🚨 [security] Update puma: 4.3.5 → 6.1.0 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ puma (4.3.5 → 6.1.0) · Repo · Changelog

Security Advisories 🚨

🚨 HTTP Request Smuggling in puma

Impact

When using Puma behind a proxy that does not properly validate that the
incoming HTTP request matches the RFC7230 standard, Puma and the frontend
proxy may disagree on where a request starts and ends. This would allow
requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory:

• Lenient parsing of Transfer-Encoding headers, when unsupported encodings
  should be rejected and the final encoding must be chunked.
• Lenient parsing of malformed Content-Length headers and chunk sizes, when
  only digits and hex digits should be allowed.
• Lenient parsing of duplicate Content-Length headers, when they should be
  rejected.
• Lenient parsing of the ending of chunked segments, when they should end
  with \r\n.

Patches

The vulnerability has been fixed in 5.6.4 and 4.3.12.

Workarounds

When deploying a proxy in front of Puma, turning on any and all functionality
to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have "good" behavior re: this standard and
upgrading Puma may not be necessary. Users are encouraged to validate for
themselves.

• Nginx (latest)
• Apache (latest)
• Haproxy 2.5+
• Caddy (latest)
• Traefik (latest)

References

HTTP Request Smuggling

🚨 HTTP Request Smuggling in puma

Impact

When using Puma behind a proxy that does not properly validate that the
incoming HTTP request matches the RFC7230 standard, Puma and the frontend
proxy may disagree on where a request starts and ends. This would allow
requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory:

• Lenient parsing of Transfer-Encoding headers, when unsupported encodings
  should be rejected and the final encoding must be chunked.
• Lenient parsing of malformed Content-Length headers and chunk sizes, when
  only digits and hex digits should be allowed.
• Lenient parsing of duplicate Content-Length headers, when they should be
  rejected.
• Lenient parsing of the ending of chunked segments, when they should end
  with \r\n.

Patches

The vulnerability has been fixed in 5.6.4 and 4.3.12.

Workarounds

When deploying a proxy in front of Puma, turning on any and all functionality
to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have "good" behavior re: this standard and
upgrading Puma may not be necessary. Users are encouraged to validate for
themselves.

• Nginx (latest)
• Apache (latest)
• Haproxy 2.5+
• Caddy (latest)
• Traefik (latest)

References

HTTP Request Smuggling

🚨 Information Exposure with Puma when used with Rails

Impact

Prior to puma version 5.6.2, puma may not always call
close on the response body. Rails, prior to version 7.0.2.2, depended on the
response body being closed in order for its CurrentAttributes implementation to
work correctly.

From Rails:

Under certain circumstances response bodies will not be closed, for example
a bug in a webserver[1] or a bug in a Rack middleware. In the event a
response is not notified of a close, ActionDispatch::Executor will not know
to reset thread local state for the next request. This can lead to data
being leaked to subsequent requests, especially when interacting with
ActiveSupport::CurrentAttributes.

The combination of these two behaviors (Puma not closing the body + Rails'
Executor implementation) causes information leakage.

Patches

This problem is fixed in Puma versions 5.6.2 and 4.3.11.

This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

See: GHSA-wh98-p28r-vrc9
for details about the rails vulnerability

Upgrading to a patched Rails or Puma version fixes the vulnerability.

Workarounds

Upgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

The Rails CVE
includes a middleware that can be used instead.

🚨 Information Exposure with Puma when used with Rails

Impact

Prior to puma version 5.6.2, puma may not always call
close on the response body. Rails, prior to version 7.0.2.2, depended on the
response body being closed in order for its CurrentAttributes implementation to
work correctly.

From Rails:

Under certain circumstances response bodies will not be closed, for example
a bug in a webserver[1] or a bug in a Rack middleware. In the event a
response is not notified of a close, ActionDispatch::Executor will not know
to reset thread local state for the next request. This can lead to data
being leaked to subsequent requests, especially when interacting with
ActiveSupport::CurrentAttributes.

The combination of these two behaviors (Puma not closing the body + Rails'
Executor implementation) causes information leakage.

Patches

This problem is fixed in Puma versions 5.6.2 and 4.3.11.

This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

See: GHSA-wh98-p28r-vrc9
for details about the rails vulnerability

Upgrading to a patched Rails or Puma version fixes the vulnerability.

Workarounds

Upgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

The Rails CVE
includes a middleware that can be used instead.

🚨 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma

Impact

Prior to puma version 5.5.0, using puma with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as "low". Puma is only aware of a single proxy server which has this behavior.

If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Patches

This vulnerability was patched in Puma 5.5.1 and 4.3.9.

Workarounds

This vulnerability only affects Puma installations without any proxy in front.

Use a proxy which does not forward LF characters as line endings.

Proxies which do not forward LF characters as line endings:

• Nginx
• Apache (>2.4.25)
• Haproxy
• Caddy
• Traefik

Possible Breakage

If you are dealing with legacy clients that want to send LF as a line ending in an HTTP header, this will cause those clients to receive a 400 error.

References

• HTTP Request Smuggling

🚨 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma

Impact

Prior to puma version 5.5.0, using puma with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as "low". Puma is only aware of a single proxy server which has this behavior.

