Using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. Upstream Advisory: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Created rubygem-puma tracking bugs for this issue: Affects: fedora-all [bug 2013497]
Upstream patch: https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
External references: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Note the current Fedora rawhide is rubygem-puma-5.5.2-2.fc36 . https://src.fedoraproject.org/rpms/rubygem-puma
This issue has been addressed in the following products: Red Hat Satellite 6.11 for RHEL 7 Red Hat Satellite 6.11 for RHEL 8 Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-41136