Package: puma / 3.12.0-2+deb10u2

Metadata

Package: puma
Version: 3.12.0-2+deb10u2
Patches format: 3.0 (quilt)

Patch series

0002 test_integration disable test that fails randomly.patch

test/test_integration.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 test_integration: disable test that fails randomly


0003 test_cli disable test that rails randomly.patch

test/test_cli.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 test_cli: disable test that fails randomly


0004 puma.gemspec drop git usage.patch

puma.gemspec | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 puma.gemspec: drop git usage


0005 test_puma_server disable test that fails randomly.patch

test/test_puma_server.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 test_puma_server: disable test that fails randomly


0006 test helper.rb drop bundler usage.patch

test/helper.rb | 6 0 + 6 - 0 !
1 file changed, 6 deletions(-)

 test/helper.rb: drop bundler usage


0007 test test_cli.rb disable test that fails randomly.patch

test/test_cli.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 test/test_cli.rb: disable test that fails randomly


0008 fix ssl tests.patch

test/helper.rb | 27 23 + 4 - 0 !
test/test_binder.rb | 10 4 + 6 - 0 !
test/test_cli.rb | 9 6 + 3 - 0 !
test/test_integration.rb | 18 9 + 9 - 0 !
test/test_puma_server_ssl.rb | 22 16 + 6 - 0 !
test/test_rack_handler.rb | 2 1 + 1 - 0 !
test/test_unix_socket.rb | 42 20 + 22 - 0 !
7 files changed, 79 insertions(+), 51 deletions(-)

 [patch] update test files

1. Update skip handling
2. Stability changes
3. Add Ruby & OpenSSL version info output
4. Bypassed SSL tests on DISABLE_SSL ?

0009 disable tests failing in single cpu.patch

test/test_pumactl.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 disable-tests-failing-in-single-cpu

Disable test failing on single cpu

Bug-Debian: https://bugs.debian.org/921931

CVE-2019-16770.patch

lib/puma/const.rb | 7 7 + 0 - 0 !
lib/puma/server.rb | 16 15 + 1 - 0 !
2 files changed, 22 insertions(+), 1 deletion(-)

 merge pull request from ghsa-7xx3-m584-x994

could monopolize a thread. Previously, this could make a DoS attack more
severe.

Co-authored-by: Evan Phoenix <evan@phx.io>

Debian-Bug: https://bugs.debian.org/946312

CVE-2020-5247.patch

lib/puma/const.rb | 1 1 + 0 - 0 !
lib/puma/server.rb | 2 2 + 0 - 0 !
test/test_puma_server.rb | 19 19 + 0 - 0 !
3 files changed, 22 insertions(+)

 [patch] merge pull request from ghsa-84j7-475p-hp8v

header value could inject a CR or LF and inject their own HTTP response.
(actually the patch to fix CVE-2020-5249 supersedes these changes)

CVE-2020-5249.patch

lib/puma/const.rb | 2 1 + 1 - 0 !
lib/puma/server.rb | 10 8 + 2 - 0 !
test/test_puma_server.rb | 76 66 + 10 - 0 !
3 files changed, 75 insertions(+), 13 deletions(-)

 [patch] http injection - fix bug + 1 more vector (#2136)

+ Fixes a problem in 4.3.2/3.12.3 where we were not splitting newlines in headers according to Rack spec
+ Fixes another vector for HTTP injection - early hints

CVE-2020-11076.patch

lib/puma/client.rb | 12 10 + 2 - 0 !
1 file changed, 10 insertions(+), 2 deletions(-)

 [patch] better handle client input

CVE-2020-11077.patch

ext/puma_http11/http11_parser.c | 4 3 + 1 - 0 !
ext/puma_http11/http11_parser.rl | 4 3 + 1 - 0 !
lib/puma/server.rb | 31 31 + 0 - 0 !
test/test_puma_server.rb | 3 2 + 1 - 0 !
4 files changed, 39 insertions(+), 3 deletions(-)

 [patch] reduce ambiguity of headers

The patch also requires fixing a test not handled in upstream's patch:
https://github.com/puma/puma/commit/0a3c09a0603857f088571d0eb69e0b9adee0fed1