New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency puma to v4 [security] - abandoned #86
base: master
Are you sure you want to change the base?
Conversation
|
|
35fe23e
to
06cf288
Compare
⚠ Artifact update problemRenovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below: File name: Gemfile.lock
|
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠ Warning: custom changes will be lost. |
Autoclosing SkippedThis PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error. |
This PR contains the following updates:
"~> 3.7"
->"~> 4.0"
GitHub Vulnerability Alerts
CVE-2021-29509
This vulnerability is related to CVE-2019-16770.
Impact
The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.
A
puma
server which received more concurrentkeep-alive
connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.Patches
This problem has been fixed in
puma
4.3.8 and 5.3.1.Workarounds
Setting
queue_requests false
also fixes the issue. This is not advised when usingpuma
without a reverse proxy, such asnginx
orapache
, because you will open yourself to slow client attacks (e.g. slowloris).The fix is very small. A git patch is available here for those using unsupported versions of Puma.
For more information
If you have any questions or comments about this advisory:
Acknowledgements
Thank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue.
Thank you to @ioquatix for providing a modified fork of
wrk
which made debugging this issue much easier.CVE-2021-41136
Impact
Prior to
puma
version 5.5.0, usingpuma
with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as "low". Puma is only aware of a single proxy server which has this behavior.
If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.
Patches
This vulnerability was patched in Puma 5.5.1 and 4.3.9.
Workarounds
This vulnerability only affects Puma installations without any proxy in front.
Use a proxy which does not forward LF characters as line endings.
Proxies which do not forward LF characters as line endings:
Possible Breakage
If you are dealing with legacy clients that want to send
LF
as a line ending in an HTTP header, this will cause those clients to receive a400
error.References
For more information
If you have any questions or comments about this advisory:
CVE-2022-23634
Impact
Prior to
puma
version5.6.2
,puma
may not always callclose
on the response body. Rails, prior to version7.0.2.2
, depended on the response body being closed in order for itsCurrentAttributes
implementation to work correctly.From Rails:
The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.
Patches
This problem is fixed in Puma versions 5.6.2 and 4.3.11.
This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
See:
GHSA-wh98-p28r-vrc9
for details about the rails vulnerability
Upgrading to a patched Rails or Puma version fixes the vulnerability.
Workarounds
Upgrade to Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
The Rails CVE includes a middleware that can be used instead.
References
For more information
If you have any questions or comments about this advisory:
CVE-2022-24790
When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.
The following vulnerabilities are addressed by this advisory:
Transfer-Encoding
headers, when unsupported encodings should be rejected and the final encoding must bechunked
.Content-Length
headers and chunk sizes, when only digits and hex digits should be allowed.Content-Length
headers, when they should be rejected.\r\n
.The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
These proxy servers are known to have "good" behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.