Source: puma
Version: 3.12.0-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for puma.

CVE-2019-16770[0]:
| In Puma before version 4.3.2, a poorly-behaved client could use
| keepalive requests to monopolize Puma's reactor and create a denial of
| service attack. If more keepalive connections to Puma are opened than
| there are threads available, additional connections will wait
| permanently if the attacker sends requests frequently enough.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16770
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770
[1] https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
[2] https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
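Added example, not part of the bug report above and not Puma's own code: a deterministic Ruby model of the starvation the advisory describes. A fixed pool of workers serves keepalive connections; a worker that finds the next request already buffered keeps serving the same client "inline" instead of returning it to the reactor, so clients that always have another request queued can hold every worker forever while a later connection waits. The `max_fast_inline` cap models the upstream mitigation in 4.3.2 (bound the number of inline requests before a connection is handed back to the reactor); the value 10, the class and method names, and the traffic pattern are assumptions chosen for illustration, not Puma's API.

```ruby
# Added example (not Puma's code): a deterministic model of how keepalive
# requests can monopolize a fixed-size thread pool, and of the mitigation
# style used in Puma 4.3.2 (cap the requests a worker serves inline on one
# connection before handing it back to the reactor). Names and the cap of
# 10 are assumptions for illustration.

# A keepalive connection with `pending` requests already buffered on the
# socket. Constructed input, not captured traffic.
class Conn
  attr_reader :name, :served

  def initialize(name, pending)
    @name, @pending, @served = name, pending, 0
  end

  # "Fast check": is the next request already readable without waiting?
  def next_request_ready?
    @pending > 0
  end

  def serve_one
    raise "nothing to read on #{@name}" unless next_request_ready?
    @pending -= 1
    @served += 1
  end

  def closed?
    @pending.zero?
  end
end

# Simulate `threads` workers for `ticks` steps; each worker serves one
# request per tick. `max_fast_inline: nil` models the vulnerable behaviour
# (a worker keeps a connection as long as its next request is buffered);
# an Integer models the fix (after that many inline requests the connection
# goes back to the reactor, i.e. to the end of the handoff queue).
def simulate(conns, threads:, ticks:, max_fast_inline: nil)
  queue   = conns.dup            # reactor -> thread pool handoff queue
  workers = Array.new(threads)   # each slot: [conn, inline_count] or nil

  ticks.times do
    workers.each_index do |i|
      if workers[i].nil?
        conn = queue.shift or next   # idle worker, nothing waiting
        workers[i] = [conn, 0]
      end
      conn, inline = workers[i]
      conn.serve_one
      inline += 1

      if conn.next_request_ready? && (max_fast_inline.nil? || inline < max_fast_inline)
        workers[i] = [conn, inline]            # keep serving the same client inline
      else
        workers[i] = nil                       # release the worker
        queue.push(conn) unless conn.closed?   # back to the reactor to wait for data
      end
    end
  end

  conns.to_h { |c| [c.name, c.served] }
end

# Two workers, two abusive keepalive clients that always have another
# request buffered, and a legitimate client that connects after them.
def scenario(max_fast_inline: nil)
  conns = [Conn.new("attacker-1", 500), Conn.new("attacker-2", 500), Conn.new("victim", 1)]
  simulate(conns, threads: 2, ticks: 40, max_fast_inline: max_fast_inline)
end

if __FILE__ == $0
  p scenario                        # victim is never served
  p scenario(max_fast_inline: 10)   # victim is served once the attackers are rotated out
end
```

In the uncapped run the two attacker connections occupy both workers for every tick and the victim's single request is never read; with the cap, both workers hand their connection back after 10 inline requests, the victim is ahead of them in the queue and is served on the next tick. The real fix also depends on the reactor re-queueing a connection only when data is actually readable, which this model collapses into the `next_request_ready?` check.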