Your message dated Fri, 16 Oct 2020 17:17:12 +0000
with message-id <[email protected]>
and subject line Bug#952766: fixed in puma 3.12.0-2+deb10u2
has caused the Debian Bug report #952766,
regarding puma: CVE-2020-5247
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
952766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: puma
Version: 3.12.0-4
Severity: important
Tags: security upstream
Control: found -1 4.3.1-1
Control: found -1 3.12.0-2
Hi,
The following vulnerability was published for puma.
CVE-2020-5247[0]:
| In Puma (RubyGem) before 4.3.2 and 3.12.2, if an application using
| Puma allows untrusted input in a response header, an attacker can use
| newline characters (i.e. `CR`, `LF` or `/r`, `/n`) to end the header
| and inject malicious content, such as additional headers or an
| entirely new response body. This vulnerability is known as HTTP
| Response Splitting. While not an attack in itself, response splitting
| is a vector for several other attacks, such as cross-site scripting
| (XSS). This is related to CVE-2019-16254, which fixed this
| vulnerability for the WEBrick Ruby web server. This has been fixed in
| versions 4.3.2 and 3.12.3 by checking all headers for line endings and
| rejecting headers with those characters.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-5247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247
[1] https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
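The check the advisory describes (reject any response header that contains a line ending) as an added Ruby illustration; this is not Puma's own code, the unchecked writer only mirrors the pre-fix behaviour of interpolating a value straight into the wire format, and the tainted header value is constructed for the demonstration:

```ruby
# Added example, not Puma's code: serialize a Rack-style header hash into an
# HTTP/1.1 response head, with and without the CR/LF check from the advisory.

CRLF = "\r\n"
LINE_ENDING = /[\r\n]/

class HeaderInjectionError < StandardError; end

# Return the value unchanged, or raise if the name or value carries CR or LF.
def check_header(name, value)
  if name.to_s.match?(LINE_ENDING)
    raise HeaderInjectionError, "header name contains line ending: #{name.inspect}"
  end
  if value.to_s.match?(LINE_ENDING)
    raise HeaderInjectionError, "header #{name} contains line ending: #{value.inspect}"
  end
  value
end

# Pre-fix shape: an embedded CRLF in a value ends the header line early, so
# whatever follows it is emitted as if it were a separate header.
def unchecked_response_head(status, headers)
  head = "HTTP/1.1 #{status}#{CRLF}"
  headers.each { |name, value| head << "#{name}: #{value}#{CRLF}" }
  head << CRLF
end

# Hardened shape: every header passes check_header before it is written.
def checked_response_head(status, headers)
  head = "HTTP/1.1 #{status}#{CRLF}"
  headers.each { |name, value| head << "#{name}: #{check_header(name, value)}#{CRLF}" }
  head << CRLF
end

# Number of header lines actually present on the wire; an extra line here
# means a value was split into two headers.
def header_line_count(head)
  head.split(CRLF).drop(1).take_while { |line| !line.empty? }.size
end

if __FILE__ == $0
  # Constructed untrusted input: one redirect target carrying an embedded CRLF.
  tainted = { "Location" => "/home\r\nX-Injected: yes" }
  puts unchecked_response_head(302, tainted).inspect
  begin
    checked_response_head(302, tainted)
  rescue HeaderInjectionError => e
    puts "rejected: #{e.message}"
  end
end
```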
--- Begin Message ---
Source: puma
Source-Version: 3.12.0-2+deb10u2
Done: Daniel Leidert <[email protected]>
We believe that the bug you reported is fixed in the latest version of
puma, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated puma package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 15 Oct 2020 23:39:36 +0200
Source: puma
Architecture: source
Version: 3.12.0-2+deb10u2
Distribution: buster
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 952766 953122 972102
Changes:
puma (3.12.0-2+deb10u2) buster; urgency=medium
.
* Team upload.
* d/patches/0009-disable-tests-failing-in-single-cpu.patch: Add author and
bug tracker information.
* d/patches/CVE-2020-5247.patch: Add patch to fix CVE-2020-5247.
- Fix: a header value could inject its own HTTP response (closes: #952766).
* d/patches/CVE-2020-5249.patch: Add patch to fix CVE-2020-5249.
- Fix splitting newlines in headers and another vector for HTTP injection
(closes: #953122).
* d/patches/CVE-2020-11076.patch: Add patch to fix CVE-2020-11076.
- Better handle client input to fix HTTP Smuggling via Transfer-Encoding
header (closes: #972102).
* d/patches/CVE-2020-11077.patch: Add patch to fix CVE-2020-11077.
- Reduce ambiguity of headers to fix HTTP Smuggling via Transfer-Encoding
header (closes: #972102).
* d/patches/series: Enable new patches.
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers