-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4262
                            puma security update
                               30 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           puma
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24790 CVE-2022-23634 CVE-2021-41136 CVE-2021-29509

Original Bulletin:
   https://www.debian.org/lts/security/2022/dla-3083

Comment: CVSS (Max):  7.5 CVE-2022-24790 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
         CVSS Source: [NVD], Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3083-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Abhijith PA
August 28, 2022                               https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package        : puma
Version        : 3.12.0-2+deb10u3
CVE ID         : CVE-2021-29509 CVE-2021-41136 CVE-2022-23634 CVE-2022-24790

Multiple security issues have been found in puma, a web server for
ruby/rack applications.

CVE-2021-29509

    Keepalive connections causing denial of service in puma.

CVE-2021-41136

    puma with a proxy which forwards HTTP header values which contain
    the LF character could allow HTTP request smuggling. A client could
    smuggle a request through a proxy, causing the proxy to send a
    response back to another unknown client.

CVE-2022-23634

    puma may not always call `close` on the response body. Rails, prior
    to version `7.0.2.2`, depended on the response body being closed in
    order for its `CurrentAttributes` implementation to work correctly.
    The combination of these two behaviors (Puma not closing the body +
    Rails' Executor implementation) causes information leakage.

CVE-2022-24790

    Using Puma behind a proxy that does not properly validate that the
    incoming HTTP request matches the RFC 7230 standard, Puma and the
    front-end proxy may disagree on where a request starts and ends.
    This would allow requests to be smuggled via the front-end proxy
    to Puma.

For Debian 10 buster, these problems have been fixed in version
3.12.0-2+deb10u3.

We recommend that you upgrade your puma packages.

For the detailed security status of puma please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/puma

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmMKa4AACgkQhj1N8u2c
KO/g0RAAlWwo15hwfcDDYvECOydh4HYBcK9Z/lpSSHwDWFJ69eS2djnicDVVYGbu
7Ic/c7zLZy8nJ10UcyZ/9OarJbZ2N22sTPI7R5Rii3PqxSj6FRxB3IGVtrylIFdr
9i0qH4ONa2DHUqyJV8UzN+NWy55KdDnPz2+GGXKtzOTDEutSBQNwsXkM07SJ9YDp
6TUCegbAjlOZxKzh3HAANAQ/Ua0//3m8ofaoDJb9pfsAuxNrOhxNbCzVRH7qBYqd
87cnfnwX8AWNKree9OZWxLMh2gXgbgzJmwzcJjkQeN8JWMp+74yzAlN2/37yU/2d
JSfyAqQCwOfe73x09T4v74IBKitVf0eDxgEzi1R8gfe2V7s3mNF7mAkvtt3mkRGi
URsVhJUr0G4vQ2/UOFpeTAn/yIVv7eLOIDSsiMSJBfefmZPM2zrrrxjb1uAQ7cps
U6LnMOr4M+w6Huq2K19T1scLomaEml3lZHbR4lJStRIVxmiJOo6NBBVYlv1P9VyO
kChxXd2odH75EsILYVKIZa8GIXo1Gzm3Z2hVQim+pu2pSGYMWS16QVGr3jbNflEg
TXjcMl2ED5iw7MxYZl6t2DUKgD3XcYPEd5da7OvPj+PxG+1tdZFc0g8K96ssGlyy
tjHlJBEiGqoxjBzrEYVrWuSrSNoYXfZ+cy+iBiEXci247CPk4/I=
=Y4/2
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
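Two of the mechanisms the Debian advisory describes can be checked for at the Rack layer as defence in depth: a forwarding proxy passing a header value that contains a bare LF (CVE-2021-41136, and the RFC 7230 disagreement of CVE-2022-24790), and a response body whose `close` is never called (CVE-2022-23634). The Ruby middleware below is an added example written for this bulletin; it is not code from Debian, the puma project or AusCERT, and it does not replace the package upgrade the advisory recommends. It assumes only the plain Rack calling convention (`call(env)` returning `[status, headers, body]`), needs no gems, and uses constructed `env` hashes as sample input; `BodyGuard`, `RecordingBody` and `run_request` are the example's own names.

```ruby
# Added example (hypothetical names): a Rack middleware that
# (a) refuses requests whose header values carry a raw CR or LF, which
#     RFC 7230 forbids inside a field value and which a validating proxy
#     should never forward, and
# (b) wraps the response body so #close runs as soon as iteration ends,
#     whether or not the server remembers to call it.
class BodyGuard
  # Wrapper that guarantees the inner body is closed exactly once.
  class ClosingBody
    attr_reader :inner

    def initialize(inner)
      @inner = inner
      @closed = false
    end

    def each(&block)
      @inner.each(&block)
    ensure
      close # runs even if the server abandons iteration with an exception
    end

    def close
      return if @closed
      @closed = true
      @inner.close if @inner.respond_to?(:close)
    end
  end

  def initialize(app)
    @app = app
  end

  # Names of request headers (Rack HTTP_* keys) whose value contains a raw
  # CR or LF. An empty array means every header value is well formed.
  def self.malformed_headers(env)
    env.select { |key, value| key.start_with?('HTTP_') && value.to_s.match?(/[\r\n]/) }.keys
  end

  def call(env)
    bad = self.class.malformed_headers(env)
    unless bad.empty?
      # A control character inside a field value is the condition under which
      # puma and the front-end proxy can disagree on request boundaries;
      # reject it and leave a log line for the SOC rather than pass it on.
      env['rack.errors']&.puts("BodyGuard: rejected request, control chars in #{bad.join(', ')}")
      return [400, { 'content-type' => 'text/plain' }, ["bad request\n"]]
    end
    status, headers, body = @app.call(env)
    [status, headers, ClosingBody.new(body)]
  end
end

# Constructed sample application: its body records whether #close was called,
# standing in for a Rails body that must be closed to reset per-request state.
class RecordingBody
  attr_reader :closed

  def initialize(chunks)
    @chunks = chunks
    @closed = false
  end

  def each(&block)
    @chunks.each(&block)
  end

  def close
    @closed = true
  end
end

SAMPLE_APP = lambda do |_env|
  [200, { 'content-type' => 'text/plain' }, RecordingBody.new(["hello\n"])]
end

# Constructed Rack environments: one normal, one whose X-Custom value carries
# an embedded LF (the shape a non-validating proxy might forward).
GOOD_ENV = {
  'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/',
  'HTTP_HOST' => 'app.example', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'
}.freeze
BAD_ENV = GOOD_ENV.merge('HTTP_X_CUSTOM' => "value\ninjected").freeze

# Drives the middleware like a server that iterates the body but, as in
# CVE-2022-23634, never calls #close on it. Returns [status, inner_closed, text].
def run_request(env)
  status, _headers, body = BodyGuard.new(SAMPLE_APP).call(env)
  text = +''
  body.each { |chunk| text << chunk }
  inner_closed = body.is_a?(BodyGuard::ClosingBody) ? body.inner.closed : nil
  [status, inner_closed, text]
end

if __FILE__ == $PROGRAM_NAME
  p run_request(GOOD_ENV) # => [200, true, "hello\n"]
  p run_request(BAD_ENV)  # => [400, nil, "bad request\n"]
end
```

The wrapper closes the inner body from `each`'s `ensure` clause, so a server that forgets `close` (or aborts mid-stream) still triggers the cleanup Rails relied on; the guard flag keeps a well-behaved server's own `close` call harmless. The header check only sees what puma already parsed, so a rejection here is a detection signal that the front-end proxy is forwarding malformed field values and should be fixed, not a substitute for the upgrade.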
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know
who that is, please send an email to auscert@auscert.org.au and we will
forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for member
                emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYw1wgskNZI30y1K9AQgEJA//XZu68c9LSoub+0E5vDmU20gswPoyBB/m
+urkNDg43bdBPSIKsf195PuoBT/UwV2VUb6bvky2FtI3eWJekS5Z5VHV0mV07IXd
34tvanbDlI7hvlQBKfHa1j1PVVFpiWv6snL7pdUlL9kShZyXtj0cnzy9ui6vkPAZ
/dMADALzgPxaY+LhS/2O7DdEDOhJe6hbSYs47Wqfh8wQDVVIF16C0W4VGviiCUuZ
FbHDxpPZuR4/YjK+sN5lunD+SYyvDCNdgJCrn8kPwVc5eXPXCixPrQ1bP7tdbQ+8
ZgkrVgCwcshMrvtqcyqdVc33tT3GH1jHbulBoXhLziarfwUwYtKYnhL16g90N1gk
adW0HCP75j6DF3DpT87sh9ZCFTcuqi/GglgF0zo67VNHUzSOKhs6KUTAFykIZZc/
ki+IB+1Xme37TzIkZyKry1x6jL4msFcax6of4AYjxPeSDWv87hS/axQbXJj0/O1T
vXZr5G2H/RbHXsVlxpA3ESS9oLgaV9+QxTZCkuHB06m/FstbMa1uUo8uH+vlnUuw
GIrIxDqQgalk4VHZULdSvIjEsxMSEFaQzYwsSkKj8bmTNTh5xKHjGacW4C7Ko41U
4J9ovplfXQ6tpScbySxG9y6dGTAQaK9XYUY8FkZ6NHfUOZZgcvdvdCSp5mt/o93r
TMaB3zFW6zc=
=fv3R
-----END PGP SIGNATURE-----