Bugzilla – Bug 1188527
VUL-0: CVE-2021-29509: rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial of Service (DoS)
Last modified: 2024-05-10 17:52:28 UTC
CVE-2021-29509

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

External Reference:
https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1964874
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29509
https://github.com/puma/puma/security/policy
https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
http://www.cvedetails.com/cve/CVE-2021-29509/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509
https://rubygems.org/gems/puma
https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837

Upstream issue: https://github.com/puma/puma/issues/2625
Upstream commit: https://github.com/puma/puma/commit/df72887170c7ef3614c941c9bdefb4a1f3546ebf
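The starvation described above, as an added model that is not Puma's code and not the upstream fix itself: a fixed pool of threads serves pipelined keep-alive connections; under the vulnerable policy a thread stays on its connection until the client closes, while the mitigated policy caps consecutive requests per connection (`max_inline` here is an assumed name, modelled on Puma's `max_fast_inline` setting) and hands the connection back to the wait queue, so connections that arrive after the pool is full still get a first response within bounded time.

```ruby
# Constructed, deterministic model of a thread pool serving keep-alive
# connections (illustration only, not Puma's scheduler). Each connection is
# a count of pipelined requests; on every tick each thread answers one
# request on the connection it currently holds.
#
# Returns a Hash of connection id => tick of its first response
# (a connection never served within max_ticks is absent from the Hash).
def first_response_ticks(threads:, requests_per_conn:, max_inline: nil, max_ticks: 100)
  queue     = (0...requests_per_conn.size).to_a # connections waiting for a thread (FIFO)
  remaining = requests_per_conn.dup
  held      = Array.new(threads)                 # connection id held by each thread
  streak    = Array.new(threads, 0)              # consecutive requests served on it
  first     = {}

  max_ticks.times do |tick|
    threads.times do |t|
      if held[t].nil?                             # idle thread takes the next waiter
        held[t] = queue.shift
        streak[t] = 0
      end
      conn = held[t]
      next if conn.nil?                           # nothing waiting

      remaining[conn] -= 1
      streak[t] += 1
      first[conn] ||= tick

      if remaining[conn] <= 0
        held[t] = nil                             # client finished; thread freed
      elsif max_inline && streak[t] >= max_inline
        queue.push(conn)                          # mitigation: back to the wait queue
        held[t] = nil
      end
    end
    break if remaining.all? { |r| r <= 0 }
  end
  first
end

if $PROGRAM_NAME == __FILE__
  # Two threads, four greedy keep-alive clients pipelining ten requests each.
  load = [10, 10, 10, 10]
  puts "greedy:   #{first_response_ticks(threads: 2, requests_per_conn: load)}"
  puts "capped@3: #{first_response_ticks(threads: 2, requests_per_conn: load, max_inline: 3)}"
end
```

With two threads and four ten-request clients the greedy policy leaves connections 2 and 3 without a response until tick 10, whereas capping inline requests at three gets them their first response at tick 3.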
SUSE:SLE-15:Update Affected [1]

[1] according to upstream
SUSE-SU-2021:2761-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188527
CVE References: CVE-2021-29509
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): rubygem-puma-2.16.0-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
# maintenance_jira_update_notice

SUSE-SU-2021:2914-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188527
CVE References: CVE-2021-29509
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): rubygem-puma-2.16.0-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixes are available for both SOC 8 and SOC 9. Back to Security team.
SUSE-SU-2022:1515-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1188527,1191681,1196222
CVE References: CVE-2021-29509,CVE-2021-41136,CVE-2022-23634
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): rubygem-puma-4.3.11-150000.3.6.2
openSUSE Leap 15.3 (src): rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP4 (src): rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP3 (src): rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP2 (src): rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP1 (src): rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15 (src): rubygem-puma-4.3.11-150000.3.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.