Bug 1158675 - (CVE-2019-16770) VUL-1: CVE-2019-16770: rubygem-puma: A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/248449/
CVSSv3.1:SUSE:CVE-2019-16770:7.5:(AV:...
Reported: 2019-12-06 14:19 UTC by Robert Frohl
Modified: 2021-07-20 16:06 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2019-12-06 14:19:31 UTC
CVE-2019-16770

A poorly-behaved client could use keepalive requests to monopolize Puma's
reactor and create a denial of service attack. If more keepalive connections to
Puma are opened than there are threads available, additional connections will
wait permanently if the attacker sends requests frequently enough.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16770
https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770
Comment 3 Swamp Workflow Management 2020-01-13 14:13:50 UTC
SUSE-SU-2020:0081-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1157028,1157482,1158675,917802
CVE References: CVE-2015-3448,CVE-2019-13117,CVE-2019-16770
Sources used:
SUSE OpenStack Cloud 7 (src):    crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2, crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1, openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1, openstack-monasca-api-1.7.1~dev18-12.1, openstack-monasca-log-api-1.4.3~dev3-5.1, openstack-neutron-9.4.2~dev21-7.38.1, openstack-neutron-doc-9.4.2~dev21-7.38.1, rubygem-puma-2.16.0-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-03-11 17:20:23 UTC
SUSE-SU-2020:0642-1: An update that solves three vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1117080,1152007,1154235,1156305,1156914,1157028,1157206,1157482,1158581,1158675,1161351,1161721
CVE References: CVE-2018-17954,CVE-2019-13117,CVE-2019-16770
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    crowbar-core-6.0+git.1582892022.cbd70e833-3.19.3, crowbar-ha-6.0+git.1574286261.6fd1a34-3.13.2, crowbar-openstack-6.0+git.1580922461.67fb3c087-3.19.2, crowbar-ui-1.3.0+git.1575896697.a01a3a08-17.1, keepalived-2.0.19-3.3.1, openstack-barbican-7.0.1~dev24-3.6.4, openstack-ceilometer-11.0.2~dev21-3.10.3, openstack-cinder-13.0.9~dev11-3.16.3, openstack-dashboard-14.1.1~dev1-3.12.2, openstack-dashboard-theme-SUSE-2018.2+git.1555335229.5c8dec9-3.3.1, openstack-designate-7.0.1~dev23-3.13.3, openstack-heat-11.0.3~dev31-3.13.3, openstack-horizon-plugin-designate-ui-7.0.1~dev8-3.6.1, openstack-horizon-plugin-ironic-ui-3.3.1~dev14-3.3.1, openstack-horizon-plugin-neutron-lbaas-ui-5.0.1~dev8-11.1, openstack-horizon-plugin-octavia-ui-2.0.2~dev1-1.3.2, openstack-ironic-11.1.4~dev22-3.13.2, openstack-ironic-python-agent-3.3.3~dev6-3.13.2, openstack-keystone-14.1.1~dev36-3.19.3, openstack-magnum-7.2.1~dev1-3.10.3, openstack-monasca-agent-2.8.1~dev13-3.6.2, openstack-neutron-13.0.7~dev48-3.19.3, openstack