Vulnerability-Lookup

URL	Tags
https://github.com/puma/puma/security/advisories/…	x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST

Vendor	Product	Version
puma	puma	Affected: < 4.3.1 , < 4.3.1 (custom)

OPENSUSE-SU-2024:11847-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.1-rubygem-puma-5.6.2-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.1-rubygem-puma-5.6.2-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.1-rubygem-puma-5.6.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-11847

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23634

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

13 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2022-23634/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2022-23634	external
https://bugzilla.suse.com/1196222	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.1-rubygem-puma-5.6.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.1-rubygem-puma-5.6.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11847",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11847-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      }
    ],
    "title": "ruby3.1-rubygem-puma-5.6.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11847-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
                  "product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
                  "product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
                  "product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64",
                  "product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64"
        },
        "product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le"
        },
        "product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x"
        },
        "product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
        },
        "product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    }
  ]
}

OPENSUSE-SU-2024:12592-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.1-rubygem-puma-5-5.6.5-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.1-rubygem-puma-5-5.6.5-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.1-rubygem-puma-5-5.6.5-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-12592

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2021-29509

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2021-41136

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64	—	Vendor Fix

Threats

Impact low

CVE-2022-24790

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64	—	Vendor Fix

Threats

Impact important

References

19 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2021-29509/	self
https://www.suse.com/security/cve/CVE-2021-41136/	self
https://www.suse.com/security/cve/CVE-2022-24790/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2021-29509	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2021-41136	external
https://bugzilla.suse.com/1191681	external
https://www.suse.com/security/cve/CVE-2022-24790	external
https://bugzilla.suse.com/1197818	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.1-rubygem-puma-5-5.6.5-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.1-rubygem-puma-5-5.6.5-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12592",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12592-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-29509 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-29509/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-41136 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-41136/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-24790 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-24790/"
      }
    ],
    "title": "ruby3.1-rubygem-puma-5-5.6.5-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12592-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
                  "product_id": "ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
                  "product_id": "ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
                  "product_id": "ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64",
                  "product_id": "ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64"
        },
        "product_reference": "ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le"
        },
        "product_reference": "ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x"
        },
        "product_reference": "ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
        },
        "product_reference": "ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2021-29509",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-29509"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-29509",
          "url": "https://www.suse.com/security/cve/CVE-2021-29509"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2021-29509",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-29509"
    },
    {
      "cve": "CVE-2021-41136",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-41136"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request\u0027s body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-41136",
          "url": "https://www.suse.com/security/cve/CVE-2021-41136"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1191681 for CVE-2021-41136",
          "url": "https://bugzilla.suse.com/1191681"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2021-41136"
    },
    {
      "cve": "CVE-2022-24790",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-24790"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-24790",
          "url": "https://www.suse.com/security/cve/CVE-2022-24790"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1197818 for CVE-2022-24790",
          "url": "https://bugzilla.suse.com/1197818"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5-5.6.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-24790"
    }
  ]
}

OPENSUSE-SU-2024:12900-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.2-rubygem-puma-6.0.0-2.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.2-rubygem-puma-6.0.0-2.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.2-rubygem-puma-6.0.0-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-12900

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23634

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

13 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2022-23634/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2022-23634	external
https://bugzilla.suse.com/1196222	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.2-rubygem-puma-6.0.0-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.2-rubygem-puma-6.0.0-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12900",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12900-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      }
    ],
    "title": "ruby3.2-rubygem-puma-6.0.0-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12900-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
                "product": {
                  "name": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
                  "product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
                "product": {
                  "name": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
                  "product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
                "product": {
                  "name": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
                  "product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64",
                "product": {
                  "name": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64",
                  "product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64"
        },
        "product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le"
        },
        "product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x"
        },
        "product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
        },
        "product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    }
  ]
}

OPENSUSE-SU-2024:13166-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.2-rubygem-puma-5-5.6.5-1.7 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.2-rubygem-puma-5-5.6.5-1.7 on GA media

Description of the patch: These are all security issues fixed in the ruby3.2-rubygem-puma-5-5.6.5-1.7 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-13166

