Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. The following vulnerabilities are addressed by this advisory:

- Incorrect parsing of trailing fields in chunked transfer encoding bodies
- Parsing of blank/zero-length Content-Length headers

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.
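For reference, the two framing rules the advisory names, written out as an added example (not puma's code, and not the upstream fix): a Content-Length validator that refuses blank or non-digit values instead of reading them as 0, and a chunked-body decoder that stops exactly at the end of the trailer section and refuses framing fields there. Input is assumed to be a binary string holding the raw body bytes.

```ruby
# Added example (not puma's code): strict handling of a blank Content-Length
# and of the trailer section of a chunked body, so both ends of a proxy chain
# agree on where each message ends.
module StrictHttp
  CONTENT_LENGTH_RE = /\A[0-9]+\z/
  CHUNK_SIZE_RE     = /\A[0-9A-Fa-f]+\z/
  FRAMING_FIELDS    = %w[content-length transfer-encoding].freeze

  # RFC 9112 s6.3: Content-Length is 1*DIGIT. A blank or non-numeric value is
  # rejected outright rather than silently treated as 0.
  def self.content_length(value)
    raise ArgumentError, "invalid Content-Length: #{value.inspect}" unless value.match?(CONTENT_LENGTH_RE)
    value.to_i
  end

  # Decodes a chunked body from a binary string. Returns [body, trailers, rest]:
  # the trailer section (RFC 9112 s7.1.2) follows the zero-size chunk and ends
  # at the first empty line; every byte after that belongs to the next message.
  def self.decode_chunked(data)
    body = +''
    pos = 0
    loop do
      eol = data.index("\r\n", pos) or raise ArgumentError, 'truncated chunk-size line'
      size_field = data[pos...eol].split(';', 2).first.rstrip # drop chunk extensions
      raise ArgumentError, "bad chunk size: #{size_field.inspect}" unless size_field.match?(CHUNK_SIZE_RE)
      size = size_field.to_i(16)
      pos = eol + 2
      break if size.zero?
      chunk = data[pos, size]
      raise ArgumentError, 'truncated chunk data' if chunk.nil? || chunk.bytesize < size
      raise ArgumentError, 'chunk data not followed by CRLF' unless data[pos + size, 2] == "\r\n"
      body << chunk
      pos += size + 2
    end
    trailers = {}
    loop do
      eol = data.index("\r\n", pos) or raise ArgumentError, 'truncated trailer section'
      line = data[pos...eol]
      pos = eol + 2
      break if line.empty?
      name, val = line.split(':', 2)
      raise ArgumentError, "malformed trailer: #{line.inspect}" if val.nil?
      name = name.strip.downcase
      # RFC 9110 s6.5.1: message-framing fields are not allowed as trailers.
      raise ArgumentError, "forbidden trailer field: #{name}" if FRAMING_FIELDS.include?(name)
      trailers[name] = val.strip
    end
    [body, trailers, data[pos..]]
  end
end
```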
puma 6.3.1 has been added. A stable bug will be filed in a few days. puma 5.6.7 has not been published yet and 5.6.6 (not added) has various test failures, so the plan is to remove the puma 5.x versions altogether and just keep puma 6.x.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=040b95932b83a009e841367e126ce69de245b4e5

commit 040b95932b83a009e841367e126ce69de245b4e5
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-09-22 05:53:57 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-22 05:54:50 +0000

    www-servers/puma: drop 5.6.5, 6.1.1-r1, 6.2.2, 6.3.0

    Bug: https://bugs.gentoo.org/912424
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/puma/Manifest             |  4 ---
 www-servers/puma/puma-5.6.5.ebuild    | 59 --------------------------------
 www-servers/puma/puma-6.1.1-r1.ebuild | 62 ---------------------------------
 www-servers/puma/puma-6.2.2.ebuild    | 64 -----------------------------------
 www-servers/puma/puma-6.3.0.ebuild    | 64 -----------------------------------
 5 files changed, 253 deletions(-)
GLSA vote: no.