-neutron-fwaas-13.0.3~dev4-3.9.2, openstack-neutron-gbp-5.0.1~dev491-3.16.1, openstack-neutron-vpnaas-13.0.2~dev6-3.6.2, openstack-nova-18.2.4~dev63-3.19.3, openstack-octavia-3.2.2~dev8-3.19.1, openstack-octavia-amphora-image-0.1.2-7.6.3, openstack-sahara-9.0.2~dev15-3.9.2, openstack-swift-2.19.2~dev48-3.3.1, python-amqp-2.4.2-4.3.1, python-ironic-lib-2.14.2-3.3.1, python-keystoneauth1-3.10.1~dev10-3.3.1, python-keystoneclient-3.17.1~dev5-3.3.1, python-keystonemiddleware-5.2.2~dev3-14.2, python-ovs-2.9.0-3.3.1, rubygem-crowbar-client-3.9.1-3.3.1, rubygem-puma-2.16.0-4.3.1, supportutils-plugin-suse-openstack-cloud-9.0.1574431436.987b47d-3.6.1
SUSE OpenStack Cloud 9 (src):    ardana-ansible-9.0+git.1581611758.f694f7d-3.16.1, ardana-cinder-9.0+git.1579256229.c8b4b38-3.10.1, ardana-cobbler-9.0+git.1574950066.a3c4be4-3.10.1, ardana-db-9.0+git.1578936438.b9a9b95-3.16.1, ardana-horizon-9.0+git.1575562864.8ed5e10-3.13.1, ardana-input-model-9.0+git.1580403439.d425462-3.13.1, ardana-monasca-9.0+git.1579273481.4b8c46f-3.13.1, ardana-mq-9.0+git.1581024903.8e74867-3.10.1, ardana-nova-9.0+git.1580304673.6c668eb-3.16.1, ardana-octavia-9.0+git.1576074489.62de7e2-3.13.1, ardana-osconfig-9.0+git.1580235830.0dca223-3.13.1, ardana-tempest-9.0+git.1578932816.e299c08-3.10.1, ardana-tls-9.0+git.1575296665.3fdfe45-3.9.1, keepalived-2.0.19-3.3.1, openstack-barbican-7.0.1~dev24-3.6.4, openstack-ceilometer-11.0.2~dev21-3.10.3, openstack-cinder-13.0.9~dev11-3.16.3, openstack-dashboard-14.1.1~dev1-3.12.2, openstack-dashboard-theme-SUSE-2018.2+git.1555335229.5c8dec9-3.3.1, openstack-designate-7.0.1~dev23-3.13.3, openstack-heat-11.0.3~dev31-3.13.3, openstack-horizon-plugin-designate-ui-7.0.1~dev8-3.6.1, openstack-horizon-plugin-ironic-ui-3.3.1~dev14-3.3.1, openstack-horizon-plugin-neutron-lbaas-ui-5.0.1~dev8-11.1, openstack-horizon-plugin-octavia-ui-2.0.2~dev1-1.3.2, openstack-ironic-11.1.4~dev22-3.13.2, openstack-ironic-python-agent-3.3.3~dev6-3.13.2, openstack-keystone-14.1.1~dev36-3.19.3, openstack-magnum-7.2.1~dev1-3.10.3, openstack-monasca-agent-2.8.1~dev13-3.6.2, openstack-neutron-13.0.7~dev48-3.19.3, openstack-neutron-fwaas-13.0.3~dev4-3.9.2, openstack-neutron-gbp-5.0.1~dev491-3.16.1, openstack-neutron-vpnaas-13.0.2~dev6-3.6.2, openstack-nova-18.2.4~dev63-3.19.3, openstack-octavia-3.2.2~dev8-3.19.1, openstack-octavia-amphora-image-0.1.2-7.6.3, openstack-sahara-9.0.2~dev15-3.9.2, openstack-swift-2.19.2~dev48-3.3.1, python-amqp-2.4.2-4.3.1, python-ironic-lib-2.14.2-3.3.1, python-keystoneauth1-3.10.1~dev10-3.3.1, python-keystoneclient-3.17.1~dev5-3.3.1, python-keystonemiddleware-5.2.2~dev3-14.2, python-ovs-2.9.0-3.3.1, 
