Ruby/puma/5.6.7
Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as providing process worker support to support CRuby well.
https://rubygems.org/gems/puma
BSD-3-Clause
1 Security Vulnerabilities
Puma HTTP Request/Response Smuggling vulnerability
- https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
- https://nvd.nist.gov/vuln/detail/CVE-2024-21647
- https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
- https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
- https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
- https://github.com/advisories/GHSA-c2f4-cvqm-65w2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml
Impact
Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.
Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
Patches
The vulnerability has been fixed in 6.4.2 and 5.6.8.
Workarounds
No known workarounds.
References
- HTTP Request Smuggling
- Open an issue in Puma
- See our security policy
169 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
6.4.3 | BSD-3-Clause | | 2024-09-19 - 05:50 | 2 days |
6.4.2 | BSD-3-Clause | 1 | 2024-01-08 - 05:57 | 9 months |
6.4.1 | BSD-3-Clause | 3 | 2024-01-03 - 00:05 | 9 months |
6.4.0 | BSD-3-Clause | 3 | 2023-09-21 - 04:15 | about 1 year |
6.3.1 | BSD-3-Clause | 3 | 2023-08-18 - 01:22 | about 1 year |
6.3.0 | BSD-3-Clause | 5 | 2023-05-31 - 07:16 | over 1 year |
6.2.2 | BSD-3-Clause | 5 | 2023-04-17 - 22:44 | over 1 year |
6.2.1 | BSD-3-Clause | 5 | 2023-03-31 - 06:53 | over 1 year |
6.2.0 | BSD-3-Clause | 5 | 2023-03-29 - 06:55 | over 1 year |
6.1.1 | BSD-3-Clause | 5 | 2023-02-28 - 07:40 | over 1 year |
6.1.0 | BSD-3-Clause | 5 | 2023-02-12 - 04:58 | over 1 year |
6.0.2 | BSD-3-Clause | 5 | 2023-01-01 - 22:04 | over 1 year |
6.0.1 | BSD-3-Clause | 5 | 2022-12-20 - 20:21 | almost 2 years |
6.0.0 | BSD-3-Clause | 5 | 2022-10-14 - 02:33 | almost 2 years |
5.6.9 | BSD-3-Clause | | 2024-09-19 - 05:41 | 2 days |
5.6.8 | BSD-3-Clause | | 2024-01-08 - 06:09 | 9 months |
5.6.7 | BSD-3-Clause | 1 | 2023-08-18 - 05:58 | about 1 year |
5.6.6 | BSD-3-Clause | 1 | 2023-06-21 - 02:59 | over 1 year |
5.6.5 | BSD-3-Clause | 1 | 2022-08-23 - 06:04 | about 2 years |
5.6.4 | BSD-3-Clause | 1 | 2022-03-30 - 16:15 | over 2 years |
5.6.2 | BSD-3-Clause | 3 | 2022-02-11 - 21:17 | over 2 years |
5.6.1 | BSD-3-Clause | 5 | 2022-01-27 - 00:40 | over 2 years |
5.6.0 | BSD-3-Clause | 5 | 2022-01-25 - 21:21 | over 2 years |
5.5.2 | BSD-3-Clause | 9 | 2021-10-12 - 23:08 | almost 3 years |
5.5.1 | BSD-3-Clause | 9 | 2021-10-12 - 15:11 | almost 3 years |
5.5.0 | BSD-3-Clause | 11 | 2021-09-19 - 20:09 | about 3 years |
5.4.0 | BSD-3-Clause | 11 | 2021-07-29 - 14:31 | about 3 years |
5.3.2 | BSD-3-Clause | 11 | 2021-05-21 - 17:17 | over 3 years |
5.3.1 | BSD-3-Clause | 11 | 2021-05-11 - 14:56 | over 3 years |
5.3.0 | BSD-3-Clause | 13 | 2021-05-07 - 15:01 | over 3 years |
5.2.2 | BSD-3-Clause | 13 | 2021-03-02 - 16:08 | over 3 years |
5.2.1 | BSD-3-Clause | 13 | 2021-02-05 - 22:28 | over 3 years |
5.2.0 | BSD-3-Clause | 13 | 2021-01-27 - 20:43 | over 3 years |
5.1.1 | BSD-3-Clause | 13 | 2020-12-10 - 15:28 | almost 4 years |
5.1.0 | BSD-3-Clause | 13 | 2020-11-30 - 17:33 | almost 4 years |
5.0.4 | BSD-3-Clause | 13 | 2020-10-27 - 14:18 | almost 4 years |
5.0.3 | BSD-3-Clause | 13 | 2020-10-26 - 13:05 | almost 4 years |
5.0.2 | BSD-3-Clause | 13 | 2020-09-28 - 15:19 | almost 4 years |
5.0.1 | BSD-3-Clause | 13 | 2020-09-28 - 13:48 | almost 4 years |
5.0.0 | BSD-3-Clause | 13 | 2020-09-17 - 17:06 | about 4 years |
5.0.0.beta2 | BSD-3-Clause | 9 | 2020-09-05 - 22:28 | about 4 years |
5.0.0.beta1 | BSD-3-Clause | 9 | 2020-05-12 - 01:49 | over 4 years |
4.3.12 | BSD-3-Clause | 5 | 2022-03-30 - 16:14 | over 2 years |
