CVE-2021-29509

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in puma 4.3.8 and 5.3.1. Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.

References

Affected packages

Git / github.com/puma/puma

Affected ranges

Type

GIT

Repo

https://github.com/puma/puma

Events

Introduced

Fixed

b911c13f8797aacaa8decf8532d6d7d45fda334f

Introduced

13e18e8078c800adfc52af687acc1d8de5f3988d

Fixed

1c91a4f1af23328118dbfe5b615f812af5e817ef

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.3.8"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.3.1"
        }
    ]
}

Affected versions

v5.*

v5.0.0

v5.0.1

v5.0.2

v5.0.3

v5.1.0

v5.2.0

v5.2.1

v5.2.2

v5.3.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29509.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    }
]