- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3947-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
November 06, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : puma
Version        : 4.3.8-1+deb11u3
CVE ID         : CVE-2024-21647 CVE-2024-45614


Two vulnerabilities have been fixed in puma, a threaded HTTP server
for Ruby/Rack applications. 

CVE-2024-21647

    Incorrect behavior when parsing chunked transfer encoding bodies
    in a way that allowed HTTP request smuggling. Fixed versions
    limits the size of chunk extensions. Without this limit, an
    attacker could cause unbounded resource (CPU, network bandwidth)
    consumption.

CVE-2024-45614

    Clients could clobber values set by intermediate proxies (such as
    X-Forwarded-For) by providing a underscore version of the same
    header (X-Forwarded_For). Any users relying on proxy set variables
    is affected.

For Debian 11 bullseye, these problems have been fixed in version
4.3.8-1+deb11u3.

We recommend that you upgrade your puma packages.

For the detailed security status of puma please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/puma

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS