6.4.3

puma · Sep 19, 2024 · e867e53 · e867e53
1 parent 63a27b5
commit e867e53
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/History.md b/History.md
@@ -1,3 +1,8 @@
+## 6.4.3 / 2024-09-19
+
+* Security
+  * Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). ([CVE-2024-45614](https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4)/GHSA-9hf4-67fc-4vf4)
+
 ## 6.4.2 / 2024-01-08
 
 * Security

diff --git a/lib/puma/const.rb b/lib/puma/const.rb
@@ -100,7 +100,7 @@ class UnsupportedOption < RuntimeError
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "6.4.2"
+    PUMA_VERSION = VERSION = "6.4.3"
     CODE_NAME = "The Eagle of Durango"
 
     PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze