Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711336 (CVE-2020-5249) - <www-servers/puma-{3.12.4,4.3.3}: HTTP response splitting (CVE-2020-5249)
Summary: <www-servers/puma-{3.12.4,4.3.3}: HTTP response splitting (CVE-2020-5249)
Status: RESOLVED FIXED
Alias: CVE-2020-5249
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/puma/puma/security...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-02 17:24 UTC by Sam James
Modified: 2020-03-15 02:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 17:24:15 UTC 
Description:
"In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4."

Patch: https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 02:08:01 UTC 
GLSA Vote: No!

Repository is clean, all done!