| Name | CVE-2019-16770 |
| Description | In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3023-1 |
| Debian Bugs | 946312 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| puma (PTS) | stretch (security), stretch (lts), stretch | 3.6.0-1+deb9u2 | fixed |
| buster (security), buster, buster (lts) | 3.12.0-2+deb10u3 | fixed |
| bullseye | 4.3.8-1+deb11u2 | fixed |
| bullseye (security) | 4.3.8-1+deb11u3 | fixed |
| bookworm | 5.6.5-3 | fixed |
| sid, trixie | 6.4.3-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| puma | source | stretch | 3.6.0-1+deb9u2 | | DLA-3023-1 | |
| puma | source | buster | 3.12.0-2+deb10u1 | | | |
| puma | source | (unstable) | 3.12.0-4 | | | 946312 |
Notes
https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
This is an incomplete fix. When fixing this issue make sure to also apply
the fix for CVE-2021-29509 to not open that CVE.