-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4262
                           puma security update
                              30 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           puma
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24790 CVE-2022-23634 CVE-2021-41136
                   CVE-2021-29509  

Original Bulletin: 
   https://www.debian.org/lts/security/2022/dla-3083

Comment: CVSS (Max):  7.5 CVE-2022-24790 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
         CVSS Source: [NVD], Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3083-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
August 28, 2022                               https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : puma
Version        : 3.12.0-2+deb10u3
CVE ID         : CVE-2021-29509 CVE-2021-41136 CVE-2022-23634 
                 CVE-2022-24790

Multiple security issues have been found in puma, a web server for 
ruby/rack applications.

CVE-2021-29509

    Keepalive connections could be used to cause a denial of service in puma.

CVE-2021-41136

    When puma is deployed behind a proxy that forwards HTTP header values 
    containing the LF character, HTTP request smuggling is possible. A 
    client could smuggle a request through the proxy, causing the proxy 
    to send a response back to another, unknown client.

CVE-2022-23634

    puma may not always call `close` on the response body. Rails, prior 
    to version `7.0.2.2`, depended on the response body being closed for 
    its `CurrentAttributes` implementation to work correctly. The 
    combination of these two behaviours (puma not closing the body, and 
    Rails' Executor relying on that close) causes information leakage 
    between requests.
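
    The following Ruby script is an added example and is not code from 
    puma, Rails or the Debian advisory. It models the contract the 
    advisory describes with a hypothetical `Current` thread-local and a 
    Rack-style body whose `close` resets it, then runs two requests on 
    one thread with and without calling `close`, so the leak from the 
    first request into the second can be observed directly.

```ruby
# Added example (not puma's or Rails' code). Per-request state lives in a
# thread-local and is reset from the response body's #close, which the Rack
# contract obliges the server to call. A server loop that skips #close leaks
# the first request's state into the next request on the same thread.
# `Current`, `ResettingBody`, `APP` and `serve` are illustrative names.
module Current
  def self.user
    Thread.current[:current_user]
  end

  def self.user=(u)
    Thread.current[:current_user] = u
  end

  def self.reset
    Thread.current[:current_user] = nil
  end
end

# Body wrapper: streams the inner body and resets request state on #close.
class ResettingBody
  def initialize(body)
    @body = body
  end

  def each(&blk)
    @body.each(&blk)
  end

  def close
    @body.close if @body.respond_to?(:close)
    Current.reset
  end
end

# Toy Rack app: an authenticated request records its user in Current; every
# response reports which user the app currently believes it is serving.
APP = lambda do |env|
  Current.user = env['HTTP_X_USER'] if env['HTTP_X_USER']
  [200, { 'content-type' => 'text/plain' },
   ResettingBody.new(["user=#{Current.user.inspect}"])]
end

# Sequential server loop, as one server thread serving a keep-alive
# connection would run it. Returns the rendered body of each response.
# close_body: false mimics a server that never calls #close.
def serve(app, envs, close_body:)
  envs.map do |env|
    _status, _headers, body = app.call(env)
    out = String.new
    body.each { |chunk| out << chunk }
    body.close if close_body
    out
  end
end

# Constructed request sequence: one authenticated, then one anonymous.
REQUESTS = [
  { 'HTTP_X_USER' => 'alice' },
  {}
].freeze

if $PROGRAM_NAME == __FILE__
  Current.reset
  puts "without close: #{serve(APP, REQUESTS, close_body: false).inspect}"
  Current.reset
  puts "with close:    #{serve(APP, REQUESTS, close_body: true).inspect}"
end
```

    Without `close`, the anonymous second request is answered as 
    `alice`; with `close`, the state is reset between requests and the 
    second response reports `nil`.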

CVE-2022-24790

    When Puma is used behind a proxy that does not properly validate that 
    the incoming HTTP request conforms to RFC 7230, Puma and the 
    front-end proxy may disagree on where a request starts and ends. 
    This would allow requests to be smuggled via the front-end proxy to 
    Puma.
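
    The following Ruby script is an added example and is not code from 
    Puma, any proxy, or the Debian advisory; it covers both smuggling 
    issues above (CVE-2021-41136 and CVE-2022-24790). It implements a 
    small request framer under three hypothetical policies: a lenient 
    parser that treats a bare LF as a line ending and trusts 
    Content-Length, a parser that prefers Transfer-Encoding: chunked as 
    RFC 7230 section 3.3.3 requires, and a strict parser that rejects 
    any input on which the other two would disagree. The request bytes 
    are constructed inline; nothing touches the network.

```ruby
# Added example (not Puma's or Debian's code). Shows how two hops that frame
# requests differently disagree on where one request ends and the next
# begins, and the strict checks that refuse the ambiguous input instead.
module HttpFraming
  TOKEN = /\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\z/ # RFC 7230 tchar

  # Split raw request bytes into header block and body at the first CRLF CRLF.
  def self.split(raw)
    head, body = raw.split("\r\n\r\n", 2)
    [head.to_s, body.to_s]
  end

  # Lenient: any LF ends a line, so a header value that contains "\n" silently
  # becomes an extra header line (the mismatch behind CVE-2021-41136).
  def self.parse_headers_lenient(head)
    lines = head.split(/\r?\n/)
    [lines.shift, lines.map { |l| k, v = l.split(':', 2); [k.strip.downcase, v.to_s.strip] }]
  end

  # Strict: only CRLF ends a line; a CR or LF inside a value is an error.
  def self.parse_headers_strict(head)
    lines = head.split("\r\n")
    request_line = lines.shift
    headers = lines.map do |l|
      k, v = l.split(':', 2)
      raise ArgumentError, "malformed header line #{l.inspect}" if v.nil? || k !~ TOKEN
      raise ArgumentError, "CR/LF in value of #{k}" if v.match?(/[\r\n]/)
      [k.downcase, v.strip]
    end
    [request_line, headers]
  end

  # Decode a chunked body; returns [decoded bytes, bytes after the last chunk].
  def self.dechunk(body)
    out = String.new
    rest = body
    loop do
      size_line, rest = rest.split("\r\n", 2)
      raise ArgumentError, 'truncated chunk' if rest.nil?
      size = Integer(size_line.split(';').first.strip, 16)
      break if size.zero?
      raise ArgumentError, 'bad chunk' unless rest.byteslice(size, 2) == "\r\n"
      out << rest.byteslice(0, size)
      rest = rest.byteslice(size + 2..-1).to_s
    end
    raise ArgumentError, 'missing final CRLF' unless rest.start_with?("\r\n")
    [out, rest.byteslice(2..-1).to_s]
  end

  # Frame one request under a policy. Returns [request_line, body, leftover];
  # leftover is what a server would read as the start of the NEXT request.
  #   :content_length  trust Content-Length, ignore Transfer-Encoding
  #   :chunked         prefer Transfer-Encoding: chunked (RFC 7230 3.3.3)
  #   :strict          reject anything ambiguous rather than guess
  def self.frame(raw, policy)
    head, body = split(raw)
    request_line, headers =
      policy == :strict ? parse_headers_strict(head) : parse_headers_lenient(head)
    cl = headers.select { |k, _| k == 'content-length' }.map(&:last)
    te = headers.select { |k, _| k == 'transfer-encoding' }.map(&:last)
    if policy == :strict
      raise ArgumentError, 'Content-Length with Transfer-Encoding' if cl.any? && te.any?
      raise ArgumentError, 'conflicting Content-Length' if cl.uniq.size > 1
      raise ArgumentError, 'non-numeric Content-Length' if cl.any? && cl.first !~ /\A\d+\z/
      raise ArgumentError, 'unsupported transfer-coding' if te.any? && te != ['chunked']
    end
    use_chunked = policy != :content_length && te.any? { |v| v.downcase.include?('chunked') }
    if use_chunked
      decoded, rest = dechunk(body)
      [request_line, decoded, rest]
    else
      n = cl.first.to_i
      [request_line, body.byteslice(0, n).to_s, body.byteslice(n..-1).to_s]
    end
  end
end

# Constructed CL.TE payload: Content-Length (48) covers the whole body, but
# under chunked framing the body ends at "0\r\n\r\n" and the remainder is a
# second, smuggled request.
SMUGGLE = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 48\r\n" \
          "Transfer-Encoding: chunked\r\n\r\n" \
          "0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Constructed request with a bare LF inside a header value.
LF_REQ = "GET / HTTP/1.1\r\nHost: example.test\r\nX-Note: a\nX-Injected: yes\r\n\r\n"

if $PROGRAM_NAME == __FILE__
  _, _, left = HttpFraming.frame(SMUGGLE, :content_length)
  puts "front end (Content-Length) leftover: #{left.inspect}"
  _, _, left = HttpFraming.frame(SMUGGLE, :chunked)
  puts "back end (chunked) leftover:         #{left.inspect}"
  begin
    HttpFraming.frame(SMUGGLE, :strict)
  rescue ArgumentError => e
    puts "strict: rejected (#{e.message})"
  end
end
```

    A front end applying `:content_length` forwards `SMUGGLE` as one 
    request, while a back end applying `:chunked` sees the bytes after 
    the zero-length chunk as a second request for `/admin`; the 
    `:strict` policy refuses the message because it carries both 
    framing headers, and refuses `LF_REQ` because a value contains a 
    bare LF. The check a practitioner wants at the edge is the strict 
    one, applied identically on every hop.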

For Debian 10 buster, these problems have been fixed in version
3.12.0-2+deb10u3.

We recommend that you upgrade your puma packages.

For the detailed security status of puma please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/puma

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----