Your message dated Thu, 05 Mar 2020 01:52:36 +0000
with message-id <[email protected]>
and subject line Bug#952766: fixed in puma 4.3.3-1
has caused the Debian Bug report #952766,
regarding puma: CVE-2020-5247
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
952766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: puma
Version: 3.12.0-4
Severity: important
Tags: security upstream
Control: found -1 4.3.1-1
Control: found -1 3.12.0-2
Hi,
The following vulnerability was published for puma.
CVE-2020-5247[0]:
| In Puma (RubyGem) before 4.3.2 and 3.12.2, if an application using
| Puma allows untrusted input in a response header, an attacker can use
| newline characters (i.e. `CR`, `LF` or `/r`, `/n`) to end the header
| and inject malicious content, such as additional headers or an
| entirely new response body. This vulnerability is known as HTTP
| Response Splitting. While not an attack in itself, response splitting
| is a vector for several other attacks, such as cross-site scripting
| (XSS). This is related to CVE-2019-16254, which fixed this
| vulnerability for the WEBrick Ruby web server. This has been fixed in
| versions 4.3.2 and 3.12.3 by checking all headers for line endings and
| rejecting headers with those characters.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-5247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247
[1] https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
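The check the advisory describes (reject any header containing a line ending before it reaches the wire), as an added illustration in Ruby; this is not puma's code, and the names `validate_header!`, `serialize_response` and `unsafe_headers` are hypothetical. Array values are checked element by element; other multi-value conventions are out of scope here.

```ruby
# Added example, not code from puma or the Debian package.
# Demonstrates the class of check behind the CVE-2020-5247 fix:
# any CR or LF in a response header name or value is rejected.

class HeaderInjectionError < StandardError; end

# Matches a bare CR or LF anywhere in a header name or value.
CRLF_PATTERN = /[\r\n]/.freeze

# Returns true if a header name or any of its values contains a line ending.
def header_has_line_ending?(name, value)
  values = value.is_a?(Array) ? value : [value]
  name.to_s.match?(CRLF_PATTERN) ||
    values.any? { |v| v.to_s.match?(CRLF_PATTERN) }
end

# Raises unless the header is safe to serialize; returns [name, values].
def validate_header!(name, value)
  if header_has_line_ending?(name, value)
    raise HeaderInjectionError, "line ending in header #{name.inspect}"
  end
  [name.to_s, (value.is_a?(Array) ? value : [value]).map(&:to_s)]
end

# Serializes a status line plus headers into HTTP/1.1 wire format,
# validating each header first so a CRLF in untrusted input can never
# terminate the header and start a second one.
def serialize_response(status, headers)
  lines = ["HTTP/1.1 #{status}"]
  headers.each do |name, value|
    n, values = validate_header!(name, value)
    values.each { |v| lines << "#{n}: #{v}" }
  end
  lines.join("\r\n") + "\r\n\r\n"
end

# Audit helper: names of headers that would be rejected, for logging
# or for checking an application's header-building code.
def unsafe_headers(headers)
  headers.select { |n, v| header_has_line_ending?(n, v) }.keys
end
```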
--- Begin Message ---
Source: puma
Source-Version: 4.3.3-1
Done: Daniel Leidert <[email protected]>
We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated puma package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 05 Mar 2020 01:34:17 +0100
Source: puma
Architecture: source
Version: 4.3.3-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 952766 953122
Changes:
puma (4.3.3-1) experimental; urgency=medium
.
* Team upload.
* New upstream release.
- Fixes CVE-2020-5247 (closes: #952766).
- Fixes CVE-2020-5249 (closes: #953122).
* d/control (Section): Change to web.
(Vcs-Git): Indicate branch name via -b debian/experimental.
(Homepage): Use secure URL.
(Depends): Use ${ruby:Depends}.
* d/copyright (Source): Use secure URL.
* d/rules: Add override to install upstream changelog.
* d/watch: Use package name for tarball.
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers