puma: CVE-2020-5249

Related Vulnerabilities: CVE-2020-5249   CVE-2020-5247   CVE-2019-16770  

Debian Bug report logs - #953122
puma: CVE-2020-5249


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 4 Mar 2020 21:03:01 UTC

Severity: important

Tags: bullseye, buster, security, sid, upstream

Found in versions puma/3.12.0-4, puma/3.12.0-2

Fixed in versions puma/3.12.4-1, puma/4.3.3-1

Done: Daniel Leidert <dleidert@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#953122; Package src:puma. (Wed, 04 Mar 2020 21:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 04 Mar 2020 21:03:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: puma: CVE-2020-5249
Date: Wed, 04 Mar 2020 21:58:43 +0100
Source: puma
Version: 3.12.0-4
Severity: important
Tags: security upstream
Control: found -1 3.12.0-2

Hi,

The following vulnerability was published for puma; it is fixed
upstream in 4.3.3 and 3.12.4.

CVE-2020-5249[0]:
| In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using
| Puma allows untrusted input in an early-hints header, an attacker can
| use a carriage return character to end the header and inject malicious
| content, such as additional headers or an entirely new response body.
| This vulnerability is known as HTTP Response Splitting. While not an
| attack in itself, response splitting is a vector for several other
| attacks, such as cross-site scripting (XSS). This is related to
| CVE-2020-5247, which fixed this vulnerability but only for regular
| responses. This has been fixed in 4.3.3 and 3.12.4.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5249
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249
[1] https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
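The response-splitting mechanism described in the CVE text above, shown as an added example that is not part of this bug log and not Puma's own code: a hypothetical naive serializer for a 103 Early Hints response that writes header values verbatim, the CR/LF check a hardened serializer applies to every header name and value before any bytes go out, and a constructed tainted Link value showing how the two differ. All function and constant names are assumptions made for this illustration.

```ruby
# Added example, not Puma's code: why a CR/LF in an early-hints header value
# splits the response, and the check that prevents it. All names here are
# hypothetical; the sample header value is constructed for this demonstration.

# Bare CR or LF is never valid inside an HTTP/1.1 header name or value.
CRLF_RE = /[\r\n]/.freeze

# Naive serializer for a 103 Early Hints response: interpolates header
# values verbatim, which is the defect class CVE-2020-5249 describes.
def naive_early_hints(headers)
  out = +"HTTP/1.1 103 Early Hints\r\n"
  headers.each { |name, value| out << "#{name}: #{value}\r\n" }
  out << "\r\n"
end

# Rejects any header whose name or value carries a CR or LF, so untrusted
# application input can never terminate a header line early.
def validate_header!(name, value)
  name = name.to_s
  value = value.to_s
  raise ArgumentError, "invalid header name: #{name.inspect}" if name.empty? || name.match?(CRLF_RE)
  raise ArgumentError, "invalid header value for #{name}: #{value.inspect}" if value.match?(CRLF_RE)
  true
end

# Hardened serializer: validates every header before writing any bytes.
def safe_early_hints(headers)
  headers.each { |name, value| validate_header!(name, value) }
  naive_early_hints(headers)
end

# Parses the header block of a serialized response back into "Name: value"
# lines, so a reader can see exactly which headers a client would receive.
def header_lines(buf)
  buf.split("\r\n\r\n", 2).first.split("\r\n").drop(1)
end

# Constructed tainted input: a Link value with an embedded CRLF followed by a
# header the application never intended to send.
CLEAN_LINK   = "</style.css>; rel=preload"
TAINTED_LINK = "#{CLEAN_LINK}\r\nX-Injected: yes"

if __FILE__ == $PROGRAM_NAME
  # The naive serializer emits two headers from one tainted value.
  puts header_lines(naive_early_hints("Link" => TAINTED_LINK)).inspect
  # The hardened serializer refuses the value outright.
  begin
    safe_early_hints("Link" => TAINTED_LINK)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The check belongs at the serialization boundary rather than in each application: a server that validates names and values once, for every code path that writes headers (regular responses and early hints alike), closes the gap that CVE-2020-5247 left open when only regular responses were covered.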



Marked as found in versions puma/3.12.0-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 04 Mar 2020 21:03:03 GMT) (full text, mbox, link).


Added tag(s) buster, bullseye, and sid. Request was from Daniel Leidert <dleidert@debian.org> to control@bugs.debian.org. (Wed, 04 Mar 2020 22:24:03 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#953122. (Wed, 04 Mar 2020 22:27:08 GMT) (full text, mbox, link).


Message #12 received at 953122-submitter@bugs.debian.org (full text, mbox, reply):

From: Daniel Leidert <noreply@salsa.debian.org>
To: 953122-submitter@bugs.debian.org
Subject: Bug#953122 marked as pending in puma
Date: Wed, 04 Mar 2020 22:23:47 +0000
Control: tag -1 pending

Hello,

Bug #953122 in puma reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ruby-team/puma/-/commit/963be53d8900b7efdccbb2edeeadc0181ecb6a30

------------------------------------------------------------------------
puma (3.12.4-1) UNRELEASED

  * New upstream release.
    - Fixes CVE-2020-5247 (closes: #952766).
    - Fixes CVE-2020-5249 (closes: #953122).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/953122



Added tag(s) pending. Request was from Daniel Leidert <noreply@salsa.debian.org> to 953122-submitter@bugs.debian.org. (Wed, 04 Mar 2020 22:27:09 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#953122. (Thu, 05 Mar 2020 00:42:04 GMT) (full text, mbox, link).


Message #17 received at 953122-submitter@bugs.debian.org (full text, mbox, reply):

From: Daniel Leidert <noreply@salsa.debian.org>
To: 953122-submitter@bugs.debian.org
Subject: Bug#953122 marked as pending in puma
Date: Thu, 05 Mar 2020 00:39:56 +0000
Control: tag -1 pending

Hello,

Bug #953122 in puma reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ruby-team/puma/-/commit/166344008bc1c8e4aebb02a81557b5acae8b29f5

------------------------------------------------------------------------
puma (4.3.3-1) UNRELEASED

  * New upstream release.
    - Fixes CVE-2020-5247 (closes: #952766).
    - Fixes CVE-2020-5249 (closes: #953122).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/953122



Reply sent to Daniel Leidert <dleidert@debian.org>:
You have taken responsibility. (Thu, 05 Mar 2020 00:54:07 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 05 Mar 2020 00:54:07 GMT) (full text, mbox, link).


Message #22 received at 953122-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 953122-close@bugs.debian.org
Subject: Bug#953122: fixed in puma 3.12.4-1
Date: Thu, 05 Mar 2020 00:51:41 +0000
Source: puma
Source-Version: 3.12.4-1
Done: Daniel Leidert <dleidert@debian.org>

We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 953122@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert <dleidert@debian.org> (supplier of updated puma package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Mar 2020 23:09:16 +0100
Source: puma
Architecture: source
Version: 3.12.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Closes: 952766 953122
Changes:
 puma (3.12.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fixes CVE-2020-5247 (closes: #952766).
     - Fixes CVE-2020-5249 (closes: #953122).
   * d/control (Section): Changed to web.
     (Homepage): Use secure URL.
     (Depends): Add ${ruby:Depends}.
   * d/copyright (Source): Use secure URL.
   * d/ruby-tests.rake: Disable test/test_puma_server_ssl.rb for the moment.
     These tests fail due to openssl being configured to use SECLEVEL2
     (https://github.com/puma/puma/issues/2147).
   * d/rules: Add override to install upstream changelog.
   * d/watch: Rename downloaded tarball to include package name.
   * d/patches/0008-fix-ssl-tests.patch: Remove patch. Applied upstream.
   * d/patches/CVE-2019-16770.patch: Ditto.
   * d/patches/*.patch: Refresh patches.
   * d/patches/series: Adjust.
Checksums-Sha1:
 089b7f9ba2fcfd6f0016c8df4b738c4602b2fca8 1957 puma_3.12.4-1.dsc
 6740532784a8759fc0a42edc7381eb9ead324878 219148 puma_3.12.4.orig.tar.gz
 7de203baa232ca3bef90bc58b47729108b026696 8300 puma_3.12.4-1.debian.tar.xz
 c7c06aca58758a0f6069061b6ac8a06bdaf606c0 8949 puma_3.12.4-1_amd64.buildinfo
Checksums-Sha256:
 2977d86d40311d1b83f244a75b9d316c6a6adaad8b551e679f6bf8125064a139 1957 puma_3.12.4-1.dsc
 41c0ccb465bf0ddaaa32ada40415c2fdb5076ae0bb0037f7093efc6d49086c50 219148 puma_3.12.4.orig.tar.gz
 140a008877cfbd01191ff0051a0fbceada0a14976e618d1651e941e8d588fab8 8300 puma_3.12.4-1.debian.tar.xz
 a12b0cc60dc4bde9544866c4fdbf2e1050fee78d917df56b8e7e6d12dfc8a7d0 8949 puma_3.12.4-1_amd64.buildinfo
Files:
 d3ef8f66ff0849f239b786c7c401410e 1957 web optional puma_3.12.4-1.dsc
 6ae3801f9368cc3153feec6d07fc3879 219148 web optional puma_3.12.4.orig.tar.gz
 c7e59e989fc1e0b3d638dacafbffd3f1 8300 web optional puma_3.12.4-1.debian.tar.xz
 f51e03b82d34eca86bfa69c6d0c78314 8949 web optional puma_3.12.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Daniel Leidert <dleidert@debian.org>:
You have taken responsibility. (Thu, 05 Mar 2020 01:57:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 05 Mar 2020 01:57:05 GMT) (full text, mbox, link).


Message #27 received at 953122-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 953122-close@bugs.debian.org
Subject: Bug#953122: fixed in puma 4.3.3-1
Date: Thu, 05 Mar 2020 01:52:36 +0000
Source: puma
Source-Version: 4.3.3-1
Done: Daniel Leidert <dleidert@debian.org>

We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 953122@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert <dleidert@debian.org> (supplier of updated puma package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Mar 2020 01:34:17 +0100
Source: puma
Architecture: source
Version: 4.3.3-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Closes: 952766 953122
Changes:
 puma (4.3.3-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fixes CVE-2020-5247 (closes: #952766).
     - Fixes CVE-2020-5249 (closes: #953122).
   * d/control (Section): Change to web.
     (Vcs-Git): Indicate branch name via -b debian/experimental.
     (Homepage): Use secure URL.
     (Depends): Use ${ruby:Depends}.
   * d/copyright (Source): Use secure URL.
   * d/rules: Add override to install upstream changelog.
   * d/watch: Use package name for tarball.
Checksums-Sha1:
 029b8ef6ac37b936b3292a7b08d5878164dac9ad 2005 puma_4.3.3-1.dsc
 37c2dc90580b7b3680ef880452efa6c7be69071d 241756 puma_4.3.3.orig.tar.gz
 25d0a96f4423aeddae51e9a62623becf6907c7ce 7568 puma_4.3.3-1.debian.tar.xz
 69505e4827af62432f2fc4d967f2dba80f7d549f 9322 puma_4.3.3-1_amd64.buildinfo
Checksums-Sha256:
 62b648f63565034c2d0d71158b5ff4f8c9ffec1830c85c7ed9dfe74048b51f0b 2005 puma_4.3.3-1.dsc
 e1836f7f7da8e02e5917a0e3961898e90f991a1f38f555fb065b2af9337e4d18 241756 puma_4.3.3.orig.tar.gz
 7f707b3a6ec3c4b3eebb66b90ba665929a5b5d4ebca720df270c99e81c6d4dbf 7568 puma_4.3.3-1.debian.tar.xz
 d77bb6f81dc0b262e107be856b587957702d587798ae08ca6e202766e85b7ac8 9322 puma_4.3.3-1_amd64.buildinfo
Files:
 ef449c497d2a3c1c2bfc90839a0b7187 2005 web optional puma_4.3.3-1.dsc
 9fc257856760445fe3c57fb69bd4ec77 241756 web optional puma_4.3.3.orig.tar.gz
 bcfeb57ea790cec5c06c26716e3d9449 7568 web optional puma_4.3.3-1.debian.tar.xz
 e191419125dbc902b8cdee525dea450f 9322 web optional puma_4.3.3-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Mar 5 08:33:35 2020; Machine Name: beach
