Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
The proposed update will fix CVE-2019-16770 (#946312) for Buster users. The security team marked the issue no-dsa and asked to schedule the fix via the next point release. The debdiff is attached. The patch to fix the CVE has been taken from upstream's Git repository.

Please let me know how to proceed.

Regards, Daniel

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru puma-3.12.0/debian/changelog puma-3.12.0/debian/changelog --- puma-3.12.0/debian/changelog 2019-02-10 14:26:47.000000000 +0100 +++ puma-3.12.0/debian/changelog 2020-02-06 13:25:24.000000000 +0100 @@ -1,3 +1,12 @@ +puma (3.12.0-2+deb10u1) buster-security; urgency=medium + + * Team upload. + * d/patches/CVE-2019-16770.patch: Add patch. + - Backport fix for CVE-2019-16770 from upstream (closes: #946312). + * d/patches/series: Add patch. + + -- Daniel Leidert <dleid...@debian.org> Thu, 06 Feb 2020 13:25:24 +0100 + puma (3.12.0-2) unstable; urgency=medium * Disable tests failing in single cpu (Closes: #921931) diff -Nru puma-3.12.0/debian/patches/CVE-2019-16770.patch puma-3.12.0/debian/patches/CVE-2019-16770.patch --- puma-3.12.0/debian/patches/CVE-2019-16770.patch 1970-01-01 01:00:00.000000000 +0100 +++ puma-3.12.0/debian/patches/CVE-2019-16770.patch 2020-02-06 13:25:24.000000000 +0100 
@@ -0,0 +1,69 @@ +From: Nate Berkopec <nate.berko...@gmail.com> +Date: Thu, 5 Dec 2019 14:19:32 +0700 +Subject: Merge pull request from GHSA-7xx3-m584-x994 + +could monopolize a thread. Previously, this could make a DoS attack more +severe. + +Co-authored-by: Evan Phoenix <e...@phx.io> + +Debian-Bug: https://bugs.debian.org/946312 +Acked-By: Daniel Leidert <dleid...@debian.org> +Origin: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e.patch +--- + lib/puma/const.rb | 7 +++++++ + lib/puma/server.rb | 16 +++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/lib/puma/const.rb b/lib/puma/const.rb +index f9e0a2a..7fc105c 100644 +--- a/lib/puma/const.rb ++++ b/lib/puma/const.rb +@@ -116,6 +116,13 @@ module Puma + # sending data back + WRITE_TIMEOUT = 10 + ++ # How many requests to attempt inline before sending a client back to ++ # the reactor to be subject to normal ordering. The idea here is that ++ # we amortize the cost of going back to the reactor for a well behaved ++ # but very "greedy" client across 10 requests. This prevents a not ++ # well behaved client from monopolizing the thread forever. ++ MAX_FAST_INLINE = 10 ++ + # The original URI requested by the client. 
+ REQUEST_URI= 'REQUEST_URI'.freeze + REQUEST_PATH = 'REQUEST_PATH'.freeze +diff --git a/lib/puma/server.rb b/lib/puma/server.rb +index e2e862f..66a982a 100644 +--- a/lib/puma/server.rb ++++ b/lib/puma/server.rb +@@ -468,6 +468,8 @@ module Puma + clean_thread_locals = @options[:clean_thread_locals] + close_socket = true + ++ requests = 0 ++ + while true + case handle_request(client, buffer) + when false +@@ -481,7 +483,19 @@ module Puma + + ThreadPool.clean_thread_locals if clean_thread_locals + +- unless client.reset(@status == :run) ++ requests += 1 ++ ++ check_for_more_data = @status == :run ++ ++ if requests >= MAX_FAST_INLINE ++ # This will mean that reset will only try to use the data it already ++ # has buffered and won't try to read more data. What this means is that ++ # every client, independent of their request speed, gets treated like a slow ++ # one once every MAX_FAST_INLINE requests. ++ check_for_more_data = false ++ end ++ ++ unless client.reset(check_for_more_data) + close_socket = false + client.set_timeout @persistent_timeout + @reactor.add client diff -Nru puma-3.12.0/debian/patches/series puma-3.12.0/debian/patches/series --- puma-3.12.0/debian/patches/series 2019-02-10 14:18:23.000000000 +0100 +++ puma-3.12.0/debian/patches/series 2020-02-06 13:25:24.000000000 +0100 @@ -6,3 +6,4 @@ 0007-test-test_cli.rb-disable-test-that-fails-randomly.patch 0008-fix-ssl-tests.patch 0009-disable-tests-failing-in-single-cpu.patch +CVE-2019-16770.patch
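Review bot: in the debian/changelog hunk the new entry targets `buster-security`, but this is a pu request for an issue the security team marked no-dsa and deferred to the next point release (see the Usertags and the description above), so the distribution should be `buster`. Suggest `+puma (3.12.0-2+deb10u1) buster; urgency=medium` so the upload goes to the stable proposed-updates queue rather than being addressed to the security suite.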
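Review bot: the DEP-3 header of debian/patches/CVE-2019-16770.patch has a description that starts mid-sentence (`+could monopolize a thread. Previously, this could make a DoS attack more` ...), so at least the opening line of upstream's commit message appears to have been dropped when the patch was exported; please restore the full description so a reader of the patch learns what the change fixes without following the Origin URL. `Debian-Bug:` is also not a DEP-3 field name; use `Bug-Debian: https://bugs.debian.org/946312`, and consider adding `Applied-Upstream:` pointing at the upstream commit named in `Origin:` so it is clear this is a backport of already-merged code.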
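Review bot: the new comment above `MAX_FAST_INLINE` in lib/puma/const.rb hard-codes the limit in prose ("across 10 requests"); refer to the constant by name there instead, so the comment cannot silently go stale if the value is tuned later.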
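Review bot: in the lib/puma/server.rb hunk `requests` is only ever incremented and is never reset once the threshold is reached, so after the tenth request every further pipelined request handled in the same loop runs with `check_for_more_data = false`, whereas the new comment promises that a client "gets treated like a slow one once every MAX_FAST_INLINE requests". Either reset the counter inside the branch (`requests = 0` next to `check_for_more_data = false`) or reword the comment to say "after MAX_FAST_INLINE requests". The practical difference is small, since per the comment `client.reset(false)` stops reading as soon as the buffered data is consumed and the client is handed to `@reactor.add`, which ends the loop, but code and comment should agree. The change also carries no regression test; one that pipelines more than `MAX_FAST_INLINE` requests on a single connection and asserts the client is returned to the reactor would pin the intended fairness behaviour down.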
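Review bot: the existing entries in debian/patches/series use a numeric prefix (`0007-`, `0008-`, `0009-`) while the appended `CVE-2019-16770.patch` does not; for consistency name it `0010-CVE-2019-16770.patch`, or, if the CVE-only naming is the intended convention for security backports in this package, keep it as is but be aware that the two schemes now coexist.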