[DRE-maint] Bug#989054: puma: CVE-2021-29509: Keepalive Connections Causing Denial Of Service in puma

Salvatore Bonaccorso carnil at debian.org
Mon May 24 20:14:00 BST 2021


Source: puma
Version: 4.3.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for puma. It is caused by
an incomplete fix for CVE-2019-16770.

CVE-2021-29509[0]:
| Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The
| fix for CVE-2019-16770 was incomplete. The original fix only protected
| existing connections that had already been accepted from having their
| requests starved by greedy persistent-connections saturating all
| threads in the same process. However, new connections may still be
| starved by greedy persistent-connections saturating all threads in all
| processes in the cluster. A `puma` server which received more
| concurrent `keep-alive` connections than the server had threads in its
| threadpool would service only a subset of connections, denying service
| to the unserved connections. This problem has been fixed in `puma`
| 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue.
| This is not advised when using `puma` without a reverse proxy, such as
| `nginx` or `apache`, because you will open yourself to slow client
| attacks (e.g. slowloris). The fix is very small and a git patch is
| available for those using unsupported versions of Puma.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29509
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509
[1] https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
[2] https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
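The starvation the advisory describes, as a constructed Ruby model added here (not puma's code and not puma's actual scheduling or fix): a fixed pool of worker threads serves queued connections one request per tick; keep-alive connections pipeline several requests, fresh connections carry one. Under the assumed `:greedy` policy a thread keeps its connection until drained, so the fresh connections never get a turn; under the assumed `:fair` policy the thread hands the connection back whenever others are waiting.

```ruby
# Constructed model (added example, not puma's code): a fixed pool of worker
# threads serving queued connections, one request per thread per tick.
Conn = Struct.new(:id, :remaining, :served)

# policy :greedy - a thread keeps its keep-alive connection until it is drained
# policy :fair   - after each request the thread hands the connection back to
#                  the queue whenever other connections are waiting
def simulate(policy, threads:, keepalive:, requests_each:, newcomers:, ticks:)
  conns = Array.new(keepalive) { |i| Conn.new("ka#{i}", requests_each, 0) } +
          Array.new(newcomers) { |i| Conn.new("new#{i}", 1, 0) }
  queue   = conns.dup            # accepted connections waiting for a thread
  holding = Array.new(threads)   # connection each thread owns, nil when idle
  ticks.times do
    threads.times do |t|
      holding[t] ||= queue.shift # idle thread picks the next waiting connection
      conn = holding[t]
      next unless conn
      conn.served    += 1        # one request answered this tick
      conn.remaining -= 1
      if conn.remaining.zero?
        holding[t] = nil         # client is done; thread becomes free
      elsif policy == :fair && !queue.empty?
        queue << conn            # yield the thread; rejoin behind the others
        holding[t] = nil
      end
    end
  end
  conns
end

# ids of connections that never received a single response
def starved(conns)
  conns.select { |c| c.served.zero? }.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  %i[greedy fair].each do |policy|
    result = simulate(policy, threads: 2, keepalive: 2, requests_each: 10,
                      newcomers: 3, ticks: 5)
    puts "#{policy}: starved=#{starved(result).inspect}"
  end
end
```

With two threads fully occupied by two keep-alive clients, the greedy policy leaves all three new connections unserved for the whole run, while the fair policy serves them within three ticks.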
