CVE-2019-16770

Name: CVE-2019-16770
Description: In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 946312

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version             Status
puma (PTS)       stretch              3.6.0-1             vulnerable
                 stretch (security)   3.6.0-1+deb9u1      vulnerable
                 buster               3.12.0-2+deb10u2    fixed
                 bookworm, bullseye   4.3.8-1             fixed
                 sid                  5.5.2-2             fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version       Urgency   Origin   Debian Bugs
puma      source   buster       3.12.0-2+deb10u1    -         -        -
puma      source   (unstable)   3.12.0-4            -         -        946312

Notes

[stretch] - puma <no-dsa> (Minor issue)
https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
This is an incomplete fix. When fixing this issue, make sure to also apply
the fix for CVE-2021-29509 so as not to open that CVE.
