Update dependency puma to v5 [SECURITY]#111
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Author
⚠ Artifact update problemRenovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below: File name: Gemfile.lock |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
'~> 4.1'->'~> 5.0'GitHub Vulnerability Alerts
CVE-2021-41136
Impact
Prior to
pumaversion 5.5.0, usingpumawith a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as "low". Puma is only aware of a single proxy server which has this behavior.
If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.
Patches
This vulnerability was patched in Puma 5.5.1 and 4.3.9.
Workarounds
This vulnerability only affects Puma installations without any proxy in front.
Use a proxy which does not forward LF characters as line endings.
Proxies which do not forward LF characters as line endings:
Possible Breakage
If you are dealing with legacy clients that want to send
LFas a line ending in an HTTP header, this will cause those clients to receive a400error.References
For more information
If you have any questions or comments about this advisory:
CVE-2022-23634
Impact
Prior to
pumaversion5.6.2,pumamay not always callcloseon the response body. Rails, prior to version7.0.2.2, depended on the response body being closed in order for itsCurrentAttributesimplementation to work correctly.From Rails:
The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.
Patches
This problem is fixed in Puma versions 5.6.2 and 4.3.11.
This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
See:
GHSA-wh98-p28r-vrc9
for details about the rails vulnerability
Upgrading to a patched Rails or Puma version fixes the vulnerability.
Workarounds
Upgrade to Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
The Rails CVE includes a middleware that can be used instead.
References
For more information
If you have any questions or comments about this advisory:
CVE-2022-24790
When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.
The following vulnerabilities are addressed by this advisory:
Transfer-Encodingheaders, when unsupported encodings should be rejected and the final encoding must bechunked.Content-Lengthheaders and chunk sizes, when only digits and hex digits should be allowed.Content-Lengthheaders, when they should be rejected.\r\n.The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
These proxy servers are known to have "good" behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.
CVE-2023-40175
Impact
Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.
The following vulnerabilities are addressed by this advisory:
Patches
The vulnerability has been fixed in 6.3.1 and 5.6.7.
Workarounds
No known workarounds.
References
HTTP Request Smuggling
For more information
If you have any questions or comments about this advisory:
Open an issue in Puma
See our security policy
Release Notes
puma/puma (puma)
v5.6.7Compare Source
v5.6.6Compare Source
v5.6.5Compare Source
Feature
Bugfixes
v5.6.4Compare Source
v5.6.2Compare Source
closed. (GHSA-rmj8-8hhh-gv5h, related to [#2809])v5.6.1Compare Source
v5.6.0Compare Source
Features
localhostintegration inssl_bind([#2764], [#2708])Bugfixes
Errno::EBADF) for@notify.close([#2745])Refactor
v5.5.2Compare Source
v5.5.1Compare Source
Feature (added as mistake - we don't normally do this on bugfix releases, sorry!)
Security
v5.5.0Compare Source
Features
Bugfixes
Performance
v5.4.0Compare Source
Features
rack_url_schemeto Puma::DSL, allows setting ofrack.url_schemeheader ([#2586], [#2569])Bugfixes
Binder#parse- allow for symlinked unix path, add create_activated_fds debug ENV ([#2643], [#2638])Refactor
IO.selectwithIO#wait_*when checking a single IO ([#2666])v5.3.2Compare Source
v5.3.1Compare Source
v5.3.0Compare Source
Features
Bugfixes
Performance
Refactor
wait_for_less_busy_workerfeature ([#2579])v5.2.2Compare Source
#flushand#syncmethods toPuma::NullIO([#2553])sync=trueonSTDOUTandSTDERRstreams ([#2557])v5.2.1Compare Source
@env[CONTENT_LENGTH]value as string. ([#2549])v5.2.0Compare Source
Features
flushafter writing messages to avoid mutating $stdout and $stderr usingsync=true([#2486])Bugfixes
#stringmethod toPuma::NullIO([#2520])Refactor
Server#read_body([#2531])MAKE_WARNINGS_INTO_ERRORS([#1953])v5.1.1Compare Source
v5.1.0Compare Source
Features
PUMA_LOG_CONFIGis present ([#2472])QUERY_STRINGmax length ([#2485])Bugfixes
jsongem ([#2473])jsongem to fix phased restart errors ([#2479])v5.0.4Compare Source
preload_app([#2461], [#2454])v5.0.3Compare Source
Bugfixes
Bundler::GemNotFounderrors fornio4rgem during phased restarts ([#2427], [#2018])on_bootedafter server starts ([#2431], [#2212])Refactor
v5.0.2Compare Source
v5.0.1Compare Source
Bugfixes
Refactor
v5.0.0Compare Source
Features
fork_workeroption andreforkcommand for reduced memory usage by forking from a worker process instead of the master process. ([#2099])wait_for_less_busy_workerconfig. This may reduce latency on MRI through inserting a small delay before re-listening on the socket if worker is busy ([#2079]).nakayoshi_forkoption. Reduce memory usage in preloaded cluster-mode apps by GCing before fork and compacting, where available. ([#2093], [#2256])thread-backtracescommand to print thread backtraces ([#2054])requests_counttoPuma.stats. ([#2106])lowlevel_error_handleris now called during a forced threadpool shutdown, and if a callable with 3 arguments is set, we now also pass the status code ([#2203])state_permissionto config DSL to set state file permissions ([#2238])Puma.stats_hash, which returns a stats in Hash instead of a JSON string ([#2086], [#2253])rack.multithreadandrack.multiprocessnow dynamically resolved bymax_threadandworkersrespectively ([#2288])Deprecations, Removals and Breaking API Changes
--controlhas been removed. Use--control-url([#1487])worker_directoryhas been removed. Usedirectory.preload_app!is on by default if number of workers > 1 and set viaWEB_CONCURRENCY([#2143])tcp_modehas been removed without replacement. ([#2169])environmentis read fromRAILS_ENV, ifRACK_ENVcan't be found ([#2022])Bugfixes
BUNDLE_GEMFILEenv var when usingprune_bundler([#1893])BUNDLE_GEMFILEis unspecified in workers if unspecified in master when usingprune_bundler([#2154])Connection: closedheader when queue requests is disabled ([#2216])out_of_bandhook never executed if the number of worker threads is > 1 ([#2177])UserFileDefaultOptions#fetchto properly usedefault([#2233])out_of_bandhook ([#2234])CONTENT_LENGTHfor chunked requests ([#2287])ClassNotFoundexception when using MiniSSL with Java8.prune_bundler([#2319]).Refactor
Configuration.random_tokenand remove insecure fallback ([#2102])Runner#start_controlURL parsing ([#2111])Rack::Handler::Puma.runto use**options([#2189])v4.3.12Compare Source
v4.3.11Compare Source
v4.3.10Compare Source
v4.3.9Compare Source
v4.3.8Compare Source
v4.3.7Compare Source
v4.3.6Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.