VulnerableCode Package Details - pkg:deb/debian/puma@4.3.8-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-q37p-vzmm-aken	Puma's Keepalive Connections Causing Denial Of Service This vulnerability is related to [CVE-2019-16770](https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994). ### Impact The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. ### Patches This problem has been fixed in `puma` 4.3.8 and 5.3.1. ### Workarounds Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. [slowloris](https://en.wikipedia.org/wiki/Slowloris_(computer_security))). The fix is very small. [A git patch is available here](https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837) for those using [unsupported versions](https://github.com/puma/puma/security/policy#supported-versions) of Puma. ### For more information If you have any questions or comments about this advisory: * Open an issue in [Puma](https://github.com/puma/puma). * To report problems with this fix or to report another vulnerability, see [our security policy.](https://github.com/puma/puma/security/policy) ### Acknowledgements Thank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue. Thank you to @ioquatix for providing a modified fork of `wrk` which made debugging this issue much easier.	CVE-2021-29509 GHSA-q28m-8xjw-8vr5

Vulnerability

Summary

Aliases

VCID-q37p-vzmm-aken

Puma's Keepalive Connections Causing Denial Of Service This vulnerability is related to [CVE-2019-16770](https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994). ### Impact The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. ### Patches This problem has been fixed in `puma` 4.3.8 and 5.3.1. ### Workarounds Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. [slowloris](https://en.wikipedia.org/wiki/Slowloris_(computer_security))). The fix is very small. [A git patch is available here](https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837) for those using [unsupported versions](https://github.com/puma/puma/security/policy#supported-versions) of Puma. ### For more information If you have any questions or comments about this advisory: * Open an issue in [Puma](https://github.com/puma/puma). * To report problems with this fix or to report another vulnerability, see [our security policy.](https://github.com/puma/puma/security/policy) ### Acknowledgements Thank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue. Thank you to @ioquatix for providing a modified fork of `wrk` which made debugging this issue much easier.

CVE-2021-29509
GHSA-q28m-8xjw-8vr5

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:14:05.779134+00:00	Debian Importer	Fixing	VCID-q37p-vzmm-aken	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:06:43.555473+00:00	Debian Importer	Fixing	VCID-q37p-vzmm-aken	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:50:24.743195+00:00	Debian Importer	Fixing	VCID-q37p-vzmm-aken	https://security-tracker.debian.org/tracker/data/json	38.1.0