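Review bot: the rationale on the added `[stretch] - puma <no-dsa> (possibly introduces regressions)` line is much terser than the commit message; consider a NOTE recording that the new test_requests_invalid tests hang with "Error reached top of thread-pool" and linking https://github.com/puma/puma/issues/1502, so whoever revisits stretch does not have to dig this commit out of history. The added `NOTE: https://people.debian.org/~apo/lts/stretch/puma/CVE-2022-24790.patch` line would also benefit from a "(preliminary, not applied to stretch)" marker, since the neighbouring NOTE lines point at upstream commits that are actual fixes.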
@@ -168163,7 +168165,6 @@ CVE-2020-5248 (GLPI before before version 9.4.6 has a vulnerability involving a
 CVE-2020-5247 (In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application us ...)
 	- puma 3.12.4-1 (bug #952766)
 	[buster] - puma 3.12.0-2+deb10u2
-	[stretch] - puma <no-dsa> (intrusive to backport)
 	NOTE: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
 	NOTE: https://github.com/puma/puma/commit/1b17e85a06183cd169b41ca719928c26d44a6e03 (3.12.3)
 	NOTE: https://github.com/puma/puma/commit/694feafcd4fdcea786a0730701dad933f7547bea (4.3.2)
@@ -189179,7 +189180,6 @@ CVE-2019-16771 (Versions of Armeria 0.85.0 through and including 0.96.0 are vuln
 CVE-2019-16770 (In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client coul ...)
 	- puma 3.12.0-4 (bug #946312)
 	[buster] - puma 3.12.0-2+deb10u1
-	[stretch] - puma <no-dsa> (Minor issue)
 	NOTE: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
 	NOTE: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
 	NOTE: This is an incomplete fix. When fixing this issue make sure to also apply
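Review bot: the unchanged context line `NOTE: This is an incomplete fix. When fixing this issue make sure to also apply` (truncated by the hunk boundary) flags that upstream commit 06053e60 alone does not fully resolve CVE-2019-16770; since the stretch `<no-dsa>` tag is being dropped in favour of DLA-3023-1, confirm the follow-up change that NOTE refers to is included in 3.6.0-1+deb9u2 before the DLA is published.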


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[26 May 2022] DLA-3023-1 puma - security update
+	{CVE-2019-16770 CVE-2020-5247 CVE-2022-23634}
+	[stretch] - puma 3.6.0-1+deb9u2
 [25 May 2022] DLA-3022-1 dpkg - security update
 	{CVE-2022-1664}
 	[stretch] - dpkg 1.18.26
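Review bot: the new DLA-3023-1 entry lists CVE-2022-23634 alongside CVE-2019-16770 and CVE-2020-5247, but the data/CVE/list changes in this push only touch the latter two; check that the stretch line for CVE-2022-23634 carries no stale `<no-dsa>` tag that would contradict this DLA entry once it is released.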


=====================================
data/dla-needed.txt
=====================================
@@ -211,8 +211,6 @@ postgresql-9.6
   NOTE: 20220523: Christoph Berg won't handle this update (Beuc/front-desk)
   NOTE: 20220523: https://lists.debian.org/debian-lts/2022/05/msg00054.html
 --
-puma (Markus Koschany)
---
 puppet-module-puppetlabs-firewall
   NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc/front-desk)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5c5c0f1163d86480b8940f88cdd8539f5e5f79fb...1851ca487ca36847ae270779b7f7348349f678df




