Bug 702316 (CVE-2019-16770)

Summary:	<www-servers/puma-3.12.2: Denial of Service vulnerability (CVE-2019-16770)
Product:	Gentoo Security	Reporter:	Hans de Graaff <graaff>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	ruby
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
Whiteboard:	B3 [noglsa]
Package list:	www-servers/puma-3.12.2	Runtime testing required:	---

Description Hans de Graaff gentoo-dev

2019-12-09 05:26:48 UTC

Impact

A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack.

If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
Patches

This vulnerability is patched in Puma 4.3.1 and 3.12.2.

Workarounds

Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.

Comment 1 Hans de Graaff gentoo-dev

2019-12-09 05:45:26 UTC

puma 3.12.2 and puma 4.3.1 have been added.

Comment 2 Agostino Sarubbo gentoo-dev

2019-12-09 14:39:11 UTC

amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2019-12-10 09:46:16 UTC

x86 stable.

Maintainer(s), please cleanup.

Comment 4 Hans de Graaff gentoo-dev

2019-12-14 09:40:01 UTC

Cleanup done.

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-17 14:30:59 UTC

GLSA Vote: No!

Repository is clean, all done.