SUSE-SU-2020:2060-1

Source
https://www.suse.com/support/update/announcement/2020/suse-su-20202060-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2020:2060-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2020:2060-1
Related
Published
2020-07-28T15:54:20Z
Modified
2020-07-28T15:54:20Z
Summary
Security update for rubygem-puma
Details

This update for rubygem-puma fixes the following issues:

  • Add patches for disabling TLSv1.0 and TLSv1.1 (jsc#SLE-6965).
  • Add CVE-2020-11077.patch (bsc#1172175, CVE-2020-11077)
  • Add CVE-2020-11076.patch (bsc#1172176, CVE-2020-11076)
  • Add CVE-2020-5247.patch (bsc#1165402): fixes a problem where newlines in response header values were not split according to the Rack spec. The patch is reduced compared to the upstream version, which also patched parts that are not implemented in this older Puma version; the same applies to the unit tests.
  • Add CVE-2019-16770.patch (bsc#1158675, SOC-10999, CVE-2019-16770): fixes a denial-of-service vulnerability that a malicious client could use to block a large number of threads.
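The CVE-2020-5247 item above describes the defect in one sentence. The Ruby below is an added illustration, not Puma's code and not SUSE's patch: it places the vulnerable serialisation shape (header values written verbatim) beside one that splits each value on "\n" as the Rack 2.x SPEC requires, and runs both over a constructed header set whose Location value carries an attacker-chosen CRLF sequence. The function names and the sample headers are the example's own.

```ruby
# Added example, not Puma's own code. Demonstrates the defect the
# CVE-2020-5247 patch description refers to: response header values were
# emitted verbatim instead of being split on newlines per the Rack SPEC.

# Constructed sample: a Rack app's response headers where the Location value
# is attacker-controlled (e.g. an unvalidated redirect parameter).
SAMPLE_HEADERS = {
  "Content-Type" => "text/plain",
  "Location"     => "/home\r\nSet-Cookie: session=attacker",
}.freeze

# Vulnerable shape: every value is written as-is, so the CRLF inside the
# Location value terminates that header early and "Set-Cookie: ..." arrives
# at the client as a header line of its own (HTTP response splitting).
def serialize_headers_verbatim(headers)
  headers.map { |name, value| "#{name}: #{value}\r\n" }.join
end

# Patched shape: the Rack 2.x SPEC lets a value contain "\n" to mean "send
# this header once per line". Splitting on "\n" and re-prefixing each piece
# with the original name keeps injected text inside that header's value.
def serialize_headers_split(headers)
  out = +""
  headers.each do |name, value|
    value.to_s.split("\n").each do |piece|
      out << "#{name}: #{piece}\r\n"
    end
  end
  out
end

# Lenient line-based read of the serialized block, the way a browser or
# proxy would see it: returns the header names it finds, in order.
def header_names(raw)
  raw.split("\n").map { |line| line.sub(/\r\z/, "").split(":", 2).first }
end

if __FILE__ == $PROGRAM_NAME
  p header_names(serialize_headers_verbatim(SAMPLE_HEADERS)) # Set-Cookie injected
  p header_names(serialize_headers_split(SAMPLE_HEADERS))    # only Location lines
end
```

Note what the split version does not do: the stray "\r" left at the end of "/home" stays inside the Location value. Removing it is a separate hardening that this advisory does not describe, so it is deliberately not folded into the example.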
References

Affected packages

SUSE:OpenStack Cloud 6-LTSS / rubygem-puma

Package

Name
rubygem-puma
Purl
pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%206-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.16.0-4.3.1

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-rubygem-puma": "2.16.0-4.3.1"
        }
    ]
}
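To act on the range above you have to compare the installed package's version-release against 2.16.0-4.3.1 in RPM order rather than lexically (release 4.10.1 is newer than 4.3.1). The Ruby below is an added example, not SUSE or OSV tooling: a simplified port of rpm's rpmvercmp segment comparison plus an affected? check over the "Fixed" value on this page. It assumes the package carries no Epoch (none appears on this page) and uses constructed version strings as input.

```ruby
# Added example, not SUSE's or OSV's code: evaluate the affected range on this
# page (introduced "0", fixed "2.16.0-4.3.1") against an installed
# ruby2.1-rubygem-puma VERSION-RELEASE string, comparing in RPM order.

FIXED_EVR = "2.16.0-4.3.1".freeze  # the "Fixed" value from the advisory

# Simplified port of rpm's rpmvercmp (no caret handling): walk both strings
# segment by segment; numeric segments compare as integers, alphabetic ones
# as strings, "~" sorts before anything (even end of string), and a numeric
# segment is newer than an alphabetic one. Returns -1, 0 or 1.
def rpmvercmp(a, b)
  return 0 if a == b
  sa = a.dup
  sb = b.dup
  loop do
    # Skip separators: anything that is not alphanumeric or a tilde.
    sa = sa.sub(/\A[^a-zA-Z0-9~]+/, "")
    sb = sb.sub(/\A[^a-zA-Z0-9~]+/, "")
    if sa.start_with?("~") || sb.start_with?("~")
      return 1  unless sa.start_with?("~")
      return -1 unless sb.start_with?("~")
      sa = sa[1..-1]
      sb = sb[1..-1]
      next
    end
    break if sa.empty? || sb.empty?
    if sa =~ /\A\d/
      seg_a = sa[/\A\d+/]
      seg_b = sb[/\A\d+/]
      return 1 if seg_b.nil?          # numeric vs alpha: numeric is newer
      cmp = seg_a.to_i <=> seg_b.to_i
    else
      seg_a = sa[/\A[a-zA-Z]+/]
      seg_b = sb[/\A[a-zA-Z]+/]
      return -1 if seg_b.nil?         # alpha vs numeric: alpha is older
      cmp = seg_a <=> seg_b
    end
    return cmp unless cmp.zero?
    sa = sa[seg_a.length..-1]
    sb = sb[seg_b.length..-1]
  end
  return 0 if sa.empty? && sb.empty?
  sa.empty? ? -1 : 1
end

# "VERSION-RELEASE" as shown under "Fixed" and in the binaries map: the
# version decides first, the release only breaks ties. Assumes no Epoch.
def evr_cmp(a, b)
  va, ra = a.split("-", 2)
  vb, rb = b.split("-", 2)
  c = rpmvercmp(va, vb)
  c.zero? ? rpmvercmp(ra.to_s, rb.to_s) : c
end

# The range is introduced at "0", so every build below the fixed one is in scope.
def affected?(installed_evr, fixed_evr = FIXED_EVR)
  evr_cmp(installed_evr, fixed_evr) < 0
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values of the kind rpm prints for the installed package.
  ["2.16.0-4.2.1", "2.16.0-4.3.1", "2.16.0-4.10.1"].each do |evr|
    puts "#{evr}: #{affected?(evr) ? 'affected' : 'fixed'}"
  end
end
```

On a host, the string to feed to affected? comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' ruby2.1-rubygem-puma`. The port leaves out rpm's caret ("^") rule, which none of the versions on this page use.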