4.3.11 | BSD-3-Clause | 6 | 2022-02-11 - 21:21 | over 2 years |
4.3.10 | BSD-3-Clause | 7 | 2021-10-12 - 23:15 | almost 3 years |
4.3.9 | BSD-3-Clause | 7 | 2021-10-12 - 15:13 | almost 3 years |
4.3.8 | BSD-3-Clause | 8 | 2021-05-11 - 14:54 | over 3 years |
4.3.7 | BSD-3-Clause | 9 | 2020-11-30 - 16:54 | almost 4 years |
4.3.6 | BSD-3-Clause | 9 | 2020-09-05 - 21:12 | about 4 years |
4.3.5 | BSD-3-Clause | 9 | 2020-05-19 - 22:43 | over 4 years |
4.3.4 | BSD-3-Clause | 11 | 2020-05-19 - 00:09 | over 4 years |
4.3.3 | BSD-3-Clause | 13 | 2020-02-28 - 19:23 | over 4 years |
4.3.1 | BSD-3-Clause | 17 | 2019-12-05 - 07:38 | almost 5 years |
4.3.0 | BSD-3-Clause | 19 | 2019-11-07 - 21:05 | almost 5 years |
4.2.1 | BSD-3-Clause | 23 | 2019-10-07 - 09:44 | almost 5 years |
4.2.0 | BSD-3-Clause | 23 | 2019-09-23 - 09:25 | almost 5 years |
4.1.1 | BSD-3-Clause | 23 | 2019-09-09 - 12:20 | about 5 years |
4.1.0 | BSD-3-Clause | 23 | 2019-08-08 - 19:55 | about 5 years |
4.0.1 | BSD-3-Clause | 23 | 2019-07-11 - 17:52 | about 5 years |
4.0.0 | BSD-3-Clause | 23 | 2019-06-25 - 17:46 | about 5 years |
3.12.6 | BSD-3-Clause | 13 | 2020-05-19 - 22:43 | over 4 years |
3.12.5 | BSD-3-Clause | 14 | 2020-05-19 - 00:08 | over 4 years |
3.12.4 | BSD-3-Clause | 15 | 2020-02-28 - 19:49 | over 4 years |
3.12.2 | BSD-3-Clause | 17 | 2019-12-05 - 07:43 | almost 5 years |
3.12.1 | BSD-3-Clause | 18 | 2019-03-19 - 18:07 | over 5 years |
3.12.0 | BSD-3-Clause | 18 | 2018-07-13 - 16:10 | about 6 years |
3.11.4 | BSD-3-Clause | 23 | 2018-04-12 - 19:40 | over 6 years |
3.11.3 | BSD-3-Clause | 23 | 2018-03-06 - 05:42 | over 6 years |
3.11.2 | BSD-3-Clause | 23 | 2018-01-19 - 19:24 | over 6 years |
3.11.1 | BSD-3-Clause | 23 | 2018-01-19 - 04:49 | over 6 years |
3.11.0 | BSD-3-Clause | 23 | 2017-11-20 - 16:29 | almost 7 years |
3.10.0 | BSD-3-Clause | 23 | 2017-08-17 - 19:25 | about 7 years |
3.9.1 | BSD-3-Clause | 23 | 2017-06-03 - 14:04 | over 7 years |
3.9.0 | BSD-3-Clause | 23 | 2017-06-01 - 15:40 | over 7 years |
3.8.2 | BSD-3-Clause | 23 | 2017-03-14 - 17:57 | over 7 years |
3.8.1 | BSD-3-Clause | 23 | 2017-03-10 - 17:20 | over 7 years |
3.8.0 | BSD-3-Clause | 23 | 2017-03-09 - 22:28 | over 7 years |
3.7.1 | BSD-3-Clause | 23 | 2017-02-20 - 15:19 | over 7 years |
3.7.0 | BSD-3-Clause | 23 | 2017-01-28 - 00:36 | over 7 years |
3.6.2 | BSD-3-Clause | 23 | 2016-11-22 - 23:57 | almost 8 years |
3.6.1 | BSD-3-Clause | 23 | 2016-11-21 - 19:08 | almost 8 years |
3.6.0 | BSD-3-Clause | 23 | 2016-07-25 - 05:18 | about 8 years |
3.5.2 | BSD-3-Clause | 23 | 2016-07-20 - 17:59 | about 8 years |
3.5.1 | BSD-3-Clause | 23 | 2016-07-20 - 17:55 | about 8 years |
3.5.0 | BSD-3-Clause | 23 | 2016-07-19 - 05:08 | about 8 years |
3.4.0 | BSD-3-Clause | 23 | 2016-04-07 - 22:07 | over 8 years |
3.3.0 | BSD-3-Clause | 23 | 2016-04-05 - 16:29 | over 8 years |
3.2.0 | BSD-3-Clause | 23 | 2016-03-20 - 21:21 | over 8 years |
3.1.1 | BSD-3-Clause | 23 | 2016-03-18 - 04:33 | over 8 years |
3.1.0 | BSD-3-Clause | 23 | 2016-03-06 - 00:34 | over 8 years |
3.0.2 | BSD-3-Clause | 23 | 2016-02-26 - 18:39 | over 8 years |
3.0.1 | BSD-3-Clause | 23 | 2016-02-26 - 03:44 | over 8 years |
3.0.0 | BSD-3-Clause | 23 | 2016-02-25 - 22:25 | over 8 years |
3.0.0.rc1 | BSD-3-Clause | 23 | 2016-02-20 - 01:27 | over 8 years |
2.16.0 | BSD-3-Clause | 23 | 2016-01-28 - 03:58 | over 8 years |
2.15.3 | BSD-3-Clause | 23 | 2015-11-07 - 17:19 | almost 9 years |
2.15.2 | BSD-3-Clause | 23 | 2015-11-06 - 23:35 | almost 9 years |
2.15.1 | BSD-3-Clause | 23 | 2015-11-06 - 23:31 | almost 9 years |
2.15.0 | BSD-3-Clause | 23 | 2015-11-06 - 19:08 | almost 9 years |
2.14.0 | BSD-3-Clause | 23 | 2015-09-18 - 16:57 | about 9 years |