Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turn on any and all functionality that makes sure the request matches the RFC7230 standard. https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5 https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
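The proxy/backend disagreement described above, as an added example (this is not Puma's code, nor the Fedora package's, and it does not reproduce the exact parser flaw fixed in 5.6.4/4.3.12): a strict RFC 7230 section 3.3.3 framing check of the kind a front-end proxy should enforce before forwarding, next to two deliberately lenient readers that show how a Content-Length-trusting front end and a chunked-honouring back end split the same constructed CL.TE request differently. The function names, the `app.example` host and the CL.TE payload are constructed for illustration.

```ruby
# Added example, not Puma's own code: strict RFC 7230 3.3.3 framing versus two
# lenient interpretations that disagree about where a request body ends.
class FramingError < StandardError; end

# Split a raw HTTP/1.1 request into [request_line, headers, body]. headers is an
# Array of [downcased_name, value] pairs with duplicates kept. Each header line
# must match RFC 7230 3.2: token name, no space before ":", no obs-fold.
def parse_request(raw)
  head, sep, body = raw.partition("\r\n\r\n")
  raise FramingError, 'missing end of headers' if sep.empty?
  request_line, *lines = head.split("\r\n")
  headers = lines.map do |line|
    m = /\A([!\#\$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*\z/.match(line)
    raise FramingError, "malformed header line #{line.inspect}" unless m
    [m[1].downcase, m[2]]
  end
  [request_line, headers, body]
end

# Decide how the body is delimited, following RFC 7230 3.3.3 strictly: any
# ambiguity is rejected rather than resolved by a precedence rule.
# Returns [:chunked], [:content_length, n] or [:none].
def strict_framing(headers)
  te = headers.select { |name, _| name == 'transfer-encoding' }.map(&:last)
  cl = headers.select { |name, _| name == 'content-length' }.map(&:last)
  unless te.empty?
    # CL.TE and TE.CL smuggling both depend on this combination being accepted.
    raise FramingError, 'Transfer-Encoding and Content-Length both present' unless cl.empty?
    codings = te.flat_map { |v| v.split(',') }.map { |c| c.strip.downcase }
    # Exactly one "chunked" coding; unknown or repeated codings make the body
    # length unknowable (3.3.3 item 3), so they are rejected too.
    raise FramingError, "unsupported Transfer-Encoding #{te.inspect}" unless codings == ['chunked']
    return [:chunked]
  end
  return [:none] if cl.empty?
  values = cl.flat_map { |v| v.split(',') }.map(&:strip).uniq
  raise FramingError, "conflicting Content-Length #{cl.inspect}" unless values.size == 1
  raise FramingError, "invalid Content-Length #{values[0].inspect}" unless values[0].match?(/\A\d+\z/)
  [:content_length, values[0].to_i]
end

# Minimal chunked decoder returning [decoded_body, leftover_bytes]. Chunk
# extensions and trailers are ignored; that is enough to show the framing gap.
def read_chunked(data)
  decoded = +''
  rest = data
  loop do
    size_line, sep, rest = rest.partition("\r\n")
    raise FramingError, 'truncated chunk-size line' if sep.empty?
    size = begin
      Integer(size_line.split(';').first.to_s.strip, 16)
    rescue ArgumentError
      raise FramingError, "bad chunk size #{size_line.inspect}"
    end
    if size.zero?
      _trailer, _sep, rest = rest.partition("\r\n") # empty trailer section
      return [decoded, rest]
    end
    raise FramingError, 'truncated chunk' if rest.bytesize < size + 2
    decoded << rest[0, size]
    rest = rest[(size + 2)..-1]
  end
end

# A front end that trusts Content-Length and ignores Transfer-Encoding.
# Returns [body_it_forwards, bytes_left_over].
def lenient_cl_wins(raw)
  _, headers, body = parse_request(raw)
  cl = headers.find { |name, _| name == 'content-length' }
  n = cl ? cl.last.to_i : 0
  [body[0, n], body[n..-1].to_s]
end

# A back end that honours Transfer-Encoding: chunked whenever it is present.
def lenient_te_wins(raw)
  _, headers, body = parse_request(raw)
  chunked = headers.any? { |name, v| name == 'transfer-encoding' && v.downcase.include?('chunked') }
  chunked ? read_chunked(body) : lenient_cl_wins(raw)
end

# Constructed CL.TE payload: Content-Length covers the whole body, but a chunked
# reader stops at the "0" chunk and leaves the smuggled prefix for the next request.
SMUGGLED_PREFIX = "GET /admin HTTP/1.1\r\nX-Ignore: "
CL_TE_BODY = "0\r\n\r\n" + SMUGGLED_PREFIX
CL_TE_REQUEST = "POST / HTTP/1.1\r\n" \
  "Host: app.example\r\n" \
  "Content-Length: #{CL_TE_BODY.bytesize}\r\n" \
  "Transfer-Encoding: chunked\r\n" \
  "\r\n" + CL_TE_BODY

# A well-formed request that the strict check lets through.
CLEAN_REQUEST = "POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"

def demo
  front = lenient_cl_wins(CL_TE_REQUEST)
  back = lenient_te_wins(CL_TE_REQUEST)
  strict = begin
    strict_framing(parse_request(CL_TE_REQUEST)[1])
  rescue FramingError => e
    "rejected: #{e.message}"
  end
  { front_leftover: front[1], back_leftover: back[1], strict: strict }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the two lenient readers is the leftover bytes: the Content-Length front end consumes the whole body and forwards it as one request, while the chunked back end finishes at the `0` chunk and treats `GET /admin ...` as the start of the next request on the same connection. The strict check refuses the request before that split can happen, which is what the advisory's workaround (enforcing RFC 7230 at the proxy) amounts to.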
Created golang-k8s-kubernetes tracking bugs for this issue: Affects: fedora-all [bug 2071623] Created origin tracking bugs for this issue: Affects: fedora-all [bug 2071624] Created rubygem-puma tracking bugs for this issue: Affects: fedora-all [bug 2071625]
Note the current rawhide build is rubygem-puma-5.5.2-2.fc36. https://src.fedoraproject.org/rpms/rubygem-puma https://rubygems.org/gems/puma
FEDORA-2022-de968d1b6c has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-52d0032596 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Satellite 6.9 for RHEL 7 Via RHSA-2022:8532 https://access.redhat.com/errata/RHSA-2022:8532
This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Via RHSA-2023:1486 https://access.redhat.com/errata/RHSA-2023:1486
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24790