Bug 2071616 (CVE-2022-24790)
| Summary: | CVE-2022-24790 puma-5.6.4: http request smuggling vulnerabilities | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vipul Nair <vinair> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | admiller, akarol, aos-bugs, bbuckingham, bcourt, btotty, caswilli, dmetzger, ehelms, gmccullo, go-sig, gtanzill, jaruga, jcajka, jfrey, jhardy, jsherril, jwong, kaycoth, kshier, lmeyer, lzap, mhulan, mvanderw, nmoumoul, obarenbo, openshift-release-oversight, orabin, pcreech, pvalena, rchan, roliveri, ruby-packagers-sig, simaishi, smallamp, vondruch, zebob.m |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | puma 5.6.4, puma 4.3.12 | Doc Type: | If docs needed, set a value |
| Doc Text: | An HTTP request smuggling flaw was found in puma. This issue occurs when puma is deployed behind a proxy. Puma does not validate incoming HTTP requests against the RFC specification, leading to a loss of integrity. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-03-28 03:45:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2071623, 2071624, 2071625, 2071628, 2073319, 2073320, 2073321, 2073322, 2073323 | | |
| Bug Blocks: | 2071621 | | |
Description
Vipul Nair
2022-04-04 11:22:25 UTC
Created golang-k8s-kubernetes tracking bugs for this issue: Affects: fedora-all [bug 2071623]

Created origin tracking bugs for this issue: Affects: fedora-all [bug 2071624]

Created rubygem-puma tracking bugs for this issue: Affects: fedora-all [bug 2071625]

Note the current rawhide build is rubygem-puma-5.5.2-2.fc36 .
https://src.fedoraproject.org/rpms/rubygem-puma
https://rubygems.org/gems/puma

FEDORA-2022-de968d1b6c has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2022-52d0032596 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.

This issue has been addressed in the following products: Red Hat Satellite 6.9 for RHEL 7 Via RHSA-2022:8532 https://access.redhat.com/errata/RHSA-2022:8532

This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Via RHSA-2023:1486 https://access.redhat.com/errata/RHSA-2023:1486

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24790
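The Doc Text above states the class of the flaw (request smuggling behind a proxy, caused by not validating requests against the RFC) without describing the specific request shape involved. The Ruby below is an added example, not puma's code and not the puma 5.6.4 / 4.3.12 fix: it implements the general message-framing rules of RFC 7230 section 3.3.3 that an origin server sitting behind a proxy must enforce so that both hops agree on where each request body ends. Every name in it (`FramingError`, `parse_headers`, `body_framing`, `request_framing`, the sample request strings) is an assumption made for the example, and the sample requests are constructed here.

```ruby
# Added example (not Puma's code): decide how an HTTP/1.1 request body is
# framed, rejecting the header combinations RFC 7230 section 3.3.3 treats as
# errors. Names below are assumptions for this illustration.

class FramingError < StandardError; end

# Parse the header block of a raw request into a Hash mapping lowercased
# field names to an Array of values (one entry per occurrence).
def parse_headers(raw)
  head, _sep, _body = raw.partition("\r\n\r\n")
  request_line, *lines = head.split("\r\n")
  raise FramingError, "missing request line" if request_line.nil? || request_line.empty?
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(":", 2)
    raise FramingError, "malformed header line: #{line.inspect}" if value.nil?
    # RFC 7230 section 3.2.4: whitespace between field name and colon is a 400.
    raise FramingError, "whitespace before colon: #{name.inspect}" if name != name.rstrip
    headers[name.strip.downcase] << value.strip
  end
  headers
end

# Return the body framing per RFC 7230 section 3.3.3:
#   [:chunked, nil]  Transfer-Encoding ends with the "chunked" coding
#   [:length, n]     exactly one well-formed Content-Length value
#   [:none, 0]       no body
# Anything ambiguous raises FramingError instead of guessing, so a proxy and
# this server can never disagree about where the request ends.
def body_framing(headers)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]

  unless te.empty?
    # Section 3.3.3 rule 3: Transfer-Encoding together with Content-Length
    # is the classic smuggling signal; reject rather than pick one.
    raise FramingError, "Transfer-Encoding and Content-Length both present" unless cl.empty?
    codings = te.flat_map { |v| v.split(",") }.map { |c| c.strip.downcase }
    # The final coding must be chunked, otherwise the length is undeterminable.
    raise FramingError, "Transfer-Encoding without final chunked coding" unless codings.last == "chunked"
    return [:chunked, nil]
  end

  return [:none, 0] if cl.empty?

  # Repeated Content-Length fields are tolerable only when identical (3.3.2).
  values = cl.flat_map { |v| v.split(",") }.map(&:strip).uniq
  raise FramingError, "conflicting Content-Length values: #{cl.inspect}" if values.size != 1
  # Content-Length is 1*DIGIT: no sign, no inner whitespace, no hex prefix.
  raise FramingError, "invalid Content-Length: #{values.first.inspect}" unless values.first.match?(/\A\d+\z/)
  [:length, Integer(values.first, 10)]
end

def request_framing(raw)
  body_framing(parse_headers(raw))
end

# Constructed sample requests for the example (not captured traffic).
CLEAN_REQUEST     = "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CHUNKED_REQUEST   = "POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
AMBIGUOUS_REQUEST = "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
CONFLICT_REQUEST  = "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 10\r\n\r\nhello"

if __FILE__ == $PROGRAM_NAME
  [CLEAN_REQUEST, CHUNKED_REQUEST, AMBIGUOUS_REQUEST, CONFLICT_REQUEST].each do |req|
    begin
      puts "accepted: #{request_framing(req).inspect}"
    rescue FramingError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The design choice worth noting is that the validator never "repairs" an ambiguous request: a server that silently prefers one framing header over the other can still be read differently by the proxy in front of it, which is exactly the disagreement the Doc Text describes. Rejecting with an error (and, in a real server, closing the connection so no leftover bytes are reinterpreted as a second request) is the only response that keeps both hops consistent.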