DEBIAN-CVE-2021-29509
- Source
- https://security-tracker.debian.org/tracker/CVE-2021-29509
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2021-29509.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2021-29509
- Upstream
- Published
- 2021-05-11T17:15:07Z
- Modified
- 2025-09-19T06:03:26Z
- Summary
- [none]
- Details
-
Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A
pumaserver which received more concurrentkeep-aliveconnections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed inpuma4.3.8 and 5.3.1. Settingqueue_requests falsealso fixes the issue. This is not advised when usingpumawithout a reverse proxy, such asnginxorapache, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma. - References
Affected packages
Debian:11 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source
Debian:12 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source
Debian:13 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source
Debian:14 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source