Your message dated Thu, 05 Mar 2020 00:51:41 +0000
with message-id <[email protected]>
and subject line Bug#952766: fixed in puma 3.12.4-1
has caused the Debian Bug report #952766,
regarding puma: CVE-2020-5247
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
952766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: puma
Version: 3.12.0-4
Severity: important
Tags: security upstream
Control: found -1 4.3.1-1
Control: found -1 3.12.0-2

Hi,

The following vulnerability was published for puma.

CVE-2020-5247[0]:
| In Puma (RubyGem) before 4.3.2 and 3.12.2, if an application using
| Puma allows untrusted input in a response header, an attacker can use
| newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header
| and inject malicious content, such as additional headers or an
| entirely new response body. This vulnerability is known as HTTP
| Response Splitting. While not an attack in itself, response splitting
| is a vector for several other attacks, such as cross-site scripting
| (XSS). This is related to CVE-2019-16254, which fixed this
| vulnerability for the WEBrick Ruby web server. This has been fixed in
| versions 4.3.2 and 3.12.3 by checking all headers for line endings and
| rejecting headers with those characters.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5247
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247
[1] https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
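As an added illustration (not part of the report above and not Puma's own code), this Ruby snippet shows the kind of line-ending check the advisory describes: every response header name and value is inspected for CR or LF before the response head is serialized, and any header carrying one is rejected instead of being written to the wire. It treats multi-value headers as arrays rather than newline-joined strings, and the `InvalidHeaderError` class and function names are this example's own.

```ruby
# Added example (not Puma's code): reject response headers containing
# CR or LF, the check CVE-2020-5247 was fixed with, applied to a
# Rack-style headers Hash.
INVALID_HEADER_CHARS = /[\r\n]/.freeze

class InvalidHeaderError < StandardError; end

# Returns the headers unchanged when every name and value is free of
# CR/LF; raises InvalidHeaderError otherwise. A CR or LF inside a
# header would terminate the header line in the serialized response
# and let whatever follows be read as further headers or a body.
def validate_headers(headers)
  headers.each do |name, value|
    if name.to_s.match?(INVALID_HEADER_CHARS)
      raise InvalidHeaderError, "line ending in header name #{name.inspect}"
    end
    # Multi-value headers are given as arrays; check every element.
    Array(value).each do |v|
      if v.to_s.match?(INVALID_HEADER_CHARS)
        raise InvalidHeaderError, "line ending in value of #{name.inspect}"
      end
    end
  end
  headers
end

# Serializes status and headers into the head of an HTTP/1.1 response,
# validating first so no value can break out of its own line.
def serialize_response_head(status, headers)
  validate_headers(headers)
  lines = ["HTTP/1.1 #{status}"]
  headers.each do |name, value|
    Array(value).each { |v| lines << "#{name}: #{v}" }
  end
  lines.join("\r\n") + "\r\n\r\n"
end

# Constructed demo: a redirect whose Location comes from untrusted input.
# Returns true when the header passes the check, false when it is rejected.
def header_accepted?(untrusted_location)
  serialize_response_head(302, { "Location" => untrusted_location })
  true
rescue InvalidHeaderError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts header_accepted?("https://example.com/home")                  # true
  puts header_accepted?("https://example.com/\r\nSet-Cookie: a=b")   # false
end
```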
--- Begin Message ---
Source: puma
Source-Version: 3.12.4-1
Done: Daniel Leidert <[email protected]>

We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated puma package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Wed, 04 Mar 2020 23:09:16 +0100
Source: puma
Architecture: source
Version: 3.12.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 952766 953122
Changes:
 puma (3.12.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fixes CVE-2020-5247 (closes: #952766).
     - Fixes CVE-2020-5249 (closes: #953122).
   * d/control (Section): Changed to web.
     (Homepage): Use secure URL.
     (Depends): Add ${ruby:Depends}.
   * d/copyright (Source): Use secure URL.
   * d/ruby-tests.rake: Disable test/test_puma_server_ssl.rb for the moment.
     These tests fail due to openssl being configured to use SECLEVEL2
     (https://github.com/puma/puma/issues/2147).
   * d/rules: Add override to install upstream changelog.
   * d/watch: Rename downloaded tarball to include package name.
   * d/patches/0008-fix-ssl-tests.patch: Remove patch. Applied upstream.
   * d/patches/CVE-2019-16770.patch: Ditto.
   * d/patches/*.patch: Refresh patches.
   * d/patches/series: Adjust.


--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
