Package details: pkg:rpm/redhat/tfm-rubygem-puma@5.3.2-1?arch=el7sat
purl pkg:rpm/redhat/tfm-rubygem-puma@5.3.2-1?arch=el7sat
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (1)
Vulnerability: VCID-q37p-vzmm-aken
Aliases: CVE-2021-29509, GHSA-q28m-8xjw-8vr5

Summary: Puma's Keepalive Connections Causing Denial Of Service

This vulnerability is related to [CVE-2019-16770](https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994).

### Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.

A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

### Patches

This problem has been fixed in `puma` 4.3.8 and 5.3.1.

### Workarounds

Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. [slowloris](https://en.wikipedia.org/wiki/Slowloris_(computer_security))).

The fix is very small. [A git patch is available here](https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837) for those using [unsupported versions](https://github.com/puma/puma/security/policy#supported-versions) of Puma.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Puma](https://github.com/puma/puma).
* To report problems with this fix or to report another vulnerability, see [our security policy.](https://github.com/puma/puma/security/policy)

### Acknowledgements

Thank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue. Thank you to @ioquatix for providing a modified fork of `wrk` which made debugging this issue much easier.

Fixed by: There are no reported fixed by versions.
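The starvation mechanism the advisory describes, as an added example that is not part of this page or of Puma's code base: a toy Ruby model of one server process with a fixed thread pool. `Conn`, `simulate` and `run_scenario` are names invented here, and the scenario is constructed. Two persistent clients (A and B) keep sending requests on their keep-alive connections while a third (C) sends a single request. Under the greedy policy a thread holds a keep-alive connection until the client closes, so with two threads C is never served. Under the cooperative policy a thread hands its connection back to the queue after each response whenever another connection is waiting, which is the general shape of the "return the connection to the reactor" fix, and C gets its turn. The per-thread `budget` stands in for wall-clock time so the run terminates; the model covers a single process only, not the multi-process cluster case the advisory mentions.

```ruby
# Toy model of keep-alive thread starvation (added example; not Puma's code).
# Names here (Conn, simulate, run_scenario) are invented for this illustration.

# A persistent (keep-alive) client connection that sends `pending` requests
# before closing.
class Conn
  attr_reader :name, :served

  def initialize(name, pending)
    @name = name
    @pending = pending
    @served = 0
  end

  # True while the client still has requests to send on this connection.
  def pending?
    @pending > 0
  end

  # Handle one request/response cycle on this connection.
  def serve_one
    @pending -= 1
    @served += 1
  end
end

# Run `threads` worker threads over a queue of already-accepted connections.
# Each thread serves at most `budget` requests in total; the budget stands in
# for wall-clock time so the simulation terminates. Policies:
#   :greedy      - a thread keeps a keep-alive connection until the client
#                  closes (the behaviour the advisory describes).
#   :cooperative - after each response, if another connection is waiting,
#                  the connection goes to the back of the queue and the thread
#                  picks up the waiting one.
# Returns a hash of connection name => requests served.
def simulate(conns, threads:, budget:, policy:)
  queue = Queue.new
  conns.each { |c| queue << c }

  workers = Array.new(threads) do
    Thread.new do
      served = 0
      while served < budget
        begin
          conn = queue.pop(true) # non-blocking; stop when nothing is waiting
        rescue ThreadError
          break
        end

        while conn.pending? && served < budget
          conn.serve_one
          served += 1
          # Cooperative policy: another connection is waiting, so yield the
          # thread to it instead of looping on this one.
          if policy == :cooperative && conn.pending? && !queue.empty?
            queue << conn
            break
          end
        end
      end
    end
  end
  workers.each(&:join)

  conns.to_h { |c| [c.name, c.served] }
end

# Constructed scenario: two greedy keep-alive clients and one client with a
# single request, served by a pool of two threads.
def run_scenario(policy)
  conns = [Conn.new("A", 1_000), Conn.new("B", 1_000), Conn.new("C", 1)]
  simulate(conns, threads: 2, budget: 20, policy: policy)
end

if __FILE__ == $PROGRAM_NAME
  puts "greedy:      #{run_scenario(:greedy)}"       # C never served
  puts "cooperative: #{run_scenario(:cooperative)}"  # C served once
end
```

The greedy run is the denial of service: every request C sends sits behind A and B forever, no matter how long the budget. The cooperative run is fair, but each hand-back is a scheduling round trip, which is why the advisory's `queue_requests false` workaround (no request buffering at all) is only sensible behind a reverse proxy that absorbs slow clients. Note also that this record flags `tfm-rubygem-puma` 5.3.2-1 as affected with no fixed-by version on the strength of the Red Hat CVE data cited in the history below, even though the advisory's upstream fix landed in 5.3.1; whether the RPM carries the fix is a question for that Red Hat record, not for the upstream version number alone.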
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-04-01T14:02:19.716232+00:00 | RedHat Importer | Affected by | VCID-q37p-vzmm-aken | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29509.json | 38.0.0 |