Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 794034 (CVE-2021-29509)

Summary: <www-servers/puma-5.3.1: keepalive connections causing denial of service (CVE-2021-29509)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
Whiteboard: B3 [glsa+]
Package list:
www-servers/puma-5.3.2-r1
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-03 13:21:37 UTC
CVE-2021-29509:

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.

A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.


Please stabilize 5.3.1.
Comment 1 Agostino Sarubbo gentoo-dev 2021-06-06 07:15:15 UTC
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2021-06-06 07:16:27 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 3 Hans de Graaff gentoo-dev Security 2021-06-06 07:19:11 UTC
Cleanup done.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-06 15:35:38 UTC
Thank you!
Comment 5 NATTkA bot gentoo-dev 2021-06-22 18:20:26 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2022-02-05 07:00:46 UTC
Unable to check for sanity:

> no match for package: www-servers/puma-5.3.2-r1
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 05:05:17 UTC
GLSA request filed
Comment 8 Larry the Git Cow gentoo-dev 2022-08-14 21:43:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=74f54f14d9074878f0b2b711ab3064799b15e9cb

commit 74f54f14d9074878f0b2b711ab3064799b15e9cb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 21:41:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 21:43:20 +0000

    [ GLSA 202208-28 ] Puma: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/794034
    Bug: https://bugs.gentoo.org/817893
    Bug: https://bugs.gentoo.org/833155
    Bug: https://bugs.gentoo.org/836431
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-28.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 21:43:50 UTC
GLSA done, all done.