"In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4."
"In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5."
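The proxy/backend desync described in the CVE-2020-11077 text above, as an added example in Ruby. This is not Puma's code and it does not reproduce the specific header Puma mis-parsed; it assumes a hypothetical framing disagreement (the proxy frames by Content-Length only, the backend lets Transfer-Encoding: chunked take precedence) so that the misrouted response is observable. The request bytes and the names split_requests, PROXY_FRAMER, BACKEND_FRAMER, Backend, run_proxy and demo are all constructed for this example.

```ruby
# Added example: model of a pipelining desync between a proxy and a backend
# sharing one persistent connection. Not Puma's code; the framing rules below
# are an assumed disagreement, not the actual bug.

# Split a byte stream into HTTP/1.1 requests. +framer+ decides how long the
# body is from the parsed headers. Returns [{line:, body:}, ...].
def split_requests(stream, framer)
  requests = []
  pos = 0
  while (hdr_end = stream.index("\r\n\r\n", pos))
    lines = stream[pos...hdr_end].split("\r\n").reject(&:empty?)
    headers = lines.drop(1).map do |l|
      k, v = l.split(":", 2)
      [k.strip.downcase, v.to_s.strip]
    end.to_h
    body_start = hdr_end + 4
    body_len = framer.call(headers, stream, body_start)
    requests << { line: lines.first, body: stream[body_start, body_len] }
    pos = body_start + body_len
  end
  requests
end

# Assumed proxy-side framing: honours Content-Length only.
PROXY_FRAMER = lambda do |headers, _stream, _body_start|
  headers.fetch("content-length", "0").to_i
end

# Assumed backend-side framing: Transfer-Encoding: chunked wins and the body
# ends at the zero-length chunk (only the terminator is modelled here);
# otherwise Content-Length.
BACKEND_FRAMER = lambda do |headers, stream, body_start|
  if headers["transfer-encoding"] == "chunked"
    term = stream.index("0\r\n\r\n", body_start)
    term ? term + 5 - body_start : stream.length - body_start
  else
    headers.fetch("content-length", "0").to_i
  end
end

# Backend on the far end of the proxy's persistent connection. It queues one
# response per request it frames; the proxy never learns how many that was.
class Backend
  def initialize(framer)
    @framer = framer
    @responses = []
  end

  def write(bytes)
    split_requests(bytes, @framer).each do |req|
      @responses << "HTTP/1.1 200 OK\r\n\r\nresponse for: #{req[:line]}\r\n"
    end
  end

  def read_response
    @responses.shift
  end
end

# The proxy forwards each client's raw bytes unchanged, then reads back one
# response per request *it* framed, in order. Any extra request the backend
# saw leaves a stray response in the queue for the next client.
def run_proxy(clients, backend_framer)
  backend = Backend.new(backend_framer)
  delivered = {}
  clients.each do |name, bytes|
    forwarded = split_requests(bytes, PROXY_FRAMER)
    backend.write(bytes)
    delivered[name] = forwarded.map { backend.read_response }
  end
  delivered
end

# Constructed traffic: client A pipelines a second request inside what the
# proxy believes is the first request's body; client B is an unrelated user.
SMUGGLED = "GET /smuggled HTTP/1.1\r\nHost: example\r\n\r\n"
AMBIGUOUS_BODY = "0\r\n\r\n" + SMUGGLED
CLIENT_A = "POST / HTTP/1.1\r\nHost: example\r\n" \
           "Content-Length: #{AMBIGUOUS_BODY.length}\r\n" \
           "Transfer-Encoding: chunked\r\n\r\n" + AMBIGUOUS_BODY
CLIENT_B = "GET /account HTTP/1.1\r\nHost: example\r\n\r\n"

# Runs the same traffic twice: once with the disagreeing backend framer
# (B receives the response meant for A's smuggled request) and once with
# both sides framing identically (B receives its own response).
def demo
  traffic = [["A", CLIENT_A], ["B", CLIENT_B]]
  { desynced: run_proxy(traffic, BACKEND_FRAMER),
    aligned:  run_proxy(traffic, PROXY_FRAMER) }
end

demo.each { |mode, result| puts "#{mode}: #{result}" } if $PROGRAM_NAME == __FILE__
```

The second run shows the property a fix has to restore: the proxy and the backend must agree on where every message ends (or the backend must refuse the ambiguous message and close the connection), otherwise the shared response queue drifts by one and stays misaligned for every later client on that connection.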
@maintainer(s), please bump to 4.3.5/3.12.6.
(In reply to Sam James from comment #1)
> @maintainer(s), please bump to 4.3.5/3.12.6.
Have they been released?
puma $ git tag -l | grep 3.12
puma $ git tag -l | grep 4.3
(In reply to John Helmert III (ajak) from comment #2)
> (In reply to Sam James from comment #1)
> > @maintainer(s), please bump to 4.3.5/3.12.6.
> Have they been released?
They are released on rubygems: https://rubygems.org/gems/puma/ but our ebuilds are based on the tagged versions in github since we want to run the test suite. I'll see if the changes can be backported.
The bug has been referenced in the following commit(s):
Author: Hans de Graaff <email@example.com>
AuthorDate: 2020-07-19 09:29:11 +0000
Commit: Hans de Graaff <firstname.lastname@example.org>
CommitDate: 2020-07-19 09:29:27 +0000
www-servers/puma: backport CVE-2020-11077 fixes
Upstream created releases but did not tag them so we cannot
use them for our ebuilds. Backport the patches to address the security
Package-Manager: Portage-2.3.103, Repoman-2.3.23
Signed-off-by: Hans de Graaff <email@example.com>
.../puma/files/puma-3.12.5-cve-2020-11077.patch | 114 ++++++++++++++++++++
.../puma/files/puma-4.3.4-cve-2020-11077.patch | 115 +++++++++++++++++++++
www-servers/puma/puma-3.12.5-r1.ebuild | 71 +++++++++++++
www-servers/puma/puma-4.3.4-r1.ebuild | 75 ++++++++++++++
4 files changed, 375 insertions(+)
(In reply to Hans de Graaff from comment #3)
> (In reply to John Helmert III (ajak) from comment #2)
> > (In reply to Sam James from comment #1)
> > > @maintainer(s), please bump to 4.3.5/3.12.6.
> > Have they been released?
> They are released on rubygems: https://rubygems.org/gems/puma/ but our
> ebuilds are based on the tagged versions in github since we want to run the
> test suite. I'll see if the changes can be backported.
Thank you for doing that. Let us know when it's ready for stabilisation.
ping, ready to stable?
Maintainer(s), please cleanup.
Security, please vote.
GLSA vote: no
Unable to check for sanity:
> no match for package: www-servers/puma-3.12.5-r1
(In reply to Hans de Graaff from comment #10)
> Cleanup done.
Thanks! noglsa, all done.
Oops, had to be reverted. :(
Author: Thomas Deutschmann <firstname.lastname@example.org>
Date: Fri Aug 14 01:09:28 2020 +0200
Revert "www-servers/puma: cleanup"
This reverts commit cada7bf5534e62ad776c0eccdd82d08219e0483c.
Removed www-servers/puma versions are still needed by
Signed-off-by: Thomas Deutschmann <email@example.com>
create mode 100644 www-servers/puma/puma-3.12.4.ebuild
create mode 100644 www-servers/puma/puma-3.12.5-r1.ebuild
create mode 100644 www-servers/puma/puma-4.3.3.ebuild
create mode 100644 www-servers/puma/puma-4.3.4.ebuild
Correct cleanup now done. Sorry for the additional noise.
(In reply to Hans de Graaff from comment #14)
> Correct cleanup now done. Sorry for the additional noise.
You maintain a large number of packages, always responsive, and are as quick as you can be with us regularly. The odd mistake doesn't matter at all!
All done, thanks!