Version in base suite: 3.12.0-2
Base version: puma_3.12.0-2
Target version: puma_3.12.0-2+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/puma/puma_3.12.0-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/puma/puma_3.12.0-2+deb10u1.dsc
changelog | 10 ++++++
control | 2 -
patches/CVE-2019-16770.patch | 69 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
4 files changed, 81 insertions(+), 1 deletion(-)
gpgv: Signature made Sun Feb 10 13:28:44 2019 UTC
gpgv: using RSA key FCE16DAF5F3841A37A74F3200B76920762A6B785
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmpcrdhf78s/puma_3.12.0-2.dsc
diff -Nru puma-3.12.0/debian/changelog puma-3.12.0/debian/changelog
--- puma-3.12.0/debian/changelog 2019-02-10 13:26:47.000000000 +0000
+++ puma-3.12.0/debian/changelog 2020-03-03 23:15:43.000000000 +0000
@@ -1,3 +1,13 @@
+puma (3.12.0-2+deb10u1) buster; urgency=medium
+
+ * Team upload.
+ * d/control (Vcs-Git): Add branch.
+ * d/patches/CVE-2019-16770.patch: Add patch.
+ - Backport fix for CVE-2019-16770 from upstream (closes: #946312).
+ * d/patches/series: Add patch.
+
+ -- Daniel Leidert Wed, 04 Mar 2020 00:15:43 +0100
+
 puma (3.12.0-2) unstable; urgency=medium
 
 * Disable tests failing in single cpu (Closes: #921931)
diff -Nru puma-3.12.0/debian/control puma-3.12.0/debian/control
--- puma-3.12.0/debian/control 2019-02-10 05:26:41.000000000 +0000
+++ puma-3.12.0/debian/control 2020-03-03 23:15:43.000000000 +0000
@@ -9,7 +9,7 @@
 rake,
 ruby-rack,
 Standards-Version: 4.3.0
-Vcs-Git: https://salsa.debian.org/ruby-team/puma.git
+Vcs-Git: https://salsa.debian.org/ruby-team/puma.git -b debian/buster
 Vcs-Browser: https://salsa.debian.org/ruby-team/puma
 Homepage: http://puma.io
 Testsuite: autopkgtest-pkg-ruby
diff -Nru puma-3.12.0/debian/patches/CVE-2019-16770.patch puma-3.12.0/debian/patches/CVE-2019-16770.patch
--- puma-3.12.0/debian/patches/CVE-2019-16770.patch 1970-01-01 00:00:00.000000000 +0000
+++ puma-3.12.0/debian/patches/CVE-2019-16770.patch 2020-03-03 23:15:43.000000000 +0000
@@ -0,0 +1,69 @@
+From: Nate Berkopec
+Date: Thu, 5 Dec 2019 14:19:32 +0700
+Subject: Merge pull request from GHSA-7xx3-m584-x994
+
+could monopolize a thread. Previously, this could make a DoS attack more
+severe.
+
+Co-authored-by: Evan Phoenix
+
+Debian-Bug: https://bugs.debian.org/946312
+Acked-By: Daniel Leidert
+Origin: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e.patch
+---
+ lib/puma/const.rb | 7 +++++++
+ lib/puma/server.rb | 16 +++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/lib/puma/const.rb b/lib/puma/const.rb
+index f9e0a2a..7fc105c 100644
+--- a/lib/puma/const.rb
++++ b/lib/puma/const.rb
+@@ -116,6 +116,13 @@ module Puma
+ # sending data back
+ WRITE_TIMEOUT = 10
+ 
++ # How many requests to attempt inline before sending a client back to
++ # the reactor to be subject to normal ordering. The idea here is that
++ # we amortize the cost of going back to the reactor for a well behaved
++ # but very "greedy" client across 10 requests. This prevents a not
++ # well behaved client from monopolizing the thread forever.
++ MAX_FAST_INLINE = 10
++
+ # The original URI requested by the client.
+ REQUEST_URI= 'REQUEST_URI'.freeze
+ REQUEST_PATH = 'REQUEST_PATH'.freeze
+diff --git a/lib/puma/server.rb b/lib/puma/server.rb
+index e2e862f..66a982a 100644
+--- a/lib/puma/server.rb
++++ b/lib/puma/server.rb
+@@ -468,6 +468,8 @@ module Puma
+ clean_thread_locals = @options[:clean_thread_locals]
+ close_socket = true
+ 
++ requests = 0
++
+ while true
+ case handle_request(client, buffer)
+ when false
+@@ -481,7 +483,19 @@ module Puma
+ 
+ ThreadPool.clean_thread_locals if clean_thread_locals
+ 
+- unless client.reset(@status == :run)
++ requests += 1
++
++ check_for_more_data = @status == :run
++
++ if requests >= MAX_FAST_INLINE
++ # This will mean that reset will only try to use the data it already
++ # has buffered and won't try to read more data. What this means is that
++ # every client, independent of their request speed, gets treated like a slow
++ # one once every MAX_FAST_INLINE requests.
++ check_for_more_data = false
++ end
++
++ unless client.reset(check_for_more_data)
+ close_socket = false
+ client.set_timeout @persistent_timeout
+ @reactor.add client
diff -Nru puma-3.12.0/debian/patches/series puma-3.12.0/debian/patches/series
--- puma-3.12.0/debian/patches/series 2019-02-10 13:18:23.000000000 +0000
+++ puma-3.12.0/debian/patches/series 2020-03-03 23:15:43.000000000 +0000
@@ -6,3 +6,4 @@
 0007-test-test_cli.rb-disable-test-that-fails-randomly.patch
 0008-fix-ssl-tests.patch
 0009-disable-tests-failing-in-single-cpu.patch
+CVE-2019-16770.patch
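Review bot: The DEP-3 header of the new patch file begins its description mid-sentence (`could monopolize a thread. Previously, this could make a DoS attack more severe.`), so the file never states which vulnerability it fixes or how; the first line of the upstream commit message appears to have been dropped when the header was adapted. Add a `Description:` field above `Debian-Bug:`, e.g. `Description: CVE-2019-16770: bound the number of keep-alive requests a single client is served inline (MAX_FAST_INLINE) before it is handed back to the reactor, so a fast client cannot monopolize a server thread.` On the code side, `MAX_FAST_INLINE` is defined in `Puma::Const` but used unqualified in `lib/puma/server.rb`, which only resolves if `Puma::Server` includes `Puma::Const` as it does upstream; that include is not visible in this hunk, so it is worth confirming against the 3.12.0 tree the patch is applied to. The limit is a hard-coded constant with no operator-facing knob, and the embedded diffstat shows only `lib/puma/const.rb` and `lib/puma/server.rb` changing, so no regression test accompanies the backport and the package's partly disabled test suite will not exercise the new reactor hand-off. The enclosing method whose loop is modified starts and ends outside the hunk.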