* CVE-2020-11076
  Description: "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4."
  Advisory: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h

* CVE-2020-11077
  Description: "In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5."
  Advisory: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
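Both advisories come down to a proxy and the server disagreeing on where one request's body ends, which happens when an ambiguous or invalid Transfer-Encoding header is resolved differently by the two sides. As an added illustration (not Puma's code or its patch), the Ruby check below applies the RFC 7230 section 3.3.3 framing rules strictly and rejects any request whose body length cannot be determined unambiguously; the parse_head helper and the sample request heads are constructed for this example.

```ruby
# Added example: strict request-framing check so that a server never guesses
# a body length that a proxy in front of it might compute differently.
# Not Puma's code; inputs below are constructed for illustration.

# Transfer codings registered for HTTP/1.1 (RFC 7230 section 4).
KNOWN_CODINGS = %w[chunked gzip deflate compress x-gzip x-compress].freeze

# Parse a raw request head into { lowercase-name => [raw values...] },
# keeping repeated header lines so conflicts remain visible.
def parse_head(raw)
  headers = Hash.new { |h, k| h[k] = [] }
  raw.split("\r\n").drop(1).each do |line|
    next if line.empty?
    name, value = line.split(":", 2)
    headers[name.strip.downcase] << value.to_s.strip
  end
  headers
end

# Returns [:ok, :chunked], [:ok, [:length, n]] or [:reject, reason].
def check_framing(headers)
  te = Array(headers["transfer-encoding"]).flat_map { |v| v.split(",") }
                                           .map { |c| c.strip.downcase }
                                           .reject(&:empty?)
  cl = Array(headers["content-length"]).flat_map { |v| v.split(",") }.map(&:strip)

  unless te.empty?
    # RFC 7230 3.3.3: a message carrying both headers is malformed. Rejecting it
    # removes the case where the proxy uses one header and the server the other.
    return [:reject, "transfer-encoding together with content-length"] unless cl.empty?
    unknown = te - KNOWN_CODINGS
    # An unrecognised coding must be rejected, not ignored (RFC 7230 3.3.1).
    return [:reject, "unknown transfer-coding: #{unknown.first}"] unless unknown.empty?
    # chunked must be the final coding, exactly once, or the body length is undefined.
    return [:reject, "chunked is not the final transfer-coding"] unless te.last == "chunked"
    return [:reject, "chunked applied more than once"] if te.count("chunked") > 1
    return [:ok, :chunked]
  end

  unless cl.empty?
    # Non-numeric or conflicting Content-Length values leave the length ambiguous.
    return [:reject, "invalid content-length"] unless cl.all? { |v| v.match?(/\A\d+\z/) }
    return [:reject, "conflicting content-length values"] unless cl.uniq.size == 1
    return [:ok, [:length, cl.first.to_i]]
  end

  # No framing header at all: the request has no body.
  [:ok, [:length, 0]]
end
```

A proxy that applies the same rule on its own side closes the disagreement from the other direction; the point is that each hop rejects rather than reinterprets.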
@maintainer(s), please bump to 4.3.5/3.12.6.
(In reply to Sam James from comment #1)
> @maintainer(s), please bump to 4.3.5/3.12.6.

Have they been released?

puma $ git tag -l | grep 3.12
v3.12.0
v3.12.1
v3.12.2
v3.12.3
v3.12.4
v3.12.5
puma $ git tag -l | grep 4.3
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
(In reply to John Helmert III (ajak) from comment #2)
> (In reply to Sam James from comment #1)
> > @maintainer(s), please bump to 4.3.5/3.12.6.
>
> Have they been released?

They are released on rubygems: https://rubygems.org/gems/puma/ but our ebuilds are based on the tagged versions in github since we want to run the test suite. I'll see if the changes can be backported.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=866b1c92b435b1c6d03ed2e4dfb664a073ad089c

commit 866b1c92b435b1c6d03ed2e4dfb664a073ad089c
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2020-07-19 09:29:11 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2020-07-19 09:29:27 +0000

    www-servers/puma: backport CVE-2020-11077 fixes

    Upstream created releases but did not tag them so we cannot use them
    for our ebuilds. Backport the patches to address the security issue.

    Bug: https://bugs.gentoo.org/724800
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 .../puma/files/puma-3.12.5-cve-2020-11077.patch | 114 ++++++++++++++++++++
 .../puma/files/puma-4.3.4-cve-2020-11077.patch  | 115 +++++++++++++++++++++
 www-servers/puma/puma-3.12.5-r1.ebuild          |  71 +++++++++++++
 www-servers/puma/puma-4.3.4-r1.ebuild           |  75 ++++++++++++++
 4 files changed, 375 insertions(+)
(In reply to Hans de Graaff from comment #3)
> (In reply to John Helmert III (ajak) from comment #2)
> > (In reply to Sam James from comment #1)
> > > @maintainer(s), please bump to 4.3.5/3.12.6.
> >
> > Have they been released?
>
> They are released on rubygems: https://rubygems.org/gems/puma/ but our
> ebuilds are based on the tagged versions in github since we want to run the
> test suite. I'll see if the changes can be backported.

Thank you for doing that. Let us know when it's ready for stabilisation.
ping, ready to stable?
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA vote: no
Cleanup done.
Unable to check for sanity:

> no match for package: www-servers/puma-3.12.5-r1
(In reply to Hans de Graaff from comment #10)
> Cleanup done.

Thanks! noglsa, all done.
Oops, had to be reverted. :(

https://qa-reports.gentoo.org/output/gentoo-ci/e816065322/output.html

commit b843f088a13cf821b48c650e46224c2291bb1a87
Author: Thomas Deutschmann <whissi@gentoo.org>
Date:   Fri Aug 14 01:09:28 2020 +0200

    Revert "www-servers/puma: cleanup"

    This reverts commit cada7bf5534e62ad776c0eccdd82d08219e0483c.

    Removed www-servers/puma versions are still needed by

    - dev-ruby/actionpack
    - dev-ruby/capybara
    - dev-ruby/patron

    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 create mode 100644 www-servers/puma/puma-3.12.4.ebuild
 create mode 100644 www-servers/puma/puma-3.12.5-r1.ebuild
 create mode 100644 www-servers/puma/puma-4.3.3.ebuild
 create mode 100644 www-servers/puma/puma-4.3.4.ebuild
Correct cleanup now done. Sorry for the additional noise.
(In reply to Hans de Graaff from comment #14)
> Correct cleanup now done. Sorry for the additional noise.

You maintain a large number of packages, always responsive, and are as quick as you can be with us regularly. The odd mistake doesn't matter at all!

All done, thanks!