An update for rubygem-puma is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1203
Final
1.0
1.0
2021-06-07
Initial
2021-06-07
2021-06-07
openEuler SA Tool V1.0
2021-06-07
rubygem-puma security update
An update for rubygem-puma is now available for openEuler-20.03-LTS-SP1.
A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.
Security Fix(es):
Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests False` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma. (CVE-2021-29509)
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
rubygem-puma
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1203
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-29509
https://nvd.nist.gov/vuln/detail/CVE-2021-29509
openEuler-20.03-LTS-SP1
rubygem-puma-3.12.6-2.oe1.aarch64.rpm
rubygem-puma-debugsource-3.12.6-2.oe1.aarch64.rpm
rubygem-puma-debuginfo-3.12.6-2.oe1.aarch64.rpm
rubygem-puma-doc-3.12.6-2.oe1.noarch.rpm
rubygem-puma-3.12.6-2.oe1.src.rpm
rubygem-puma-debugsource-3.12.6-2.oe1.x86_64.rpm
rubygem-puma-3.12.6-2.oe1.x86_64.rpm
rubygem-puma-debuginfo-3.12.6-2.oe1.x86_64.rpm
Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests False` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.
2021-06-07
CVE-2021-29509
openEuler-20.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
rubygem-puma security update
2021-06-07
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1203