Bugzilla – Bug 1191681
VUL-1: CVE-2021-41136: rubygem-puma: request smuggling if HTTP header value contains the LF character
Last modified: 2022-05-04 13:17:17 UTC
Using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. Upstream Advisory: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx References: https://bugzilla.redhat.com/show_bug.cgi?id=2013495 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41136 https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
Affected packages: - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/rubygem-puma 2.16.0 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/rubygem-puma 2.16.0 - SUSE:SLE-15:Update/rubygem-puma 4.3.5 - openSUSE:Backports:SLE-15-SP2/rubygem-puma 3.11.0 - openSUSE:Factory/rubygem-puma 5.5.0 - openSUSE:Factory/rubygem-puma-4 4.3.8 - openSUSE:Factory/rubygem-puma-4.1 4.1.1 Upstream fix: https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
SUSE-SU-2021:3729-1: An update that solves four vulnerabilities, contains one feature and has one errata is now available. Category: security (moderate) Bug References: 1180837,1185836,1186868,1189052,1191681 CVE References: CVE-2020-26298,CVE-2021-21419,CVE-2021-22141,CVE-2021-41136 JIRA References: SOC-11543 Sources used: SUSE OpenStack Cloud Crowbar 9 (src): crowbar-openstack-6.0+git.1630614261.26948f746-3.37.2, influxdb-1.3.8-4.6.1, kibana-4.6.6-4.12.1, openstack-cinder-13.0.10~dev23-3.31.2, openstack-ec2-api-7.1.1~dev6-3.3.2, openstack-heat-gbp-12.0.1~dev4-3.6.1, openstack-heat-templates-0.0.0+git.1628179051.7d761bff-3.12.1, openstack-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1, openstack-keystone-14.2.1~dev7-3.25.2, openstack-neutron-gbp-14.0.1~dev19-3.28.1, openstack-nova-18.3.1~dev91-3.40.1, python-eventlet-0.20.0-8.3.1, rubygem-puma-2.16.0-4.15.1, rubygem-redcarpet-3.2.3-4.3.1 SUSE OpenStack Cloud 9 (src): ardana-ansible-9.0+git.1628097238.f6cbb0e-3.29.1, ardana-monasca-9.0+git.1627995376.30bdf85-3.25.1, influxdb-1.3.8-4.6.1, kibana-4.6.6-4.12.1, openstack-cinder-13.0.10~dev23-3.31.2, openstack-ec2-api-7.1.1~dev6-3.3.2, openstack-heat-gbp-12.0.1~dev4-3.6.1, openstack-heat-templates-0.0.0+git.1628179051.7d761bff-3.12.1, openstack-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1, openstack-keystone-14.2.1~dev7-3.25.2, openstack-neutron-gbp-14.0.1~dev19-3.28.1, openstack-nova-18.3.1~dev91-3.40.1, python-eventlet-0.20.0-8.3.1, venv-openstack-barbican-7.0.1~dev24-3.25.1, venv-openstack-cinder-13.0.10~dev23-3.28.1, venv-openstack-designate-7.0.2~dev2-3.25.1, venv-openstack-glance-17.0.1~dev30-3.23.1, venv-openstack-heat-11.0.4~dev4-3.25.1, venv-openstack-horizon-14.1.1~dev11-4.29.1, venv-openstack-ironic-11.1.5~dev17-4.23.1, venv-openstack-keystone-14.2.1~dev7-3.26.1, venv-openstack-magnum-7.2.1~dev1-4.25.1, venv-openstack-manila-7.4.2~dev60-3.31.1, venv-openstack-monasca-2.7.1~dev10-3.23.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.25.1, venv-openstack-neutron-13.0.8~dev164-6.29.1, venv-openstack-nova-18.3.1~dev91-3.29.1, venv-openstack-octavia-3.2.3~dev7-4.25.1, venv-openstack-sahara-9.0.2~dev15-3.25.1, venv-openstack-swift-2.19.2~dev48-2.