Bug#950795: buster-pu: package puma/3.12.0-2

2020-03-03 Thread Daniel Leidert
On Tuesday, 03.03.2020, at 20:37 +, Adam D. Barratt wrote:
> On Thu, 2020-02-06 at 17:33 +0100, Daniel Leidert wrote:
> > The proposed update will fix CVE-2019-16770 (#946312) for Buster
> > users. The security team marked the issue no-dsa and asked to
> > schedule the fix via the next point release. The debdiff is attached.
> > The patch to fix the CVE has been taken from upstream's Git
> > repository.
> 
> +puma (3.12.0-2+deb10u1) buster-security; urgency=medium
> 
> Just "buster" for p-u, please.

Yes, I already saw it. I prepared the upload first for security. But they asked
me to do the upload via p-u. I'll fix this.

> +Subject: Merge pull request from GHSA-7xx3-m584-x994
> +
> +could monopolize a thread. Previously, this could make a DoS attack more
> +severe.
> 
> Is there a missing line (or at least words) before "could monopolize"
> there?

No. This is the original commit message I kept from upstream. 

> In any case, please go ahead (with the fixed distribution).

Thanks.

Regards, Daniel




Processed: Re: Bug#950795: buster-pu: package puma/3.12.0-2

2020-03-03 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #950795 [release.debian.org] buster-pu: package puma/3.12.0-2
Added tag(s) confirmed.

-- 
950795: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950795
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#950795: buster-pu: package puma/3.12.0-2

2020-03-03 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2020-02-06 at 17:33 +0100, Daniel Leidert wrote:
> The proposed update will fix CVE-2019-16770 (#946312) for Buster
> users. The security team marked the issue no-dsa and asked to
> schedule the fix via the next point release. The debdiff is attached.
> The patch to fix the CVE has been taken from upstream's Git
> repository.

+puma (3.12.0-2+deb10u1) buster-security; urgency=medium

Just "buster" for p-u, please.

+Subject: Merge pull request from GHSA-7xx3-m584-x994
+
+could monopolize a thread. Previously, this could make a DoS attack more
+severe.

Is there a missing line (or at least words) before "could monopolize"
there?

In any case, please go ahead (with the fixed distribution).

Regards,

Adam



Bug#950795: buster-pu: package puma/3.12.0-2

2020-02-06 Thread Daniel Leidert
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


The proposed update will fix CVE-2019-16770 (#946312) for Buster users. The
security team marked the issue no-dsa and asked to schedule the fix via the
next point release. The debdiff is attached. The patch to fix the CVE has been
taken from upstream's Git repository.

The debdiff is attached.

Please let me know how to proceed.

Regards, Daniel


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru puma-3.12.0/debian/changelog puma-3.12.0/debian/changelog
--- puma-3.12.0/debian/changelog2019-02-10 14:26:47.0 +0100
+++ puma-3.12.0/debian/changelog2020-02-06 13:25:24.0 +0100
@@ -1,3 +1,12 @@
+puma (3.12.0-2+deb10u1) buster-security; urgency=medium
+
+  * Team upload.
+  * d/patches/CVE-2019-16770.patch: Add patch.
+- Backport fix for CVE-2019-16770 from upstream (closes: #946312).
+  * d/patches/series: Add patch.
+
+ -- Daniel Leidert   Thu, 06 Feb 2020 13:25:24 +0100
+
 puma (3.12.0-2) unstable; urgency=medium
 
   * Disable tests failing in single cpu (Closes: #921931)
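Review bot: the distribution on the first line of the new entry, `puma (3.12.0-2+deb10u1) buster-security; urgency=medium`, targets the security suite, but this is a proposed-update (p-u) upload and must target `buster`, as Adam asks further up the thread; the version `3.12.0-2+deb10u1` itself is right for a stable update. The two bullets `d/patches/CVE-2019-16770.patch: Add patch.` and `d/patches/series: Add patch.` could be folded into a single entry that names the CVE and the Debian bug, since the series change only exists to enable the patch.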
diff -Nru puma-3.12.0/debian/patches/CVE-2019-16770.patch 
puma-3.12.0/debian/patches/CVE-2019-16770.patch
--- puma-3.12.0/debian/patches/CVE-2019-16770.patch 1970-01-01 
01:00:00.0 +0100
+++ puma-3.12.0/debian/patches/CVE-2019-16770.patch 2020-02-06 
13:25:24.0 +0100
@@ -0,0 +1,69 @@
+From: Nate Berkopec 
+Date: Thu, 5 Dec 2019 14:19:32 +0700
+Subject: Merge pull request from GHSA-7xx3-m584-x994
+
+could monopolize a thread. Previously, this could make a DoS attack more
+severe.
+
+Co-authored-by: Evan Phoenix 
+
+Debian-Bug: https://bugs.debian.org/946312
+Acked-By: Daniel Leidert 
+Origin: 
https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e.patch
+---
+ lib/puma/const.rb  |  7 +++
+ lib/puma/server.rb | 16 +++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/lib/puma/const.rb b/lib/puma/const.rb
+index f9e0a2a..7fc105c 100644
+--- a/lib/puma/const.rb
 b/lib/puma/const.rb
+@@ -116,6 +116,13 @@ module Puma
+ # sending data back
+ WRITE_TIMEOUT = 10
+ 
++# How many requests to attempt inline before sending a client back to
++# the reactor to be subject to normal ordering. The idea here is that
++# we amortize the cost of going back to the reactor for a well behaved
++# but very "greedy" client across 10 requests. This prevents a not
++# well behaved client from monopolizing the thread forever.
++MAX_FAST_INLINE = 10
++
+ # The original URI requested by the client.
+ REQUEST_URI= 'REQUEST_URI'.freeze
+ REQUEST_PATH = 'REQUEST_PATH'.freeze
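Review bot: the comment above `MAX_FAST_INLINE = 10` repeats the value in prose ("across 10 requests"), so the comment and the constant will drift apart if the cap is ever tuned; phrase it in terms of the name, e.g. "across MAX_FAST_INLINE requests". The cap is also introduced as a plain module constant rather than a server option, so there is no per-deployment knob for it; that is upstream's choice and fine for a backport, but worth a sentence in the changelog so operators know the behaviour change is fixed at 10.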
+diff --git a/lib/puma/server.rb b/lib/puma/server.rb
+index e2e862f..66a982a 100644
+--- a/lib/puma/server.rb
 b/lib/puma/server.rb
+@@ -468,6 +468,8 @@ module Puma
+ clean_thread_locals = @options[:clean_thread_locals]
+ close_socket = true
+ 
++requests = 0
++
+ while true
+   case handle_request(client, buffer)
+   when false
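Review bot: `requests = 0` is initialised above the `while true` loop and, in the visible lines, nothing inside the loop resets it, so it counts every request served inline on this connection for the lifetime of the enclosing call; that matches the intent of the cap, but a one-line comment at the declaration saying so and naming `MAX_FAST_INLINE` (e.g. `requests = 0 # inline requests on this connection, capped by MAX_FAST_INLINE`) would spare the next reader the trip to const.rb.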
+@@ -481,7 +483,19 @@ module Puma
+ 
+ ThreadPool.clean_thread_locals if clean_thread_locals
+ 
+-unless client.reset(@status == :run)
++requests += 1
++
++check_for_more_data = @status == :run
++
++if requests >= MAX_FAST_INLINE
++  # This will mean that reset will only try to use the data it 
already
++  # has buffered and won't try to read more data. What this means 
is that
++  # every client, independent of their request speed, gets 
treated like a slow
++  # one once every