6.4.3

nateberkopec · nateberkopec · commit e867e53aa4e7 · 2024-09-19T14:04:11.000+09:00
diff --git a/History.md b/History.md
@@ -1,3 +1,8 @@
+## 6.4.3 / 2024-09-19
+
+* Security
+  * Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). ([CVE-2024-45614](https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4)/GHSA-9hf4-67fc-4vf4)
+
 ## 6.4.2 / 2024-01-08
 
 * Security
diff --git a/lib/puma/const.rb b/lib/puma/const.rb
@@ -100,7 +100,7 @@ class UnsupportedOption < RuntimeError
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "6.4.2"
+    PUMA_VERSION = VERSION = "6.4.3"
     CODE_NAME = "The Eagle of Durango"
 
     PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