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:3728-1: An update that fixes two vulnerabilities, contains one feature is now available. Category: security (moderate) Bug References: 1180837,1191681 CVE References: CVE-2020-26298,CVE-2021-41136 JIRA References: SOC-11543 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): documentation-suse-openstack-cloud-deployment-8.20210806-1.35.1, documentation-suse-openstack-cloud-supplement-8.20210806-1.35.1, documentation-suse-openstack-cloud-upstream-admin-8.20210806-1.35.1, documentation-suse-openstack-cloud-upstream-user-8.20210806-1.35.1, openstack-ec2-api-5.0.1~dev12-4.9.1, openstack-heat-templates-0.0.0+git.1628179051.7d761bf-3.24.1, python-Django-1.11.29-3.28.1, python-monasca-common-2.3.1~dev4-4.9.1, rubygem-puma-2.16.0-3.15.1, rubygem-redcarpet-3.2.3-3.3.1 SUSE OpenStack Cloud 8 (src): ardana-ansible-8.0+git.1632499354.a56668f-3.82.1, ardana-monasca-8.0+git.1627997000.6c3bc04-3.30.1, documentation-suse-openstack-cloud-installation-8.20210806-1.35.1, documentation-suse-openstack-cloud-operations-8.20210806-1.35.1, documentation-suse-openstack-cloud-opsconsole-8.20210806-1.35.1, documentation-suse-openstack-cloud-planning-8.20210806-1.35.1, documentation-suse-openstack-cloud-security-8.20210806-1.35.1, documentation-suse-openstack-cloud-supplement-8.20210806-1.35.1, documentation-suse-openstack-cloud-upstream-admin-8.20210806-1.35.1, documentation-suse-openstack-cloud-upstream-user-8.20210806-1.35.1, documentation-suse-openstack-cloud-user-8.20210806-1.35.1, openstack-ec2-api-5.0.1~dev12-4.9.1, openstack-heat-templates-0.0.0+git.1628179051.7d761bf-3.24.1, python-Django-1.11.29-3.28.1, python-monasca-common-2.3.1~dev4-4.9.1, venv-openstack-heat-9.0.8~dev22-12.35.1, venv-openstack-horizon-12.0.5~dev6-14.38.2, venv-openstack-monasca-2.2.2~dev1-11.30.1 HPE Helion Openstack 8 (src): ardana-ansible-8.0+git.1632499354.a56668f-3.82.1, ardana-monasca-8.0+git.1627997000.6c3bc04-3.30.1, documentation-hpe-helion-openstack-installation-8.20210806-1.35.1, documentation-hpe-helion-openstack-operations-8.20210806-1.35.1, documentation-hpe-helion-openstack-opsconsole-8.20210806-1.35.1, documentation-hpe-helion-openstack-planning-8.20210806-1.35.1, documentation-hpe-helion-openstack-security-8.20210806-1.35.1, documentation-hpe-helion-openstack-user-8.20210806-1.35.1, openstack-ec2-api-5.0.1~dev12-4.9.1, openstack-heat-templates-0.0.0+git.1628179051.7d761bf-3.24.1, python-Django-1.11.29-3.28.1, python-monasca-common-2.3.1~dev4-4.9.1, venv-openstack-heat-9.0.8~dev22-12.35.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.38.1, venv-openstack-monasca-2.2.2~dev1-11.30.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SOC fixes delivered in the last MU. Back to Security team.
SUSE-SU-2022:1515-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1188527,1191681,1196222 CVE References: CVE-2021-29509,CVE-2021-41136,CVE-2022-23634 JIRA References: Sources used: openSUSE Leap 15.4 (src): rubygem-puma-4.3.11-150000.3.6.2 openSUSE Leap 15.3 (src): rubygem-puma-4.3.11-150000.3.6.2 SUSE Linux Enterprise High Availability 15-SP4 (src): rubygem-puma-4.3.11-150000.3.6.2 SUSE Linux Enterprise High Availability 15-SP3 (src): rubygem-puma-4.3.11-150000.3.6.2 SUSE Linux Enterprise High Availability 15-SP2 (src): rubygem-puma-4.3.11-150000.3.6.2 SUSE Linux Enterprise High Availability 15-SP1 (src): rubygem-puma-4.3.11-150000.3.6.2 SUSE Linux Enterprise High Availability 15 (src): rubygem-puma-4.3.11-150000.3.6.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.