Security update for rubygem-puma SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1001-1 Final 1 1 2020-07-18T18:27:45Z current 2020-07-18T18:27:45Z 2020-07-18T18:27:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-puma This update for rubygem-puma to version 4.3.5 fixes the following issues: - CVE-2020-11077: Fixed a HTTP smuggling issue related to proxy usage (bsc#1172175). - CVE-2020-11076: Fixed a HTTP smuggling issue when using an invalid transfer-encoding header (bsc#1172176). - Disabled TLSv1.0 and TLSv1.1 (jsc#SLE-6965). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1001 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M45HASKBK5DTMENRJIYQEDWU3B4X4DUN/ E-Mail link for openSUSE-SU-2020:1001-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172175 SUSE Bug 1172175 https://bugzilla.suse.com/1172176 SUSE Bug 1172176 https://www.suse.com/security/cve/CVE-2020-11076/ SUSE CVE CVE-2020-11076 page https://www.suse.com/security/cve/CVE-2020-11077/ SUSE CVE CVE-2020-11077 page openSUSE Leap 15.2 ruby2.5-rubygem-puma-4.3.5-lp152.4.3.1 ruby2.5-rubygem-puma-doc-4.3.5-lp152.4.3.1 ruby2.5-rubygem-puma-4.3.5-lp152.4.3.1 as a component of openSUSE Leap 15.2 ruby2.5-rubygem-puma-doc-4.3.5-lp152.4.3.1 as a component of openSUSE Leap 15.2 In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. CVE-2020-11076 openSUSE Leap 15.2:ruby2.5-rubygem-puma-4.3.5-lp152.4.3.1 openSUSE Leap 15.2:ruby2.5-rubygem-puma-doc-4.3.5-lp152.4.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M45HASKBK5DTMENRJIYQEDWU3B4X4DUN/ https://www.suse.com/security/cve/CVE-2020-11076.html CVE-2020-11076 https://bugzilla.suse.com/1172175 SUSE Bug 1172175 https://bugzilla.suse.com/1172176 SUSE Bug 1172176 In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5. CVE-2020-11077 openSUSE Leap 15.2:ruby2.5-rubygem-puma-4.3.5-lp152.4.3.1 openSUSE Leap 15.2:ruby2.5-rubygem-puma-doc-4.3.5-lp152.4.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M45HASKBK5DTMENRJIYQEDWU3B4X4DUN/ https://www.suse.com/security/cve/CVE-2020-11077.html CVE-2020-11077 https://bugzilla.suse.com/1172175 SUSE Bug 1172175 https://bugzilla.suse.com/1172176 SUSE Bug 1172176