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2021-29509

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2021-41136

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64	—	Vendor Fix

Threats

Impact low

CVE-2022-24790

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64	—	Vendor Fix

Threats

Impact important

References

19 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2021-29509/	self
https://www.suse.com/security/cve/CVE-2021-41136/	self
https://www.suse.com/security/cve/CVE-2022-24790/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2021-29509	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2021-41136	external
https://bugzilla.suse.com/1191681	external
https://www.suse.com/security/cve/CVE-2022-24790	external
https://bugzilla.suse.com/1197818	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.2-rubygem-puma-5-5.6.5-1.7 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.2-rubygem-puma-5-5.6.5-1.7 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13166",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13166-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-29509 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-29509/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-41136 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-41136/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-24790 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-24790/"
      }
    ],
    "title": "ruby3.2-rubygem-puma-5-5.6.5-1.7 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13166-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
                "product": {
                  "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
                  "product_id": "ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
                "product": {
                  "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
                  "product_id": "ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
                "product": {
                  "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
                  "product_id": "ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64",
                "product": {
                  "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64",
                  "product_id": "ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64"
        },
        "product_reference": "ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le"
        },
        "product_reference": "ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x"
        },
        "product_reference": "ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
        },
        "product_reference": "ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2021-29509",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-29509"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-29509",
          "url": "https://www.suse.com/security/cve/CVE-2021-29509"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2021-29509",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-29509"
    },
    {
      "cve": "CVE-2021-41136",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-41136"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request\u0027s body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-41136",
          "url": "https://www.suse.com/security/cve/CVE-2021-41136"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1191681 for CVE-2021-41136",
          "url": "https://bugzilla.suse.com/1191681"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2021-41136"
    },
    {
      "cve": "CVE-2022-24790",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-24790"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-24790",
          "url": "https://www.suse.com/security/cve/CVE-2022-24790"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1197818 for CVE-2022-24790",
          "url": "https://bugzilla.suse.com/1197818"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-5-5.6.5-1.7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-24790"
    }
  ]
}

OPENSUSE-SU-2024:13720-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.3-rubygem-puma-6.4.2-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.3-rubygem-puma-6.4.2-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.3-rubygem-puma-6.4.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-13720

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23634

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

13 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2022-23634/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2022-23634	external
https://bugzilla.suse.com/1196222	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.3-rubygem-puma-6.4.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.3-rubygem-puma-6.4.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13720",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13720-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      }
    ],
    "title": "ruby3.3-rubygem-puma-6.4.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13720-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
                "product": {
                  "name": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
                  "product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
                "product": {
                  "name": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
                  "product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
                "product": {
                  "name": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
                  "product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64",
                "product": {
                  "name": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64",
                  "product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64"
        },
        "product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le"
        },
        "product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x"
        },
        "product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
        },
        "product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    }
  ]
}

OPENSUSE-SU-2024:13721-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.3-rubygem-puma-5-5.6.8-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.3-rubygem-puma-5-5.6.8-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.3-rubygem-puma-5-5.6.8-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-13721

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2021-29509

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2021-41136

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64	—	Vendor Fix

Threats

Impact low

CVE-2022-24790

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64	—	Vendor Fix

Threats

Impact important

References

19 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2021-29509/	self
https://www.suse.com/security/cve/CVE-2021-41136/	self
https://www.suse.com/security/cve/CVE-2022-24790/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2021-29509	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2021-41136	external
https://bugzilla.suse.com/1191681	external
https://www.suse.com/security/cve/CVE-2022-24790	external
https://bugzilla.suse.com/1197818	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.3-rubygem-puma-5-5.6.8-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.3-rubygem-puma-5-5.6.8-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13721",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13721-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-29509 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-29509/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-41136 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-41136/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-24790 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-24790/"
      }
    ],
    "title": "ruby3.3-rubygem-puma-5-5.6.8-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13721-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
                "product": {
                  "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
                  "product_id": "ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
                "product": {
                  "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
                  "product_id": "ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
                "product": {
                  "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
                  "product_id": "ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64",
                "product": {
                  "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64",
                  "product_id": "ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64"
        },
        "product_reference": "ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le"
        },
        "product_reference": "ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x"
        },
        "product_reference": "ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
        },
        "product_reference": "ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2021-29509",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-29509"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-29509",
          "url": "https://www.suse.com/security/cve/CVE-2021-29509"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2021-29509",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-29509"
    },
    {
      "cve": "CVE-2021-41136",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-41136"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request\u0027s body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-41136",
          "url": "https://www.suse.com/security/cve/CVE-2021-41136"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1191681 for CVE-2021-41136",
          "url": "https://bugzilla.suse.com/1191681"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2021-41136"
    },
    {
      "cve": "CVE-2022-24790",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-24790"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-24790",
          "url": "https://www.suse.com/security/cve/CVE-2022-24790"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1197818 for CVE-2022-24790",
          "url": "https://bugzilla.suse.com/1197818"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-5-5.6.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-24790"
    }
  ]
}

