Debian Package Tracker

puma

threaded HTTP 1.1 server for Ruby/Rack applications


general
  • source: puma (main)
  • version: 5.6.4-1
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Pirate Praveen [DMD]
  • arch: any
  • std-ver: 4.6.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 3.6.0-1
  • o-o-sec: 3.6.0-1+deb9u2
  • oldstable: 3.12.0-2+deb10u2
  • stable: 4.3.8-1
  • stable-sec: 4.3.8-1+deb11u2
  • testing: 5.6.4-1
  • unstable: 5.6.4-1
versioned links
  • 3.6.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.6.0-1+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.12.0-2+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.3.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.3.8-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.3.8-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 5.6.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • puma (1 bug: 0, 0, 1, 0)
action needed
The VCS repository is not up to date, push the missing commits. high
vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS is out of date. A common cause of the latter when using Git is not specifying the correct branch when the packaging is not in the default one (the remote HEAD branch, usually "master", which can be changed on salsa.debian.org in the project's general settings via the "Default Branch" field). Alternatively, the Vcs-Git field in debian/control can carry a "-b <branch-name>" suffix to indicate which branch holds the Debian packaging.
Created: 2020-03-10 Last update: 2022-08-08 22:36
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2022-23634: Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.
  • CVE-2022-24790: Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
Created: 2022-07-04 Last update: 2022-08-01 13:40
4 security issues in buster high

There are 4 open security issues in buster.

4 important issues:
  • CVE-2021-29509: Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.
  • CVE-2021-41136: Puma is an HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.
  • CVE-2022-23634: Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.
  • CVE-2022-24790: Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
Created: 2022-07-04 Last update: 2022-08-01 13:40
2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:
  • CVE-2022-23634: Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.
  • CVE-2022-24790: Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
Created: 2022-07-04 Last update: 2022-08-01 13:40
Fails to build during reproducibility testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2021-11-12 Last update: 2022-08-15 03:32
lintian reports 2 warnings normal
Lintian reports 2 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2022-07-30 Last update: 2022-07-30 12:16
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).
Created: 2022-05-11 Last update: 2022-05-11 23:24
testing migrations
  • This package will soon be part of the ruby3.1-add transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
[rss feed]
  • [2022-06-11] puma 5.6.4-1 MIGRATED to testing (Debian testing watch)
  • [2022-05-25] Accepted puma 3.6.0-1+deb9u2 (source) into oldoldstable (Markus Koschany)
  • [2022-05-24] Accepted puma 4.3.8-1+deb11u2 (source amd64) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
  • [2022-05-24] Accepted puma 4.3.8-1+deb11u1 (source amd64) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
  • [2022-04-04] Accepted puma 5.6.4-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-12-02] puma 5.5.2-2 MIGRATED to testing (Debian testing watch)
  • [2021-11-02] Accepted puma 5.5.2-2 (source) into unstable (Antonio Terceiro)
  • [2021-11-02] Accepted puma 5.5.2-1 (source) into unstable (Antonio Terceiro)
  • [2021-10-11] Accepted puma 5.3.2-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-10-10] Accepted puma 5.3.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-06-06] puma 4.3.8-1 MIGRATED to testing (Debian testing watch)
  • [2021-05-28] Accepted puma 5.3.2-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-05-27] Accepted puma 4.3.8-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-03-08] Accepted puma 5.2.2-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-03-07] Accepted puma 5.2.2-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2020-10-18] puma 4.3.6-1 MIGRATED to testing (Debian testing watch)
  • [2020-10-16] Accepted puma 3.12.0-2+deb10u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Daniel Leidert)
  • [2020-10-16] Accepted puma 4.3.6-1 (source) into unstable (Daniel Leidert)
  • [2020-10-07] Accepted puma 3.6.0-1+deb9u1 (source amd64) into oldstable (Abhijith PA)
  • [2020-08-30] puma 4.3.3-3 MIGRATED to testing (Debian testing watch)
  • [2020-08-17] Accepted puma 4.3.3-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2020-08-03] Accepted puma 4.3.3-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2020-03-07] puma 3.12.4-1 MIGRATED to testing (Debian testing watch)
  • [2020-03-05] Accepted puma 3.12.0-2+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Daniel Leidert)
  • [2020-03-05] Accepted puma 4.3.3-1 (source) into experimental (Daniel Leidert)
  • [2020-03-05] Accepted puma 3.12.4-1 (source) into unstable (Daniel Leidert)
  • [2020-02-08] puma 3.12.0-4 MIGRATED to testing (Debian testing watch)
  • [2020-02-06] Accepted puma 3.12.0-4 (source) into unstable (Daniel Leidert)
  • [2020-02-06] Accepted puma 4.3.1-1 (source) into experimental (Daniel Leidert)
  • [2020-02-05] Accepted puma 3.12.0-3 (source) into unstable (Daniel Leidert)
bugs [bug history graph]
  • all: 6
  • RC: 1
  • I&N: 4
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 2)
  • buildd: logs, clang, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 5.5.2-2ubuntu2
  • patches for 5.5.2-2ubuntu2

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers