Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 702316 (CVE-2019-16770) - <www-servers/puma-3.12.2: Denial of Service vulnerability (CVE-2019-16770)
Summary: <www-servers/puma-3.12.2: Denial of Service vulnerability (CVE-2019-16770)
Status: RESOLVED FIXED
Alias: CVE-2019-16770
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/puma/puma/security...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-09 05:26 UTC by Hans de Graaff
Modified: 2020-03-17 14:30 UTC (History)
1 user (show)

See Also:
Package list:
www-servers/puma-3.12.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2019-12-09 05:26:48 UTC
Impact

A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack.

If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
Patches

This vulnerability is patched in Puma 4.3.1 and 3.12.2.

Workarounds

Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.
Comment 1 Hans de Graaff gentoo-dev 2019-12-09 05:45:26 UTC
puma 3.12.2 and puma 4.3.1 have been added.
Comment 2 Agostino Sarubbo gentoo-dev 2019-12-09 14:39:11 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-10 09:46:16 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 4 Hans de Graaff gentoo-dev 2019-12-14 09:40:01 UTC
Cleanup done.
Comment 5 Thomas Deutschmann gentoo-dev Security 2020-03-17 14:30:59 UTC
GLSA Vote: No!

Repository is clean, all done.