Bug 939950 (CVE-2024-45614) - <www-servers/puma-6.4.3: Header normalization allows for client to clobber proxy set headers
Status: CONFIRMED
Alias: CVE-2024-45614
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/puma/puma/security...
Whiteboard: B4 [glsa?]
Keywords:
Depends on: 941220
Blocks:
Reported: 2024-09-21 06:18 UTC by Hans de Graaff
Modified: 2024-11-01 10:00 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hans de Graaff gentoo-dev Security 2024-09-21 06:18:03 UTC
Impact

Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.
Patches

v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists, effectively allowing the proxy-defined headers to always win.
Workarounds

Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level.

Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.
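The collision and the shape of the fix described in the advisory above, as an added example that is not Puma's own code and not part of the bug report. It models how a Rack server turns header names into env keys (upcase, "-" becomes "_", "HTTP_" prefix), so that a client-sent "X-Forwarded_For" lands on the same key as the proxy-set "X-Forwarded-For". The function names (rack_env_vulnerable, rack_env_fixed, forwarded_client, secure_request?) are hypothetical, the sample request is constructed, and the header order (proxy-added headers before pass-through client headers) is an assumption about how the proxy builds the upstream request; the "last header wins" behaviour models the clobbering the advisory describes rather than reproducing Puma's parser line for line.

```ruby
# Added example (not Puma's code). Models the header-normalization collision
# behind CVE-2024-45614 and the fix shape from the advisory: drop any header
# whose raw name contains '_' when a '_'-free spelling of it is also present.
# Function names are hypothetical; SAMPLE_HEADERS is constructed input.

# Rack env key for an incoming header: "X-Forwarded-For" and "X-Forwarded_For"
# both become "HTTP_X_FORWARDED_FOR".
def rack_header_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Pre-fix model: every header maps onto its normalized key and the later
# header wins, so the client's underscore spelling clobbers the proxy's value.
def rack_env_vulnerable(headers)
  headers.each_with_object({}) do |(name, value), env|
    env[rack_header_key(name)] = value
  end
end

# Fixed model (6.4.3/5.6.9 behaviour as described in the advisory): a header
# whose raw name contains '_' is discarded whenever a hyphen-only spelling of
# the same header exists in the request, so the proxy-defined header always
# wins. Underscore headers with no hyphen twin are kept unchanged.
def rack_env_fixed(headers)
  hyphen_only = headers.map(&:first)
                       .reject { |n| n.include?("_") }
                       .map { |n| rack_header_key(n) }
  headers.each_with_object({}) do |(name, value), env|
    key = rack_header_key(name)
    next if name.include?("_") && hyphen_only.include?(key)
    env[key] = value
  end
end

# What an application that trusts its proxy typically reads back from env.
def forwarded_client(env)
  { ip: env["HTTP_X_FORWARDED_FOR"], proto: env["HTTP_X_FORWARDED_PROTO"] }
end

# A trusting app decides "is this connection TLS?" from the proxy header;
# a clobbered X-Forwarded-Proto is how the downgrade in the advisory happens.
def secure_request?(env)
  forwarded_client(env)[:proto] == "https"
end

# Constructed request as seen by the app server (assumption: the proxy's own
# headers come first, then client headers the proxy chose to pass through).
SAMPLE_HEADERS = [
  ["Host", "app.example.com"],
  ["X-Forwarded-For", "203.0.113.7"],  # set by the trusted proxy
  ["X-Forwarded-Proto", "https"],      # set by the trusted proxy
  ["X-Forwarded_For", "10.0.0.1"],     # attacker-controlled spelling
  ["X-Forwarded_Proto", "http"],       # attacker-controlled spelling
  ["X-Custom_Header", "kept"],         # underscore header with no hyphen twin
].freeze

if __FILE__ == $PROGRAM_NAME
  vuln  = rack_env_vulnerable(SAMPLE_HEADERS)
  fixed = rack_env_fixed(SAMPLE_HEADERS)
  puts "vulnerable: #{forwarded_client(vuln)} secure=#{secure_request?(vuln)}"
  puts "fixed:      #{forwarded_client(fixed)} secure=#{secure_request?(fixed)}"
end
```

On the pre-fix env the app sees the attacker's IP and believes the request arrived over plain HTTP; on the fixed env both proxy values survive and the unrelated X-Custom_Header is still delivered. Note that the nginx workaround relies on the default of underscores_in_headers being off, which makes nginx treat underscore header names as invalid and drop them before the request reaches Puma; a proxy that forwards them unchanged offers no such protection.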
Comment 1 Larry the Git Cow gentoo-dev 2024-09-22 05:34:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62081c0524120d1b1b4a1ab858eb84f0e9e17f9a

commit 62081c0524120d1b1b4a1ab858eb84f0e9e17f9a
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-09-22 05:33:18 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 05:34:19 +0000

    www-servers/puma: add 6.4.3
    
    Bug: https://bugs.gentoo.org/939950
    Closes: https://bugs.gentoo.org/939786
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/puma/Manifest          |  1 +
 www-servers/puma/puma-6.4.3.ebuild | 83 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-11-01 10:00:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=622d77b81dbc631fc957590965452b0244a60a76

commit 622d77b81dbc631fc957590965452b0244a60a76
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-11-01 09:59:13 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-11-01 09:59:45 +0000

    www-servers/puma: drop 6.3.1, 6.4.2
    
    Bug: https://bugs.gentoo.org/939950
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/puma/Manifest          |  2 --
 www-servers/puma/puma-6.3.1.ebuild | 67 -------------------------------------
 www-servers/puma/puma-6.4.2.ebuild | 68 --------------------------------------
 3 files changed, 137 deletions(-)