OPENSUSE-SU-2025:15123-1

Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00

Summary

ruby3.4-rubygem-puma-6.4.3-1.3 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.4-rubygem-puma-6.4.3-1.3 on GA media

Description of the patch: These are all security issues fixed in the ruby3.4-rubygem-puma-6.4.3-1.3 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2025-15123

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23634

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-45614

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64	—	Vendor Fix

Threats

Impact moderate

References

18 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2022-23634/	self
https://www.suse.com/security/cve/CVE-2024-45614/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2022-23634	external
https://bugzilla.suse.com/1196222	external
https://www.suse.com/security/cve/CVE-2024-45614	external
https://bugzilla.suse.com/1230848	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.4-rubygem-puma-6.4.3-1.3 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.4-rubygem-puma-6.4.3-1.3 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15123",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15123-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:15123-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4HTCFDLUCKJZXX35RHXSTQHMCPIT5GOW/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:15123-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4HTCFDLUCKJZXX35RHXSTQHMCPIT5GOW/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45614 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45614/"
      }
    ],
    "title": "ruby3.4-rubygem-puma-6.4.3-1.3 on GA media",
    "tracking": {
      "current_release_date": "2025-05-17T00:00:00Z",
      "generator": {
        "date": "2025-05-17T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15123-1",
      "initial_release_date": "2025-05-17T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-05-17T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
                "product": {
                  "name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
                  "product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
                "product": {
                  "name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
                  "product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
                "product": {
                  "name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
                  "product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
                "product": {
                  "name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
                  "product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64"
        },
        "product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le"
        },
        "product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x"
        },
        "product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
        },
        "product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    },
    {
      "cve": "CVE-2024-45614",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45614"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45614",
          "url": "https://www.suse.com/security/cve/CVE-2024-45614"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1230848 for CVE-2024-45614",
          "url": "https://bugzilla.suse.com/1230848"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-45614"
    }
  ]
}

OPENSUSE-SU-2026:10357-1

Vulnerability from csaf_opensuse - Published: 2026-03-13 00:00 - Updated: 2026-03-13 00:00

Summary

ruby4.0-rubygem-puma-6.4.3-1.5 on GA media

Severity

Moderate

Notes

Title of the patch: ruby4.0-rubygem-puma-6.4.3-1.5 on GA media

Description of the patch: These are all security issues fixed in the ruby4.0-rubygem-puma-6.4.3-1.5 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10357

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23634

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-45614

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64	—	Vendor Fix

Threats

Impact moderate

References

16 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2022-23634/	self
https://www.suse.com/security/cve/CVE-2024-45614/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2022-23634	external
https://bugzilla.suse.com/1196222	external
https://www.suse.com/security/cve/CVE-2024-45614	external
https://bugzilla.suse.com/1230848	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby4.0-rubygem-puma-6.4.3-1.5 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby4.0-rubygem-puma-6.4.3-1.5 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10357",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10357-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45614 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45614/"
      }
    ],
    "title": "ruby4.0-rubygem-puma-6.4.3-1.5 on GA media",
    "tracking": {
      "current_release_date": "2026-03-13T00:00:00Z",
      "generator": {
        "date": "2026-03-13T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10357-1",
      "initial_release_date": "2026-03-13T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-03-13T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
                "product": {
                  "name": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
                  "product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
                "product": {
                  "name": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
                  "product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
                "product": {
                  "name": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
                  "product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64",
                "product": {
                  "name": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64",
                  "product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64"
        },
        "product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le"
        },
        "product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x"
        },
        "product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
        },
        "product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-13T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-13T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-13T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    },
    {
      "cve": "CVE-2024-45614",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45614"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45614",
          "url": "https://www.suse.com/security/cve/CVE-2024-45614"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1230848 for CVE-2024-45614",
          "url": "https://bugzilla.suse.com/1230848"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-13T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-45614"
    }
  ]
}

SUSE-SU-2020:0081-1

Vulnerability from csaf_suse - Published: 2020-01-13 09:38 - Updated: 2020-01-13 09:38

Summary

Security update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client

Severity

Moderate

Notes

Title of the patch: Security update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client