supportutils-plugin-suse-openstack-cloud-9.0.1574431436.987b47d-3.6.1, venv-openstack-barbican-7.0.1~dev24-3.15.1, venv-openstack-cinder-13.0.9~dev11-3.15.1, venv-openstack-designate-7.0.1~dev23-3.15.1, venv-openstack-glance-17.0.1~dev30-3.13.1, venv-openstack-heat-11.0.3~dev31-3.15.1, venv-openstack-horizon-14.1.1~dev1-4.14.2, venv-openstack-ironic-11.1.4~dev22-4.11.1, venv-openstack-keystone-14.1.1~dev36-3.15.1, venv-openstack-magnum-7.2.1~dev1-4.15.1, venv-openstack-manila-7.3.1~dev15-3.15.1, venv-openstack-monasca-2.7.1~dev10-3.13.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.15.1, venv-openstack-neutron-13.0.7~dev48-6.15.1, venv-openstack-nova-18.2.4~dev63-3.15.1, venv-openstack-octavia-3.2.2~dev8-4.15.1, venv-openstack-sahara-9.0.2~dev15-3.15.1, venv-openstack-swift-2.19.2~dev48-2.10.1

Comment 10 Swamp Workflow Management 2020-03-11 17:36:57 UTC
SUSE-SU-2020:0640-1: An update that solves 14 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 1077717,1117080,1117840,1123191,1148158,1152007,1154235,1155089,1155942,1156305,1156669,1156914,1157028,1157206,1157482,1158675,1160048,1160878,1160883,1160895,1160912,1161351,1161517,1162388
CVE References: CVE-2017-1002201,CVE-2018-17954,CVE-2019-13117,CVE-2019-16770,CVE-2019-18901,CVE-2019-2737,CVE-2019-2739,CVE-2019-2740,CVE-2019-2758,CVE-2019-2805,CVE-2019-2938,CVE-2019-2974,CVE-2020-2574,CVE-2020-7595
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    crowbar-core-5.0+git.1582968668.1a55c77c5-3.35.4, crowbar-ha-5.0+git.1574286229.e0364c3-3.29.3, crowbar-openstack-5.0+git.1582911795.5081ef1da-4.34.3, crowbar-ui-1.2.0+git.1575896697.a01a3a08-3.15.3, keepalived-2.0.19-3.6.3, mariadb-10.2.31-4.17.3, openstack-cinder-11.2.3~dev23-3.24.4, openstack-cinder-doc-11.2.3~dev23-3.24.3, openstack-dashboard-12.0.5~dev2-3.23.4, openstack-dashboard-theme-SUSE-2017.2+git.1573629528.6b21fa5-7.14.3, openstack-heat-9.0.8~dev22-3.27.4, openstack-heat-doc-9.0.8~dev22-3.27.3, openstack-heat-templates-0.0.0+git.1560033670.e3b5a52-3.12.3, openstack-horizon-plugin-designate-ui-5.0.3~dev2-3.9.3, openstack-horizon-plugin-neutron-lbaas-ui-3.0.3~dev5-3.14.3, openstack-ironic-9.1.8~dev8-3.24.4, openstack-ironic-doc-9.1.8~dev8-3.24.3, openstack-keystone-12.0.4~dev5-5.30.4, openstack-keystone-doc-12.0.4~dev5-5.30.3, openstack-monasca-agent-2.2.5~dev5-3.15.2, openstack-neutron-11.0.9~dev60-3.27.4, openstack-neutron-doc-11.0.9~dev60-3.27.3, openstack-neutron-gbp-7.3.1~dev72-3.12.3, openstack-neutron-vsphere-2.0.1~dev133-3.12.3, openstack-nova-16.1.9~dev49-3.32.4, openstack-nova-doc-16.1.9~dev49-3.32.3, openstack-octavia-1.0.6~dev3-4.21.3, openstack-octavia-amphora-image-0.1.2-3.9.3, openstack-resource-agents-1.0+git.1569436425.8b9c49f-3.3.3, openstack-sahara-7.0.5~dev4-3.12.4, openstack-sahara-doc-7.0.5~dev4-3.12.3, openstack-trove-8.0.2~dev2-3.12.3, openstack-trove-doc-8.0.2~dev2-3.12.3, python-congressclient-1.8.1-3.3.4, python