[gentoo-announce] [ GLSA 202208-28 ] Puma: Multiple Vulnerabilities - gentoo-announce

From:	glsamaker@g.o
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202208-28 ] Puma: Multiple Vulnerabilities
Date:	Sun, 14 Aug 2022 21:44:14
Message-Id:	`166051340510.12.9602443197763892536@7b72ab9f548d`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202208-28

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Low

8

    Title: Puma: Multiple Vulnerabilities

9

     Date: August 14, 2022

10

     Bugs: #794034, #817893, #833155, #836431

11

       ID: 202208-28

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been discovered in Puma, the worst of

19

which could result in denial of service.

20

21

Background

22

==========

23

24

Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server

25

for Ruby/Rack.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  www-servers/puma           < 5.6.4                      >= 5.6.4

34

35

Description

36

===========

37

38

Multiple vulnerabilities have been discovered in Puma. Please review the

39

CVE identifiers referenced below for details.

40

41

Impact

42

======

43

44

Please review the referenced CVE identifiers for details.

45

46

Workaround

47

==========

48

49

There is no known workaround at this time.

50

51

Resolution

52

==========

53

54

All Puma users should upgrade to the latest version:

55

56

  # emerge --sync

57

  # emerge --ask --oneshot --verbose ">=www-servers/puma-5.6.4"

58

59

References

60

==========

61

62

[ 1 ] CVE-2021-29509

63

      https://nvd.nist.gov/vuln/detail/CVE-2021-29509

64

[ 2 ] CVE-2021-41136

65

      https://nvd.nist.gov/vuln/detail/CVE-2021-41136

66

[ 3 ] CVE-2022-23634

67

      https://nvd.nist.gov/vuln/detail/CVE-2022-23634

68

[ 4 ] CVE-2022-24790

69

      https://nvd.nist.gov/vuln/detail/CVE-2022-24790

70

71

Availability

72

============

73

74

This GLSA and any updates to it are available for viewing at

75

the Gentoo Security Website:

76

77

 https://security.gentoo.org/glsa/202208-28

78

79

Concerns?

80

=========

81

82

Security is a primary focus of Gentoo Linux and ensuring the

83

confidentiality and security of our users' machines is of utmost

84

importance to us. Any security concerns should be addressed to

85

security@g.o or alternatively, you may file a bug at

86

https://bugs.gentoo.org.

87

88

License

89

=======

90

91

Copyright 2022 Gentoo Foundation, Inc; referenced text

92

belongs to its owner(s).

93

94

The contents of this document are licensed under the

95

Creative Commons - Attribution / Share Alike license.

96

97

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202208-28
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: Puma: Multiple Vulnerabilities
9	Date: August 14, 2022
10	Bugs: #794034, #817893, #833155, #836431
11	ID: 202208-28
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been discovered in Puma, the worst of
19	which could result in denial of service.
20
21	Background
22	==========
23
24	Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server
25	for Ruby/Rack.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 www-servers/puma < 5.6.4 >= 5.6.4
34
35	Description
36	===========
37
38	Multiple vulnerabilities have been discovered in Puma. Please review the
39	CVE identifiers referenced below for details.
40
41	Impact
42	======
43
44	Please review the referenced CVE identifiers for details.
45
46	Workaround
47	==========
48
49	There is no known workaround at this time.
50
51	Resolution
52	==========
53
54	All Puma users should upgrade to the latest version:
55
56	# emerge --sync
57	# emerge --ask --oneshot --verbose ">=www-servers/puma-5.6.4"
58
59	References
60	==========
61
62	[ 1 ] CVE-2021-29509
63	https://nvd.nist.gov/vuln/detail/CVE-2021-29509
64	[ 2 ] CVE-2021-41136
65	https://nvd.nist.gov/vuln/detail/CVE-2021-41136
66	[ 3 ] CVE-2022-23634
67	https://nvd.nist.gov/vuln/detail/CVE-2022-23634
68	[ 4 ] CVE-2022-24790
69	https://nvd.nist.gov/vuln/detail/CVE-2022-24790
70
71	Availability
72	============
73
74	This GLSA and any updates to it are available for viewing at
75	the Gentoo Security Website:
76
77	https://security.gentoo.org/glsa/202208-28
78
79	Concerns?
80	=========
81
82	Security is a primary focus of Gentoo Linux and ensuring the
83	confidentiality and security of our users' machines is of utmost
84	importance to us. Any security concerns should be addressed to
85	security@g.o or alternatively, you may file a bug at
86	https://bugs.gentoo.org.
87
88	License
89	=======
90
91	Copyright 2022 Gentoo Foundation, Inc; referenced text
92	belongs to its owner(s).
93
94	The contents of this document are licensed under the
95	Creative Commons - Attribution / Share Alike license.
96
97	https://creativecommons.org/licenses/by-sa/2.5