Description of the patch: This update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client contains the following fixes: Security issue fixed for rubygem-puma: - CVE-2019-16770: Fixed a potential denial of service in Puma's reactor (bsc#1158675, jsc#SOC-10999) Security issue fixed for rubygem-rest-client: - CVE-2015-3448: Fixed a plain text local password disclosure. (bsc#917802) Updates for crowbar-core: - Update to version 4.0+git.1574788924.e4a6aeb0c: * Allow pacemaker remotes for upgrade (SOC-10133) - Update to version 4.0+git.1574713660.972029d1a: * Ignore CVE-2019-13117 in CI builds (bsc#1157028) Updates for crowbar-openstack: - Update to version 4.0+git.1574869671.9c7bade2d: * tempest: configure Kibana version (SOC-10131) - Update to version 4.0+git.1574764112.c260c70e5: * horizon: install lbaas horizon dashboard (SOC-10883) Updates for openstack-horizon-plugin-monasca-ui: - Refresh allow-raw-grafana-links.patch - update to version 1.5.5~dev3 * Replace openstack.org git:// URLs with https:// * Fix the partial missing metrics in Create Alarm Definition flow * import zuul job settings from project-config * Fix incorrect splitting of dimension in ProxyView * Fix Alarm status Panel on Overview page * Change IntegerField to ChoiceField for notification period * Imported Translations from Zanata * Display unique metric names for alarm * Fix Alarm Details section in Alarm History view * Fix validators for creating and editing notifications * Center the text for the button Deterministic * Adding title to Filter Alarms pop-up * Fix misleading validation error * Fix nit found in monasca-ui * Fix Breadcrumbs * Fix description for name field * Fixing 'Create Alarm Definition' for IE11 * Imported Translations from Zanata Updates to openstack-monasca-api: - added fix-metric-name-offset.patch (SOC-10131) - removed 0001-Fix-InfluxDB-repository-list_dimension_values-to-sup.patch (merged upstream) - update to version 1.7.1~dev18 * Replace openstack.org git:// URLs with https:// * import zuul job settings from project-config * Upgrade Apache Storm to 1.0.6 * Zuul: Remove project name Updates to openstack-monasca-log-api: - added fix-tempest-region.patch (SOC-10131) - update to version 1.4.3~dev3 * Replace openstack.org git:// URLs with https:// * import zuul job settings from project-config * Avoid tox\_install.sh for constraints support Updates to openstack-neutron: - neutron: Remove stop action from ovs-cleanup (bsc#1157482) backport of https://review.opendev.org/#/c/695867/

Patchnames: SUSE-2020-81,SUSE-OpenStack-Cloud-7-2020-81

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2015-3448

Affected products

Recommended 29 products

Product	Version	Remediation
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64	—	Vendor Fix

Threats

Impact low

CVE-2019-13117

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected products

Recommended 29 products

Product	Version	Remediation
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 29 products

Product	Version	Remediation
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64	—	Vendor Fix

