[DRE-maint] Bug#946312: puma: CVE-2019-16770
Salvatore Bonaccorso
carnil at debian.org
Fri Dec 6 22:15:58 GMT 2019
Source: puma
Version: 3.12.0-2
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for puma.
CVE-2019-16770[0]:
| In Puma before version 4.3.2, a poorly-behaved client could use
| keepalive requests to monopolize Puma's reactor and create a denial of
| service attack. If more keepalive connections to Puma are opened than
| there are threads available, additional connections will wait
| permanently if the attacker sends requests frequently enough.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16770
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770
[1] https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
[2] https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list