File _patchinfo of Package patchinfo.40797
<patchinfo incident="40797">
  <issue tracker="bnc" id="1218638">VUL-0: CVE-2024-21647: rubygem-puma: DoS when parsing chunked Transfer-Encoding bodies</issue>
  <issue tracker="bnc" id="1230848">VUL-0: CVE-2024-45614: rubygem-puma: Header normalization allows for client to clobber proxy set headers</issue>
  <issue tracker="bnc" id="1214425">VUL-0: CVE-2023-40175: rubygem-puma: HTTP request smuggling when parsing chunked transfer encoding bodies and zero-length content-length headers</issue>
  <issue tracker="cve" id="2024-45614"/>
  <issue tracker="cve" id="2024-21647"/>
  <issue tracker="cve" id="2023-40175"/>
  <packager>aburlakov</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for rubygem-puma</summary>
  <description>This update for rubygem-puma fixes the following issues:

Update to version 5.6.9.

- CVE-2024-45614: improper header normalization allows for clients to clobber proxy set headers, which can lead to information leaks (bsc#1230848, fixed in an earlier update).
- CVE-2024-21647: unbounded resource consumption due to invalid parsing of chunked encoding in HTTP/1.1 can lead to denial-of-service attacks (bsc#1218638, fixed in an earlier update).
- CVE-2023-40175: incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers can lead to HTTP request smuggling attacks (bsc#1214425, fixed in an earlier update).
</description>
</patchinfo>