Threats

Impact important

References

24 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1157028	self
https://bugzilla.suse.com/1157482	self
https://bugzilla.suse.com/1158675	self
https://bugzilla.suse.com/917802	self
https://www.suse.com/security/cve/CVE-2015-3448/	self
https://www.suse.com/security/cve/CVE-2019-13117/	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://bugzilla.suse.com/SOC-10131	self
https://bugzilla.suse.com/SOC-10133	self
https://bugzilla.suse.com/SOC-10883	self
https://bugzilla.suse.com/SOC-10999	self
https://www.suse.com/security/cve/CVE-2015-3448	external
https://bugzilla.suse.com/917802	external
https://www.suse.com/security/cve/CVE-2019-13117	external
https://bugzilla.suse.com/1140095	external
https://bugzilla.suse.com/1157028	external
https://bugzilla.suse.com/1160968	external
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client contains the following fixes:\n\nSecurity issue fixed for rubygem-puma:\n\n- CVE-2019-16770: Fixed a potential denial of service  in Puma\u0027s reactor (bsc#1158675, jsc#SOC-10999)\n\nSecurity issue fixed for rubygem-rest-client:\n\n- CVE-2015-3448: Fixed a plain text local password disclosure. (bsc#917802)\n\nUpdates for crowbar-core:\n- Update to version 4.0+git.1574788924.e4a6aeb0c:\n  * Allow pacemaker remotes for upgrade (SOC-10133)\n\n- Update to version 4.0+git.1574713660.972029d1a:\n  * Ignore CVE-2019-13117 in CI builds (bsc#1157028)\n\nUpdates for crowbar-openstack:\n- Update to version 4.0+git.1574869671.9c7bade2d:\n  * tempest: configure Kibana version (SOC-10131)\n\n- Update to version 4.0+git.1574764112.c260c70e5:\n  * horizon: install lbaas horizon dashboard (SOC-10883)\n\nUpdates for openstack-horizon-plugin-monasca-ui:\n- Refresh allow-raw-grafana-links.patch\n- update to version 1.5.5~dev3\n  * Replace openstack.org git:// URLs with https://\n  * Fix the partial missing metrics in Create Alarm Definition flow\n  * import zuul job settings from project-config\n  * Fix incorrect splitting of dimension in ProxyView\n  * Fix Alarm status Panel on Overview page\n  * Change IntegerField to ChoiceField for notification period\n  * Imported Translations from Zanata\n  * Display unique metric names for alarm\n  * Fix Alarm Details section in Alarm History view\n  * Fix validators for creating and editing notifications\n  * Center the text for the button Deterministic\n  * Adding title to Filter Alarms pop-up\n  * Fix misleading validation error\n  * Fix nit found in monasca-ui\n  * Fix Breadcrumbs\n  * Fix description for name field\n  * Fixing \u0027Create Alarm Definition\u0027 for IE11\n  * Imported Translations from Zanata\n\nUpdates to openstack-monasca-api:\n- added fix-metric-name-offset.patch (SOC-10131)\n- removed 0001-Fix-InfluxDB-repository-list_dimension_values-to-sup.patch\n  (merged upstream)\n- update to version 1.7.1~dev18\n  * Replace openstack.org git:// URLs with https://\n  * import zuul job settings from project-config\n  * Upgrade Apache Storm to 1.0.6\n  * Zuul: Remove project name\n\nUpdates to openstack-monasca-log-api:\n- added fix-tempest-region.patch (SOC-10131)\n- update to version 1.4.3~dev3\n  * Replace openstack.org git:// URLs with https://\n  * import zuul job settings from project-config\n  * Avoid tox\\_install.sh for constraints support\n\nUpdates to openstack-neutron:\n- neutron: Remove stop action from ovs-cleanup (bsc#1157482)\n  backport of https://review.opendev.org/#/c/695867/\n  ",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2020-81,SUSE-OpenStack-Cloud-7-2020-81",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_0081-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2020:0081-1",
        "url": "https://www.suse.com/support/update/announcement/2020/suse-su-20200081-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2020:0081-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2020-January/006330.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1157028",
        "url": "https://bugzilla.suse.com/1157028"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1157482",
        "url": "https://bugzilla.suse.com/1157482"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1158675",
        "url": "https://bugzilla.suse.com/1158675"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 917802",
        "url": "https://bugzilla.suse.com/917802"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-3448 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-3448/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-13117 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-13117/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug SOC-10131",
        "url": "https://bugzilla.suse.com/SOC-10131"
      },
      {
        "category": "self",
        "summary": "SUSE Bug SOC-10133",
        "url": "https://bugzilla.suse.com/SOC-10133"
      },
      {
        "category": "self",
        "summary": "SUSE Bug SOC-10883",
        "url": "https://bugzilla.suse.com/SOC-10883"
      },
      {
        "category": "self",
        "summary": "SUSE Bug SOC-10999",
        "url": "https://bugzilla.suse.com/SOC-10999"
      }
    ],
    "title": "Security update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client",
    "tracking": {
      "current_release_date": "2020-01-13T09:38:16Z",
      "generator": {
        "date": "2020-01-13T09:38:16Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2020:0081-1",
      "initial_release_date": "2020-01-13T09:38:16Z",
      "revision_history": [
        {
          "date": "2020-01-13T09:38:16Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
                "product": {
                  "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
                  "product_id": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
                "product": {
                  "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
                  "product_id": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
                "product": {
                  "name": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
                  "product_id": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
                  "product_id": "ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.aarch64",
                  "product_id": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.aarch64",
                  "product_id": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.aarch64",
                  "product_id": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.aarch64",
                  "product_id": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
                "product": {
                  "name": "crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
                  "product_id": "crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
                "product": {
                  "name": "grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
                  "product_id": "grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
                "product": {
                  "name": "openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
                  "product_id": "openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-monasca-api-1.7.1~dev18-12.1.noarch",
                "product": {
                  "name": "openstack-monasca-api-1.7.1~dev18-12.1.noarch",
                  "product_id": "openstack-monasca-api-1.7.1~dev18-12.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
                "product": {
                  "name": "openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
                  "product_id": "openstack-monasca-log-api-1.4.3~dev3-5.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-server-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-test-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "openstack-neutron-test-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "openstack-neutron-test-9.4.2~dev21-7.38.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
                "product": {
                  "name": "python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
                  "product_id": "python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python-monasca-api-1.7.1~dev18-12.1.noarch",
                "product": {
                  "name": "python-monasca-api-1.7.1~dev18-12.1.noarch",
                  "product_id": "python-monasca-api-1.7.1~dev18-12.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python-monasca-log-api-1.4.3~dev3-5.1.noarch",
                "product": {
                  "name": "python-monasca-log-api-1.4.3~dev3-5.1.noarch",
                  "product_id": "python-monasca-log-api-1.4.3~dev3-5.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python-neutron-9.4.2~dev21-7.38.1.noarch",
                "product": {
                  "name": "python-neutron-9.4.2~dev21-7.38.1.noarch",
                  "product_id": "python-neutron-9.4.2~dev21-7.38.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.ppc64le",
                "product": {
                  "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.ppc64le",
                  "product_id": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.ppc64le",