If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Patches

This vulnerability was patched in Puma 5.5.1 and 4.3.9.

Workarounds

This vulnerability only affects Puma installations without any proxy in front.

Use a proxy which does not forward LF characters as line endings.

Proxies which do not forward LF characters as line endings:

• Nginx
• Apache (>2.4.25)
• Haproxy
• Caddy
• Traefik

Possible Breakage

If you are dealing with legacy clients that want to send LF as a line ending in an HTTP header, this will cause those clients to receive a 400 error.

References

• HTTP Request Smuggling

🚨 Keepalive Connections Causing Denial Of Service in puma

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected
existing connections that had already been accepted from having their
requests starved by greedy persistent-connections saturating all threads in
the same process. However, new connections may still be starved by greedy
persistent-connections saturating all threads in all processes in the
cluster.

A puma server which received more concurrent keep-alive connections than the
server had threads in its threadpool would service only a subset of
connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when
using puma without a reverse proxy, such as nginx or apache, because you will
open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using
unsupported versions of Puma.

🚨 Keepalive Connections Causing Denial Of Service in puma

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected
existing connections that had already been accepted from having their
requests starved by greedy persistent-connections saturating all threads in
the same process. However, new connections may still be starved by greedy
persistent-connections saturating all threads in all processes in the
cluster.

A puma server which received more concurrent keep-alive connections than the
server had threads in its threadpool would service only a subset of
connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when
using puma without a reverse proxy, such as nginx or apache, because you will
open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using
unsupported versions of Puma.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.5.2 → 2.5.8) · Repo · Changelog

Release Notes

2.5.4 (from changelog)

• #251 Intermittent SEGV during GC. (@boazsegev)

2.5.3 (from changelog)

• #241 Possible bug with Ruby >= 2.7.0 and GC.compact. (@boazsegev)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 75 commits:

• Bump patch version.
• Remove guard from Gemfile.
• Fix incorrect return types. Fixes #275.
• Patch version bump.
• Allow usage of native extension by default.
• Don't try to link universal extension.
• Patch version bump.
• Suggest kqueue on OSX if >= 10.12.2
• Avoid requiring linux kernel headers to be present
• CI: Remove the macos-11.0 target, for now
• CHANGES.md: add v2.5.5
• Patch version bump.
• Be more explicit with why `pure?` is being used.
• Workaround for ARM-based macOS bundled Ruby
• Allow pure Ruby and Java NIO::Selector to be initialized with nil
• Declare linuxaio and io_uring experimental
• linuxaio is actually only supported on linux kernel 4.19+
• Define EV_USE_IOURING if header is present
• Patch libev and add support for linuxaio and io_uring
• Upgrade libev to verion 4.33
• Add ruby 3.0 to the README
• Add ruby 3.0 to the CI pipeline
• Actions - add MRI head/master for Ubuntu & macOS
• Update Actions workflow - OS changes & additions
• Fix javac -Xlint warnings
• Prepare for v2.5.4 release.
• Remove unneeded assertions.
• Update ext/nio4r/monitor.c
• replace `if` with assert, keep memory init.
• actually, initialize the whole memory block to zero
• test allocation for failure and initialize memory
• Add `if` statement, even if redundant
• README.md: update build status badge
• Move `EV_STANDALONE` definition to `extconf.rb` (#250)
• Add space between control statements and brackets.
• Use clang-format to improve code consistency.
• Remove cruft from README.
• Remove ancient Guardfile.
• Bump version.
• Remove ancient appveyor config.
• Prepare CHANGES.md for next release.
• fix for #241
• Fix Actions CI for macOS
• ssl_socket_spec.rb - move require inside block
• Fixes for use when OpenSSL is not loaded
• Fix warning: Use `result.unpack1("i")` instead of `result.unpack("i").first`. (convention:Style/UnpackFirst)
• Setting 'Enabled: false' for the new cops of Rubocop
• Fix warning: Metrics/LineLength has the wrong namespace - should be Layout
• Update rubocop version to 2.4
• Fix warning: The `Lint/HandleExceptions` cop has been renamed to `Lint/SuppressedException`.
• Fix warning: The `Layout/AlignHash` cop has been renamed to `Layout/HashAlignment`
• Bumb Rubocop to 0.82.0
• Use truffleruby-head in CI
• CI: Exclude TruffleRuby on Windows
• Remove travis config and update github actions.
• Update travis configuration.
• Add ruby 2.7
• Merge pull request #234 from MSP-Greg/add-actions
• Remove redundant jobs from AppVeyor
• Remove redundant jobs from Travis
• Add Actions CI - workflow.yml
• extconf.rb - add devkit for mingw
• Fix Warning: unrecognized cop Performance/RegexpMatch found in .rubocop.yml
• Fix Lint/UnneededCopEnableDirective
• Fix Naming/RescuedExceptionsVariableName
• Fix Lint/UnneededCopEnableDirective
• disable Layout/AlignHash
• Fix Style/ExpandPathArguments
• Fix Layout/EmptyLineAfterGuardClause
• Fix Style/ExpandPathArguments
• bump rubocop to 0.74.0
• CI: Add 2.7 to the matrix
• Polish examples/echo_server.rb
• Update CHANGES.md
• Update CHANGES.md

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #420.