CVE-2019-16770

Name: CVE-2019-16770
Description: In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3023-1
Debian Bugs: 946312

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                     Version            Status
puma (PTS)       stretch (security), stretch (lts), stretch  3.6.0-1+deb9u2     fixed
                 buster (security), buster, buster (lts)     3.12.0-2+deb10u3   fixed
                 bullseye                                    4.3.8-1+deb11u2    fixed
                 bullseye (security)                         4.3.8-1+deb11u3    fixed
                 bookworm                                    5.6.5-3            fixed
                 sid, trixie                                 6.4.3-1            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version      Urgency   Origin       Debian Bugs
puma      source   stretch      3.6.0-1+deb9u2               DLA-3023-1
puma      source   buster       3.12.0-2+deb10u1
puma      source   (unstable)   3.12.0-4                                  946312

Notes

https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
The commit above is an incomplete fix. When fixing this issue, make sure to also apply
the fix for CVE-2021-29509 so that this change does not introduce that CVE.