                "product": {
                  "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.ppc64le",
                  "product_id": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.ppc64le",
                "product": {
                  "name": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.ppc64le",
                  "product_id": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-puma-2.16.0-4.3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
                "product": {
                  "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
                  "product_id": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
                "product": {
                  "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
                  "product_id": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
                "product": {
                  "name": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
                  "product_id": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
                  "product_id": "ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.s390x",
                  "product_id": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.s390x",
                  "product_id": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.s390x",
                  "product_id": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.s390x",
                  "product_id": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
                "product": {
                  "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
                  "product_id": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
                "product": {
                  "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
                  "product_id": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
                "product": {
                  "name": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
                  "product_id": "crowbar-core-devel-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64",
                  "product_id": "ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.x86_64",
                  "product_id": "ruby2.1-rubygem-puma-doc-2.16.0-4.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.x86_64",
                  "product_id": "ruby2.1-rubygem-rest-client-1_6-1.6.7-3.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.x86_64",
                  "product_id": "ruby2.1-rubygem-rest-client-doc-1_6-1.6.7-3.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.x86_64",
                  "product_id": "ruby2.1-rubygem-rest-client-testsuite-1_6-1.6.7-3.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud 7",
                "product": {
                  "name": "SUSE OpenStack Cloud 7",
                  "product_id": "SUSE OpenStack Cloud 7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64"
        },
        "product_reference": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x"
        },
        "product_reference": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64"
        },
        "product_reference": "crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64"
        },
        "product_reference": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x"
        },
        "product_reference": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64"
        },
        "product_reference": "crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch"
        },
        "product_reference": "crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch"
        },
        "product_reference": "grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch"
        },
        "product_reference": "openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-monasca-api-1.7.1~dev18-12.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch"
        },
        "product_reference": "openstack-monasca-api-1.7.1~dev18-12.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-monasca-log-api-1.4.3~dev3-5.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch"
        },
        "product_reference": "openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-server-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch"
        },
        "product_reference": "python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-monasca-api-1.7.1~dev18-12.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch"
        },
        "product_reference": "python-monasca-api-1.7.1~dev18-12.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-monasca-log-api-1.4.3~dev3-5.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch"
        },
        "product_reference": "python-monasca-log-api-1.4.3~dev3-5.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-neutron-9.4.2~dev21-7.38.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch"
        },
        "product_reference": "python-neutron-9.4.2~dev21-7.38.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64"
        },
        "product_reference": "ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x"
        },
        "product_reference": "ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64"
        },
        "product_reference": "ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-3448",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-3448"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
          "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
          "SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
          "SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch",
          "SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch",
          "SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-3448",
          "url": "https://www.suse.com/security/cve/CVE-2015-3448"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 917802 for CVE-2015-3448",
          "url": "https://bugzilla.suse.com/917802"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch",
            "SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch",
            "SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-01-13T09:38:16Z",
          "details": "low"
        }
      ],
      "title": "CVE-2015-3448"
    },
    {
      "cve": "CVE-2019-13117",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-13117"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
          "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
          "SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
          "SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch",
          "SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch",
          "SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-13117",
          "url": "https://www.suse.com/security/cve/CVE-2019-13117"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1140095 for CVE-2019-13117",
          "url": "https://bugzilla.suse.com/1140095"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1157028 for CVE-2019-13117",
          "url": "https://bugzilla.suse.com/1157028"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1160968 for CVE-2019-13117",
          "url": "https://bugzilla.suse.com/1160968"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch",
            "SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch",
            "SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch",
            "SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch",
            "SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-01-13T09:38:16Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-13117"
    },
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
          "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
          "SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
          "SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch",
          "SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch",
          "SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch",
            "SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch",
            "SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-monasca-ui-drilldown-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-monasca-api-1.7.1~dev18-12.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-monasca-log-api-1.4.3~dev3-5.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-doc-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-ha-tool-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-l3-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-metering-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-server-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1.noarch",
            "SUSE OpenStack Cloud 7:python-monasca-api-1.7.1~dev18-12.1.noarch",
            "SUSE OpenStack Cloud 7:python-monasca-log-api-1.4.3~dev3-5.1.noarch",
            "SUSE OpenStack Cloud 7:python-neutron-9.4.2~dev21-7.38.1.noarch",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-puma-2.16.0-4.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-01-13T09:38:16Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    }
  ]
}