-designateclient-2.7.1-3.3.4, python-freezegun-0.3.9-1.3.3, python-ironic-lib-2.10.2-3.3.3, python-networking-cisco-6.1.1~dev65-3.3.3, python-osc-lib-1.7.1-3.3.3, python-oslo.context-2.17.2-3.3.3, python-oslo.rootwrap-5.9.3-3.3.3, python-oslo.serialization-2.20.3-3.3.3, python-oslo.service-1.25.2-3.3.3, python-stevedore-1.25.2-3.3.3, python-taskflow-2.14.2-3.3.3, rubygem-crowbar-client-3.9.1-3.9.3, rubygem-puma-2.16.0-3.3.3
SUSE OpenStack Cloud 8 (src):    ardana-cinder-8.0+git.1579279939.ee7da88-3.39.3, ardana-cobbler-8.0+git.1575037115.0326803-3.41.3, ardana-designate-8.0+git.1573597788.15b7984-3.17.3, ardana-extensions-example-8.0+git.1534266307.db1ec28-3.3.3, ardana-extensions-nsx-8.0+git.1567529036.a41a037-3.6.4, ardana-glance-8.0+git.1571846045.ab9e3ea-3.20.3, ardana-heat-8.0+git.1571777596.14dce6a-3.15.3, ardana-input-model-8.0+git.1582147997.b9ed134-3.36.3, ardana-ironic-8.0+git.1571845225.006843d-3.9.3, ardana-keystone-8.0+git.1573147067.09e3ea0-3.27.3, ardana-logging-8.0+git.1572452293.e65d714-3.21.3, ardana-monasca-8.0+git.1572527728.9b34bdf-3.21.3, ardana-monasca-transform-8.0+git.1571845965.97714fb-3.12.3, ardana-mq-8.0+git.1581024906.fbf0be3-3.16.3, ardana-neutron-8.0+git.1573050365.ff6fa06-3.36.3, ardana-nova-8.0+git.1571846125.584d988-3.38.3, ardana-octavia-8.0+git.1575642049.1f321d0-3.23.3, ardana-osconfig-8.0+git.1581015942.2d21e63-3.42.3, ardana-tempest-8.0+git.1579261264.7dd213a-3.30.3, keepalived-2.0.19-3.6.3, mariadb-10.2.31-4.17.3, openstack-cinder-11.2.3~dev23-3.24.4, openstack-cinder-doc-11.2.3~dev23-3.24.3, openstack-dashboard-12.0.5~dev2-3.23.4, openstack-dashboard-theme-SUSE-2017.2+git.1573629528.6b21fa5-7.14.3, openstack-heat-9.0.8~dev22-3.27.4, openstack-heat-doc-9.0.8~dev22-3.27.3, openstack-heat-templates-0.0.0+git.1560033670.e3b5a52-3.12.3, openstack-horizon-plugin-designate-ui-5.0.3~dev2-3.9.3, openstack-horizon-plugin-neutron-lbaas-ui-3.0.3~dev5-3.14.3, openstack-ironic-9.1.8~dev8-3.24.4, openstack-ironic-doc-9.1.8~dev8-3.24.3, openstack-keystone-12.0.4~dev5-5.30.4, openstack-keystone-doc-12.0.4~dev5-5.30.3, openstack-monasca-agent-2.2.5~dev5-3.15.2, openstack-neutron-11.0.9~dev60-3.27.4, openstack-neutron-doc-11.0.9~dev60-3.27.3, openstack-neutron-gbp-7.3.1~dev72-3.12.3, openstack-neutron-vsphere-2.0.1~dev133-3.12.3, openstack-nova-16.1.9~dev49-3.32.4, openstack-nova-doc-16.1.9~dev49-3.32.3, openstack-octavia-1.0.6~dev3-4.21.3, 
