CVE-2019-16770

Name: CVE-2019-16770
Description: In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 946312

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release         Version    Status
puma (PTS)       stretch         3.6.0-1    vulnerable
                 buster          3.12.0-2   vulnerable
                 bullseye, sid   3.12.4-1   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
puma      source   (unstable)   3.12.0-4                           946312

Notes

[buster] - puma <no-dsa> (Minor issue)
[stretch] - puma <no-dsa> (Minor issue)
https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