SUSE-SU-2020:0311-1

Vulnerability from csaf_suse - Published: 2020-02-03 17:18 - Updated: 2020-02-03 17:18

Summary

Security update for crowbar-core, crowbar-openstack, openstack-neutron-fwaas, rubygem-crowbar-client

Severity

Critical

Notes

Title of the patch: Security update for crowbar-core, crowbar-openstack, openstack-neutron-fwaas, rubygem-crowbar-client

Description of the patch: This update for crowbar-core, crowbar-openstack, openstack-neutron-fwaas, rubygem-crowbar-client contains the following fixes: Security fixes for rubygem-crowbar-client: - CVE-2018-17954: Fixed an issue where crowbar was leaking the secret admin passwords to all nodes (bsc#1117080) Changes in crowbar-core: - Update to version 4.0+git.1578392992.fabfd186c: * Avoid nil crash when provisioner attributes are not set (bsc#1160048) - Update to version 4.0+git.1578294389.acc7385d5: * Adding CVE-2019-16770 to the ignore list, regarding SOC-10999. Changes in crowbar-openstack: - Update to version 4.0+git.1579171175.d53ab6363: * tempest: tempest run filters as templates (SOC-11052) * Add tempest filters based on services (SOC-9801) Changes in openstack-neutron-fwaas: - Remove the patch that was deleting the tempest entry point and enable tempest tests.

Patchnames: SUSE-2020-311,SUSE-OpenStack-Cloud-7-2020-311

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2018-17954

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 13 products

Product	Version	Remediation
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 13 products

Product	Version	Remediation
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x	—	Vendor Fix
Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64	—	Vendor Fix

