
Debian 11: DLA-3947-1 critical: puma request smuggling and proxy issue

Debian LTS, November 6, 2024
DLA-3947-1 fixes two vulnerabilities in puma, a threaded HTTP server for Ruby/Rack applications, in Debian 11 bullseye: an HTTP request smuggling / resource exhaustion issue in chunked body parsing and a header-clobbering issue affecting proxy-set headers. Users should update promptly.

Summary

Two vulnerabilities have been fixed in puma, a threaded HTTP server
for Ruby/Rack applications.

CVE-2024-21647

Incorrect behavior when parsing chunked transfer-encoding bodies
allowed HTTP request smuggling. Fixed versions limit the size of
chunk extensions. Without this limit, an attacker could cause
unbounded resource (CPU, network bandwidth) consumption.
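
A minimal chunked-body decoder that enforces the kind of chunk-extension cap the fix describes, added here as an illustration. It is not puma's parser; the 16-byte limit, the ChunkedBodyError class and the sample inputs are assumptions made for this example.

```ruby
# Added example, not puma's code: decode an HTTP/1.1 chunked body while
# capping the length of each chunk extension. The limit below is an
# assumed value for illustration, not the one puma ships.
MAX_CHUNK_EXT_BYTES = 16

class ChunkedBodyError < StandardError; end

# Decodes a complete chunked body held in +data+ and returns the payload.
# Raises ChunkedBodyError on malformed input or an oversized extension.
def decode_chunked(data, max_ext: MAX_CHUNK_EXT_BYTES)
  data = data.b          # work on bytes so offsets from #index match #byteslice
  body = "".b
  pos = 0

  loop do
    eol = data.index("\r\n", pos)
    raise ChunkedBodyError, "missing chunk-size line" if eol.nil?

    # chunk-size line: HEX [";" chunk-ext], e.g. "5;name=value"
    hex, ext = data[pos...eol].split(";", 2)
    raise ChunkedBodyError, "bad chunk size" unless hex && hex.match?(/\A\h+\z/)

    # Without this cap a client can attach an arbitrarily long extension to
    # every chunk and make the server burn CPU and bandwidth indefinitely.
    if ext && ext.bytesize > max_ext
      raise ChunkedBodyError, "chunk extension too long (#{ext.bytesize} bytes)"
    end

    size = hex.to_i(16)
    pos = eol + 2

    if size.zero?
      # last-chunk: skip any trailer fields up to the terminating empty line
      loop do
        teol = data.index("\r\n", pos)
        raise ChunkedBodyError, "unterminated trailer" if teol.nil?
        line = data[pos...teol]
        pos = teol + 2
        break if line.empty?
      end
      return body
    end

    if data.bytesize < pos + size + 2
      raise ChunkedBodyError, "truncated chunk data"
    end
    body << data.byteslice(pos, size)
    unless data.byteslice(pos + size, 2) == "\r\n"
      raise ChunkedBodyError, "chunk data not followed by CRLF"
    end
    pos += size + 2
  end
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample inputs
  puts decode_chunked("5;note=ok\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")
  begin
    decode_chunked("5;" + ("a" * 4096) + "\r\nhello\r\n0\r\n\r\n")
  rescue ChunkedBodyError => e
    puts "rejected: #{e.message}"
  end
end
```

The decoder rejects the oversized extension before it is ever inspected, so the cost to the server is bounded by the cap rather than by whatever the client chooses to send. A real server would additionally bound the total body size and the number of chunks, which this example leaves out.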

CVE-2024-45614

Clients could clobber values set by intermediate proxies (such as
X-Forwarded-For) by providing an underscore version of the same
header (X-Forwarded_For). Any application relying on proxy-set
variables is affected.
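
The collision that makes the underscore header effective, and one way to refuse it, as an added illustration written for this page. This is not puma's or Rack's code; the header list and IP addresses are constructed, and the hardened rule is one reasonable mitigation rather than the exact logic puma's fix applies.

```ruby
# Added example, not puma's or Rack's code. Rack-style servers expose request
# headers to the application as CGI env keys: "HTTP_" + name upcased with
# hyphens turned into underscores. "X-Forwarded-For" and "X-Forwarded_For"
# therefore collapse onto the same key, which is what CVE-2024-45614 abuses.
def env_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# Vulnerable shape: the last header to map onto a key wins, regardless of
# which spelling produced it.
def build_env_naive(headers)
  headers.each_with_object({}) do |(name, value), env|
    env[env_key(name)] = value
  end
end

# Hardened shape (an assumed mitigation for illustration): when two different
# spellings collapse onto one key, the spelling without underscores wins, so
# a client-supplied underscore variant can never displace a proxy-set header.
def build_env_hardened(headers)
  env = {}
  spelling = {}  # env key -> header name that currently owns it
  headers.each do |name, value|
    key = env_key(name)
    owner = spelling[key]
    if owner && !owner.casecmp?(name)
      # Different spellings collided. Drop the underscore form if the key is
      # already held by the hyphen form; otherwise let the hyphen form replace it.
      next if name.include?("_") && !owner.include?("_")
    end
    env[key] = value
    spelling[key] = name
  end
  env
end

# Constructed request as puma would see it behind a proxy: the proxy set
# X-Forwarded-For from the real peer address and passed the client's unknown
# X-Forwarded_For header through untouched. Addresses are from the
# documentation ranges, not real hosts.
CLOBBER_ATTEMPT = [
  ["Host", "app.example"],
  ["X-Forwarded-For", "203.0.113.9"],   # set by the proxy
  ["X-Forwarded_For", "198.51.100.7"],  # supplied by the client
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive:    #{build_env_naive(CLOBBER_ATTEMPT)["HTTP_X_FORWARDED_FOR"]}"
  puts "hardened: #{build_env_hardened(CLOBBER_ATTEMPT)["HTTP_X_FORWARDED_FOR"]}"
end
```

Repeated headers with the same spelling simply overwrite each other here; a real server joins them with ", ", which this example omits. The practical check for a deployment is on the proxy side as well: have the reverse proxy drop or reject header names containing underscores before they reach puma (nginx does this by default, since underscores_in_headers is off), and treat HTTP_X_FORWARDED_* values as trustworthy only when the request demonstrably arrived through that proxy.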

For Debian 11 bullseye, these problems have been fixed in version
4.3.8-1+deb11u3.

We recommend that you upgrade your puma packages.

For the detailed security status of puma please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/puma

Further information about Debian LTS security advisories, how to apply



Severity: critical

Package: puma
Version: 4.3.8-1+deb11u3
CVE ID: CVE-2024-21647 CVE-2024-45614
