[DRE-maint] Bug#952766: puma: CVE-2020-5247

Salvatore Bonaccorso carnil at debian.org
Fri Feb 28 20:27:21 GMT 2020


Source: puma
Version: 3.12.0-4
Severity: important
Tags: security upstream
Control: found -1 4.3.1-1
Control: found -1 3.12.0-2

Hi,

The following vulnerability was published for puma.

CVE-2020-5247[0]:
| In Puma (RubyGem) before 4.3.2 and 3.12.2, if an application using
| Puma allows untrusted input in a response header, an attacker can use
| newline characters (i.e. `CR`, `LF` or `/r`, `/n`) to end the header
| and inject malicious content, such as additional headers or an
| entirely new response body. This vulnerability is known as HTTP
| Response Splitting. While not an attack in itself, response splitting
| is a vector for several other attacks, such as cross-site scripting
| (XSS). This is related to CVE-2019-16254, which fixed this
| vulnerability for the WEBrick Ruby web server. This has been fixed in
| versions 4.3.2 and 3.12.3 by checking all headers for line endings and
| rejecting headers with those characters.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5247
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247
[1] https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
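The check the advisory describes (reject any response header value that contains a line terminator), as an added example that is not part of this report or of puma's own code, with the pre-fix serialization beside the fixed one and a Rack middleware form; header values are assumed to be strings or arrays of strings, and the tainted value is constructed:

```ruby
# Added example, not puma's own code: the check the advisory describes
# (reject any response header value containing a line terminator), as a
# plain Ruby module plus a Rack middleware. Header values are assumed to be
# strings or arrays of strings, not Rack 2's "\n"-joined multi-values.
module HeaderGuard
  class InvalidHeaderValue < StandardError; end

  # A CR or LF anywhere in a value ends the header line on the wire, so the
  # bytes after it are parsed as a further header or the start of the body.
  LINE_TERMINATOR = /[\r\n]/

  # Return the value unchanged, or raise if it could split the response.
  def self.validate!(name, value)
    Array(value).each do |v|
      if v.to_s.match?(LINE_TERMINATOR)
        raise InvalidHeaderValue, "response header #{name} contains CR/LF"
      end
    end
    value
  end

  # Pre-fix behaviour: values are copied straight into the header block,
  # so an injected CR LF yields an extra header line.
  def self.unchecked_serialize(headers)
    headers.map { |k, v| "#{k}: #{v}\r\n" }.join
  end

  # Fixed behaviour: every value is validated before serialization.
  def self.serialize(headers)
    headers.map { |k, v| "#{k}: #{validate!(k, v)}\r\n" }.join
  end

  # Rack middleware applying the same check to an application's response
  # headers before they reach the server.
  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      status, headers, body = @app.call(env)
      headers.each { |k, v| HeaderGuard.validate!(k, v) }
      [status, headers, body]
    end
  end
end

# Constructed attacker-controlled value: a redirect target carrying CR LF.
TAINTED = "/account\r\nX-Injected: constructed"
```

`unchecked_serialize` turns the single tainted Location value into two header lines, while `serialize` and the middleware raise `InvalidHeaderValue` before anything is written to the socket.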