openstack-octavia-amphora-image-0.1.2-3.9.3, openstack-resource-agents-1.0+git.1569436425.8b9c49f-3.3.3, openstack-sahara-7.0.5~dev4-3.12.4, openstack-sahara-doc-7.0.5~dev4-3.12.3, openstack-trove-8.0.2~dev2-3.12.3, openstack-trove-doc-8.0.2~dev2-3.12.3, python-cinderlm-0.0.2+git.1571845893.27f0b7b-3.9.3, python-congressclient-1.8.1-3.3.4, python-designateclient-2.7.1-3.3.4, python-freezegun-0.3.9-1.3.3, python-ironic-lib-2.10.2-3.3.3, python-networking-cisco-6.1.1~dev65-3.3.3, python-osc-lib-1.7.1-3.3.3, python-oslo.context-2.17.2-3.3.3, python-oslo.rootwrap-5.9.3-3.3.3, python-oslo.serialization-2.20.3-3.3.3, python-oslo.service-1.25.2-3.3.3, python-stevedore-1.25.2-3.3.3, python-taskflow-2.14.2-3.3.3, venv-openstack-aodh-5.1.1~dev7-12.22.2, venv-openstack-barbican-5.0.2~dev3-12.23.2, venv-openstack-ceilometer-9.0.8~dev7-12.20.2, venv-openstack-cinder-11.2.3~dev23-14.23.2, venv-openstack-designate-5.0.3~dev7-12.21.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.18.2, venv-openstack-glance-15.0.3~dev3-12.21.2, venv-openstack-heat-9.0.8~dev22-12.23.2, venv-openstack-horizon-12.0.5~dev2-14.28.2, venv-openstack-ironic-9.1.8~dev8-12.23.2, venv-openstack-keystone-12.0.4~dev5-11.24.2, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.22.2, venv-openstack-manila-5.1.1~dev2-12.25.2, venv-openstack-monasca-2.2.2~dev1-11.20.2, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.18.2, venv-openstack-murano-4.0.2~dev2-12.18.2, venv-openstack-neutron-11.0.9~dev60-13.26.2, venv-openstack-nova-16.1.9~dev49-11.24.2, venv-openstack-octavia-1.0.6~dev3-12.23.2, venv-openstack-sahara-7.0.5~dev4-11.22.2, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.16.3, venv-openstack-trove-8.0.2~dev2-11.22.2
HPE Helion Openstack 8 (src):    ardana-cinder-8.0+git.1579279939.ee7da88-3.39.3, ardana-cobbler-8.0+git.1575037115.0326803-3.41.3, ardana-designate-8.0+git.1573597788.15b7984-3.17.3, ardana-extensions-example-8.0+git.1534266307.db1ec28-3.3.3, ardana-extensions-nsx-8.0+git.1567529036.a41a037-3.6.4, ardana-glance-8.0+git.1571846045.ab9e3ea-3.20.3, ardana-heat-8.0+git.1571777596.14dce6a-3.15.3, ardana-input-model-8.0+git.1582147997.b9ed134-3.36.3, ardana-ironic-8.0+git.1571845225.006843d-3.9.3, ardana-keystone-8.0+git.1573147067.09e3ea0-3.27.3, ardana-logging-8.0+git.1572452293.e65d714-3.21.3, ardana-monasca-8.0+git.1572527728.9b34bdf-3.21.3, ardana-monasca-transform-8.0+git.1571845965.97714fb-3.12.3, ardana-mq-8.0+git.1581024906.fbf0be3-3.16.3, ardana-neutron-8.0+git.1573050365.ff6fa06-3.36.3, ardana-nova-8.0+git.1571846125.584d988-3.38.3, ardana-octavia-8.0+git.1575642049.1f321d0-3.23.3, ardana-osconfig-8.0+git.1581015942.2d21e63-3.42.3, ardana-tempest-8.0+git.1579261264.7dd213a-3.30.3, keepalived-2.0.19-3.6.3, mariadb-10.2.31-4.17.3, openstack-cinder-11.2.3~dev23-3.24.4, openstack-cinder-doc-11.2.3~dev23-3.24.3, openstack-dashboard-12.0.5~dev2-3.23.4, openstack-heat-9.0.8~dev22-3.27.4, openstack-heat-doc-9.0.8~dev22-3.27.3, openstack-heat-templates-0.0.0+git.1560033670.e3b5a52-3.12.3, openstack-horizon-plugin-designate-ui-5.0.3~dev2-3.9.3, openstack-horizon-plugin-neutron-lbaas-ui-3.0.3~dev5-3.