===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3469
                            puma security update
                               8 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           puma
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11077 CVE-2020-11076
Reference:         ESB-2020.2571

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2398-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
October 07, 2020                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : puma
Version        : 3.6.0-1+deb9u1
CVE ID         : CVE-2020-11076 CVE-2020-11077

Several security vulnerabilities have been discovered in puma, a highly
concurrent HTTP server for Ruby/Rack applications.

CVE-2020-11076

    By using an invalid transfer-encoding header, an attacker could
    smuggle an HTTP response.

CVE-2020-11077

    A client could smuggle a request through a proxy, causing the proxy
    to send a response back to another unknown client. If the proxy uses
    persistent connections and the client adds another request in via
    HTTP pipelining, the proxy may mistake it as the first request's
    body. Puma, however, would see it as two requests, and when
    processing the second request, send back a response that the proxy
    does not expect. If the proxy has reused the persistent connection
    to Puma to send another request for a different client, the second
    response from the first client will be sent to the second client.

For Debian 9 stretch, this problem has been fixed in version
3.6.0-1+deb9u1.

We recommend that you upgrade your puma packages.

For the detailed security status of puma please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/puma

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
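Both CVEs above come down to a front end and Puma disagreeing about where one request ends: an unrecognised Transfer-Encoding value, or a body framed so that a pipelined request is read as part of the previous one. The Ruby below is an added example, not code from the advisory, Debian or the puma project: a strict framing check of the kind a proxy or Rack middleware can apply before forwarding a request; the coding list follows RFC 7230 and the request strings used to exercise it are constructed.

```ruby
# Added example (not from the advisory or the puma project): a strict
# message-framing check of the kind a front-end proxy or Rack middleware
# can run before forwarding a request upstream. It rejects the framing
# ambiguities the advisory describes: a Transfer-Encoding value that is
# not a recognised coding, and a request carrying both Transfer-Encoding
# and Content-Length (RFC 7230 section 3.3.3 forbids forwarding that as-is).
KNOWN_CODINGS = %w[chunked identity gzip compress deflate x-gzip x-compress].freeze

# Parse a raw request head (constructed strings in the test) into a Hash of
# lowercase name => Array of values; a name may legitimately repeat, so
# every occurrence is kept. Returns nil on a malformed header line.
def parse_headers(raw)
  headers = Hash.new { |h, k| h[k] = [] }
  raw.split("\r\n").drop(1).each do |line|   # drop(1) skips the request line
    next if line.empty?
    name, value = line.split(":", 2)
    return nil if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  headers
end

# Returns [:ok, reason] or [:reject, reason] for one request head.
def check_framing(raw)
  headers = parse_headers(raw)
  return [:reject, "malformed header line"] if headers.nil?
  te = headers["transfer-encoding"]
  cl = headers["content-length"]

  if te.any? && cl.any?
    return [:reject, "both Transfer-Encoding and Content-Length present"]
  end
  # Every listed coding must be a known token and chunked must come last,
  # so the upstream server cannot frame the body differently from us.
  codings = te.flat_map { |v| v.split(",") }.map { |c| c.strip.downcase }
  unless codings.all? { |c| KNOWN_CODINGS.include?(c) }
    return [:reject, "unrecognised transfer-coding: #{codings.join(',')}"]
  end
  if codings.any? && codings.last != "chunked"
    return [:reject, "chunked must be the final transfer-coding"]
  end
  # Content-Length must be a single non-negative decimal; duplicates with
  # differing values are another classic desync trigger.
  if cl.uniq.size > 1 || cl.any? { |v| v !~ /\A\d+\z/ }
    return [:reject, "invalid or conflicting Content-Length"]
  end
  [:ok, "framing unambiguous"]
end
```

A request that fails the check should be answered with 400 at the edge rather than passed on, so the upstream never sees the ambiguous framing.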
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================