CVE-2024-21647

Name	CVE-2024-21647
Description	Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1060345

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
puma (PTS)	stretch (security), stretch (lts), stretch	3.6.0-1+deb9u2	vulnerable
	buster (security), buster, buster (lts)	3.12.0-2+deb10u3	vulnerable
	bullseye (security), bullseye	4.3.8-1+deb11u2	vulnerable
	bookworm	5.6.5-3	vulnerable
	sid, trixie	6.4.2-6	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
puma	source	stretch	(unfixed)	end-of-life
puma	source	(unstable)	6.4.2-1			1060345

Notes

[bookworm] - puma <no-dsa> (Minor issue)
[bullseye] - puma <no-dsa> (Minor issue)
[buster] - puma <no-dsa> (Minor issue)
https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d (v5.6.8)