14.3, openstack-ironic-9.1.8~dev8-3.24.4, openstack-ironic-doc-9.1.8~dev8-3.24.3, openstack-keystone-12.0.4~dev5-5.30.4, openstack-keystone-doc-12.0.4~dev5-5.30.3, openstack-monasca-agent-2.2.5~dev5-3.15.2, openstack-neutron-11.0.9~dev60-3.27.4, openstack-neutron-doc-11.0.9~dev60-3.27.3, openstack-neutron-gbp-7.3.1~dev72-3.12.3, openstack-neutron-vsphere-2.0.1~dev133-3.12.3, openstack-nova-16.1.9~dev49-3.32.4, openstack-nova-doc-16.1.9~dev49-3.32.3, openstack-octavia-1.0.6~dev3-4.21.3, openstack-octavia-amphora-image-0.1.2-3.9.3, 
openstack-resource-agents-1.0+git.1569436425.8b9c49f-3.3.3, openstack-sahara-7.0.5~dev4-3.12.4, openstack-sahara-doc-7.0.5~dev4-3.12.3, openstack-trove-8.0.2~dev2-3.12.3, openstack-trove-doc-8.0.2~dev2-3.12.3, python-cinderlm-0.0.2+git.1571845893.27f0b7b-3.9.3, python-congressclient-1.8.1-3.3.4, python-designateclient-2.7.1-3.3.4, python-ironic-lib-2.10.2-3.3.3, python-networking-cisco-6.1.1~dev65-3.3.3, python-osc-lib-1.7.1-3.3.3, python-oslo.context-2.17.2-3.3.3, python-oslo.rootwrap-5.9.3-3.3.3, python-oslo.serialization-2.20.3-3.3.3, python-oslo.service-1.25.2-3.3.3, python-stevedore-1.25.2-3.3.3, python-taskflow-2.14.2-3.3.3, venv-openstack-aodh-5.1.1~dev7-12.22.2, venv-openstack-barbican-5.0.2~dev3-12.23.2, venv-openstack-ceilometer-9.0.8~dev7-12.20.2, venv-openstack-cinder-11.2.3~dev23-14.23.2, venv-openstack-designate-5.0.3~dev7-12.21.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.18.2, venv-openstack-glance-15.0.3~dev3-12.21.2, venv-openstack-heat-9.0.8~dev22-12.23.2, venv-openstack-horizon-hpe-12.0.5~dev2-14.28.2, venv-openstack-ironic-9.1.8~dev8-12.23.2, venv-openstack-keystone-12.0.4~dev5-11.24.2, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.22.2, venv-openstack-manila-5.1.1~dev2-12.25.2, venv-openstack-monasca-2.2.2~dev1-11.20.2, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.18.2, venv-openstack-murano-4.0.2~dev2-12.18.2, venv-openstack-neutron-11.0.9~dev60-13.26.2, venv-openstack-nova-16.1.9~dev49-11.24.2, venv-openstack-octavia-1.0.6~dev3-12.23.2, venv-openstack-sahara-7.0.5~dev4-11.22.2, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.16.3, venv-openstack-trove-8.0.2~dev2-11.22.2

Comment 12 Swamp Workflow Management 2020-07-28 19:12:30 UTC
SUSE-SU-2020:2060-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1158675,1165402,1172175,1172176
CVE References: CVE-2019-16770,CVE-2020-11076,CVE-2020-11077,CVE-2020-5247
Sources used:
SUSE OpenStack Cloud 6-LTSS (src):    rubygem-puma-2.16.0-4.3.1

Comment 13 Wolfgang Frisch 2021-07-20 16:06:54 UTC
Released.

It appears the upstream fix for this CVE was not complete:
VUL-0: CVE-2021-29509: rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial of Service (DoS)

https://bugzilla.suse.com/show_bug.cgi?id=1188527