puma is vulnerable to HTTP request smuggling. When the library runs behind a proxy that does not properly validate incoming HTTP requests against the RFC 7230 standard, puma and the front-end proxy disagree on where one request starts and where it ends, which allows requests to be smuggled through the front-end proxy.
github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
github.com/puma/puma/commit/6c514e70f5ae0ff14c9b0091fa84bfa39b022025
github.com/puma/puma/commit/b8439ffc9d37f69c45bdca0a74cb49ebd9d09e66
github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
lists.debian.org/debian-lts-announce/2022/08/msg00015.html
lists.fedoraproject.org/archives/list/[email protected]/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
lists.fedoraproject.org/archives/list/[email protected]/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
lists.fedoraproject.org/archives/list/[email protected]/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
security.gentoo.org/glsa/202208-28
www.debian.org/security/2022/dsa-5146
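
A front end that rejects ambiguously framed requests removes the disagreement described above. The Ruby sketch below is an added example, not code from puma or from the advisory: it applies the general RFC 7230 framing rules (sections 3.2.4 and 3.3.3) to a raw request head and does not reproduce the specific parsing defect fixed in the linked commits. The helper name `framing_violations`, the symbols it returns and the sample requests are all constructed for illustration.

```ruby
# Added example: strict RFC 7230 framing checks for a raw request head.
# framing_violations is a hypothetical helper name, not a puma API.

# Constructed sample request heads (not captured traffic).
CLEAN     = "POST /form HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = "POST /form HTTP/1.1\r\nHost: app.example\r\n" \
            "Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"

# Returns a list of symbols naming every framing rule the head violates.
# An empty list means both hops can agree on where the request ends.
def framing_violations(head)
  lines = head.split("\r\n")
  lines.shift # the request line is not inspected here
  problems = []
  fields = Hash.new { |h, k| h[k] = [] }

  lines.each do |line|
    break if line.empty? # blank line ends the header section
    if line.start_with?(" ", "\t")
      problems << :obs_fold # 3.2.4: obsolete line folding
      next
    end
    name, value = line.split(":", 2)
    if value.nil? || name.empty? || name =~ /\s/
      problems << :malformed_field_name # 3.2.4: e.g. whitespace before ":"
      next
    end
    fields[name.downcase] << value.strip
  end

  lengths = fields["content-length"].flat_map { |v| v.split(",").map(&:strip) }
  codings = fields["transfer-encoding"].flat_map do |v|
    v.split(",").map { |c| c.strip.downcase }
  end

  # 3.3.3: the rules that decide where the message body ends.
  problems << :invalid_content_length unless lengths.all? { |v| v.match?(/\A\d+\z/) }
  problems << :conflicting_content_length if lengths.uniq.size > 1
  problems << :te_not_final_chunked if codings.any? && codings.last != "chunked"
  problems << :both_te_and_cl if codings.any? && lengths.any?
  problems.uniq
end
```

A proxy or middleware applying checks like these would answer any non-empty result with 400 and close the connection instead of forwarding the request.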