Debian Bug report logs -
#989054
puma: CVE-2021-29509: Keepalive Connections Causing Denial Of Service in puma
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
:
Bug#989054
; Package src:puma
.
(Mon, 24 May 2021 19:18:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
.
(Mon, 24 May 2021 19:18:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: puma
Version: 4.3.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for puma, it is caused due
to an incomplete fix for CVE-2019-16770.
CVE-2021-29509[0]:
| Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The
| fix for CVE-2019-16770 was incomplete. The original fix only protected
| existing connections that had already been accepted from having their
| requests starved by greedy persistent-connections saturating all
| threads in the same process. However, new connections may still be
| starved by greedy persistent-connections saturating all threads in all
| processes in the cluster. A `puma` server which received more
| concurrent `keep-alive` connections than the server had threads in its
| threadpool would service only a subset of connections, denying service
| to the unserved connections. This problem has been fixed in `puma`
| 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue.
| This is not advised when using `puma` without a reverse proxy, such as
| `nginx` or `apache`, because you will open yourself to slow client
| attacks (e.g. slowloris). The fix is very small and a git patch is
| available for those using unsupported versions of Puma.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-29509
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509
[1] https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
[2] https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue May 25 12:44:57 2021;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.