[DRE-maint] Bug#953122: puma: CVE-2020-5249

Salvatore Bonaccorso carnil at debian.org
Wed Mar 4 20:58:43 GMT 2020


Source: puma
Version: 3.12.0-4
Severity: important
Tags: security upstream
Control: found -1 3.12.0-2

Hi,

The following vulnerability was published for puma; it is fixed
upstream in 4.3.3 and 3.12.4.

CVE-2020-5249[0]:
| In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using
| Puma allows untrusted input in an early-hints header, an attacker can
| use a carriage return character to end the header and inject malicious
| content, such as additional headers or an entirely new response body.
| This vulnerability is known as HTTP Response Splitting. While not an
| attack in itself, response splitting is a vector for several other
| attacks, such as cross-site scripting (XSS). This is related to
| CVE-2020-5247, which fixed this vulnerability but only for regular
| responses. This has been fixed in 4.3.3 and 3.12.4.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5249
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249
[1] https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
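
The flaw described in the advisory above is a header value that is allowed to contain a bare CR, so the value terminates the header line and whatever follows is parsed as further headers or a body. The added example below is not Puma's code and not part of this bug report; it shows the check an application (or a server framework) would apply before an untrusted value reaches a 103 Early Hints response: reject any header name that is not an RFC 7230 token and any value containing CR, LF or NUL, instead of serializing it. The function names, the `build_early_hints` helper and the sample header values are assumptions constructed for the example.

```ruby
# Added example, not Puma's own code: validate early-hints headers before
# they are serialized, so a CR/LF supplied by a user cannot end the header
# line. All names here are hypothetical.

class InvalidHeaderValue < ArgumentError; end

# RFC 7230 header field names are tokens: visible ASCII, no separators.
HEADER_NAME_TOKEN = /\A[!\#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/.freeze

def validate_header_name!(name)
  name = name.to_s
  unless name.match?(HEADER_NAME_TOKEN)
    raise InvalidHeaderValue, "invalid header name: #{name.inspect}"
  end
  name
end

# A field value may never contain a bare CR or LF (or NUL). Reject rather
# than strip, so the caller learns that untrusted data reached a header.
def validate_header_value!(value)
  value = value.to_s
  if value.match?(/[\r\n\x00]/)
    raise InvalidHeaderValue, "header value contains CR/LF/NUL: #{value.inspect}"
  end
  value
end

# Serialize a "103 Early Hints" response from a Hash of headers, validating
# each name and value first. Returns the raw response text; raises
# InvalidHeaderValue on the first unsafe header.
def build_early_hints(headers)
  lines = ["HTTP/1.1 103 Early Hints"]
  headers.each do |name, value|
    lines << "#{validate_header_name!(name)}: #{validate_header_value!(value)}"
  end
  lines.join("\r\n") + "\r\n\r\n"
end

# True when every header in the Hash would serialize without splitting.
def early_hints_safe?(headers)
  build_early_hints(headers)
  true
rescue InvalidHeaderValue
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed, well-formed preload hint: serializes to a single header line.
  puts build_early_hints("Link" => "</style.css>; rel=preload; as=style")

  # Constructed untrusted value containing a CR: rejected, never serialized.
  p early_hints_safe?("Link" => "</a>; rel=preload\rX-Injected: 1")
end
```

The validation is placed on the value, not on the output buffer, because by the time the bytes are joined with CRLF the information about where one header ends is already lost; that is the same reason the upstream fix for CVE-2020-5247 had to be repeated for the early-hints path.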