Threats

Impact important

References

13 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1117080	self
https://bugzilla.suse.com/1160048	self
https://www.suse.com/security/cve/CVE-2018-17954/	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2018-17954	external
https://bugzilla.suse.com/1117080	external
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for crowbar-core, crowbar-openstack, openstack-neutron-fwaas, rubygem-crowbar-client",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for crowbar-core, crowbar-openstack, openstack-neutron-fwaas, rubygem-crowbar-client  contains the following fixes:\n\nSecurity fixes for rubygem-crowbar-client:\n\n- CVE-2018-17954: Fixed an issue where crowbar was leaking the secret admin passwords to all nodes (bsc#1117080)\n\nChanges in crowbar-core:\n- Update to version 4.0+git.1578392992.fabfd186c:\n  * Avoid nil crash when provisioner attributes are not set (bsc#1160048)\n\n- Update to version 4.0+git.1578294389.acc7385d5:\n  * Adding CVE-2019-16770 to the ignore list, regarding SOC-10999.\n\nChanges in crowbar-openstack:\n- Update to version 4.0+git.1579171175.d53ab6363:\n  * tempest: tempest run filters as templates (SOC-11052)\n  * Add tempest filters based on services (SOC-9801)\n\nChanges in openstack-neutron-fwaas:\n- Remove the patch that was deleting the tempest entry point and enable tempest tests.\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2020-311,SUSE-OpenStack-Cloud-7-2020-311",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_0311-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2020:0311-1",
        "url": "https://www.suse.com/support/update/announcement/2020/suse-su-20200311-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2020:0311-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2020-February/006446.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1117080",
        "url": "https://bugzilla.suse.com/1117080"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1160048",
        "url": "https://bugzilla.suse.com/1160048"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-17954 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-17954/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      }
    ],
    "title": "Security update for crowbar-core, crowbar-openstack, openstack-neutron-fwaas, rubygem-crowbar-client",
    "tracking": {
      "current_release_date": "2020-02-03T17:18:32Z",
      "generator": {
        "date": "2020-02-03T17:18:32Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2020:0311-1",
      "initial_release_date": "2020-02-03T17:18:32Z",
      "revision_history": [
        {
          "date": "2020-02-03T17:18:32Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
                "product": {
                  "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
                  "product_id": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
                "product": {
                  "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
                  "product_id": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
                "product": {
                  "name": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
                  "product_id": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64",
                  "product_id": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.aarch64",
                  "product_id": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.aarch64",
                  "product_id": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch",
                "product": {
                  "name": "crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch",
                  "product_id": "crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
                "product": {
                  "name": "openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
                  "product_id": "openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch",
                "product": {
                  "name": "openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch",
                  "product_id": "openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "openstack-neutron-fwaas-test-9.0.2~dev5-4.6.1.noarch",
                "product": {
                  "name": "openstack-neutron-fwaas-test-9.0.2~dev5-4.6.1.noarch",
                  "product_id": "openstack-neutron-fwaas-test-9.0.2~dev5-4.6.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
                "product": {
                  "name": "python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
                  "product_id": "python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.ppc64le",
                "product": {
                  "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.ppc64le",
                  "product_id": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.ppc64le",
                "product": {
                  "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.ppc64le",
                  "product_id": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.ppc64le",
                "product": {
                  "name": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.ppc64le",
                  "product_id": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
                "product": {
                  "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
                  "product_id": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
                "product": {
                  "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
                  "product_id": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
                "product": {
                  "name": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
                  "product_id": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x",
                  "product_id": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.s390x",
                  "product_id": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.s390x",
                  "product_id": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
                "product": {
                  "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
                  "product_id": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
                "product": {
                  "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
                  "product_id": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
                "product": {
                  "name": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
                  "product_id": "crowbar-core-devel-4.0+git.1578392992.fabfd186c-9.63.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64",
                  "product_id": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.x86_64",
                  "product_id": "ruby2.1-rubygem-crowbar-client-doc-3.9.1-7.17.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.x86_64",
                  "product_id": "ruby2.1-rubygem-crowbar-client-testsuite-3.9.1-7.17.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud 7",
                "product": {
                  "name": "SUSE OpenStack Cloud 7",
                  "product_id": "SUSE OpenStack Cloud 7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64"
        },
        "product_reference": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x"
        },
        "product_reference": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64"
        },
        "product_reference": "crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64"
        },
        "product_reference": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x"
        },
        "product_reference": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64"
        },
        "product_reference": "crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch"
        },
        "product_reference": "crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch"
        },
        "product_reference": "openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch"
        },
        "product_reference": "openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch"
        },
        "product_reference": "python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64"
        },
        "product_reference": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x"
        },
        "product_reference": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64"
        },
        "product_reference": "ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-17954",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-17954"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue affects: SUSE OpenStack Cloud 7 crowbar-core versions prior to 4.0+git.1578392992.fabfd186c-9.63.1, crowbar-. SUSE OpenStack Cloud 8 ardana-cinder versions prior to 8.0+git.1579279939.ee7da88-3.39.3, ardana-. SUSE OpenStack Cloud 9 ardana-ansible versions prior to 9.0+git.1581611758.f694f7d-3.16.1, ardana-. SUSE OpenStack Cloud Crowbar 8 crowbar-core versions prior to 5.0+git.1582968668.1a55c77c5-3.35.4, crowbar-. SUSE OpenStack Cloud Crowbar 9 crowbar-core versions prior to 6.0+git.1582892022.cbd70e833-3.19.3, crowbar-.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
          "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch",
          "SUSE OpenStack Cloud 7:python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-17954",
          "url": "https://www.suse.com/security/cve/CVE-2018-17954"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1117080 for CVE-2018-17954",
          "url": "https://bugzilla.suse.com/1117080"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-02-03T17:18:32Z",
          "details": "important"
        }
      ],
      "title": "CVE-2018-17954"
    },
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
          "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
          "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
          "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
          "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch",
          "SUSE OpenStack Cloud 7:python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.aarch64",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.s390x",
            "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1578392992.fabfd186c-9.63.1.x86_64",
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1579171175.d53ab6363-9.68.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:openstack-neutron-fwaas-doc-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:python-neutron-fwaas-9.0.2~dev5-4.6.1.noarch",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-crowbar-client-3.9.1-7.17.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-02-03T17:18:32Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    }
  ]
}

CVE-2019-16770 (GCVE-0-2019-16770)

Tags

Sightings

Nomenclature

Action not permitted

CVE-2019-16770 (GCVE-0-2019-16770)

Tags

Sightings

Nomenclature