🚨 [security] Update puma: 5.5.2 → 5.6.4 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ puma (5.5.2 → 5.6.4) · Repo · Changelog

Security Advisories 🚨

🚨 Information Exposure with Puma when used with Rails

Impact

Prior to puma version 5.6.2, puma may not always call
close on the response body. Rails, prior to version 7.0.2.2, depended on the
response body being closed in order for its CurrentAttributes implementation to
work correctly.

From Rails:

Under certain circumstances response bodies will not be closed, for example
a bug in a webserver[1] or a bug in a Rack middleware. In the event a
response is not notified of a close, ActionDispatch::Executor will not know
to reset thread local state for the next request. This can lead to data
being leaked to subsequent requests, especially when interacting with
ActiveSupport::CurrentAttributes.

The combination of these two behaviors (Puma not closing the body + Rails'
Executor implementation) causes information leakage.

Patches

This problem is fixed in Puma versions 5.6.2 and 4.3.11.

This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

See: GHSA-wh98-p28r-vrc9
for details about the rails vulnerability

Upgrading to a patched Rails or Puma version fixes the vulnerability.

Workarounds

Upgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

The Rails CVE
includes a middleware that can be used instead.

Release Notes

5.6.4

• Security
  • Close several HTTP Request Smuggling exploits (CVE-2022-24790)

The 5.6.3 release was a mistake (released the wrong branch), 5.6.4 is correct.

5.6.2

5.6.2 / 2022-02-11

• Bugfix/Security
  • Response body will always be closed. (GHSA-rmj8-8hhh-gv5h, related to [#2809])

5.6.1

Bugfixes

• Reverted a commit which appeared to be causing occasional blank header values (see issue #2808) (#2809)

Full Changelog: v5.6.0...v5.6.1

5.6.0

Maintainer @nateberkopec had a daughter, nicknamed Birdie:

5.6.0 / 2022-01-25

• Features

  • Support localhost integration in ssl_bind ([#2764], [#2708])
  • Allow backlog parameter to be set with ssl_bind DSL ([#2780])
  • Remove yaml (psych) requirement in StateFile ([#2784])
  • Allow culling of oldest workers, previously was only youngest ([#2773], [#2794])
  • Add worker_check_interval configuration option ([#2759])
  • Always send lowlevel_error response to client ([#2731], [#2341])
  • Support for cert_pem and key_pem with ssl_bind DSL ([#2728])

• Bugfixes

  • Keep thread names under 15 characters, prevents breakage on some OSes ([#2733])
  • Fix two 'old-style-definition' compile warning ([#2807], [#2806])
  • Log environment correctly using option value ([#2799])
  • Fix warning from Ruby master (will be 3.2.0) ([#2785])
  • extconf.rb - fix openssl with old Windows builds ([#2757])
  • server.rb - rescue handling (Errno::EBADF) for @notify.close ([#2745])

• Refactor

  • server.rb - refactor code using @options[:remote_address] ([#2742])
  • [jruby] a couple refactorings - avoid copy-ing bytes ([#2730])

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 60 commits:

• 5.6.4
• 5.6.3
• Merge pull request from GHSA-h99w-9q5r-gjq9
• 5.6.2 (#2821)
• 2.6.1
• Revert "Always send lowlevel_error response to client (#2731)" (#2809)
• 5.6.0
• Fix two 'old-style-definition' compile warning (#2807)
• Fix typo in CONTRIBUTING (#2805)
• CONTRIBUTING: file limits
• Updates for OpenSSL 3 (#2800)
• Log environment using option value (#2799)
• Adds a --silent option to the CLI (#2803)
• Support `localhost` integration in `ssl_bind` (#2764)
• Use Ruby 3.1 in our Dockerfile (#2802)
• [CI] Update actions, fix intermittent test error (#2801)
• In fork_worker mode, worker_culling_strategy "oldest" shouldn't cull worker 0 (#2794)
• Process.respond_to?(:fork) is already defined as Puma.forkable?, so let's use it (#2793)
• Cleanup: Add WorkerHandle#term! method to remove usage of instance_variable_set (#2792)
• Fix warning from Ruby master (will be 3.2.0) (#2785)
• Allow backlog parameter to be set with ssl_bind DSL (#2780)
• Remove yaml (psych) requirement in StateFile (#2784)
• Allow culling of oldest workers, previously was only youngest (#2773)
• note about on_worker_boot behavior when app is not preloaded (#2778)
• Fix indentation in Worker class (#2781)
• CI: Add Ruby 3.1 (#2782)
• Bump RuboCop to work with newer Psych versions (#2783)
• revert portion of fa178f3c82 due to 65a821aa7e test_config.rb
• Revert "Add ability to specify custom logger (#2725)" (#2769)
• [CI] Remove the t3-pid file after tests
• Revise Actions workflows (#2766)
• [CI] fix fa178f3 - test_thread_pool.rb - don't work on 3 branches at once
• [CI] test_thread_pool.rb and test_config.rb fixes
• Add ability to specify custom logger (#2725)
• server.rb - refactor code using @options[:remote_address] (#2742)
• Keep thread names under 15 characters (#2733)
• tests: add `TEST_CASE_TIMEOUT` (#2765)
• Add worker_check_interval configuration option (#2759)
• [CI] Fix intermittent integration test failures/errors (#2751)
• Fix confusing comment typo [ci skip] (#2761)
• Add SIGINFO to documentation (#2762)
• [CI] OpenSSL 3.0 - Fix error message in test_verify_fail_if_client_unknown_ca (#2760)
• extconf.rb - fix openssl with old Windows builds (#2757)
• Use correct paths in test/config/ssl_config.rb (#2750)
• Rescue `Errno::EBADF` in `Client#close` (#2748)
• server.rb - rescue handling (`Errno::EBADF`) for `@notify.close` (#2745)
• CI: integration.rb - allow for nil in wait_for_server_to_boot (#2747)
• Fix Timeout Errors when reading responses (#2746)
• test_http11: make `Digest`use thread-safe (#2744)
• Always send lowlevel_error response to client (#2731)
• CI - itermittent fix and RuboCop (#2741)
• [jruby] a couple refactorings - avoid copy-ing bytes (#2730)
• Support for cert_pem and key_pem with ssl_bind DSL (#2728)
• Try to fix intermittent CI issues (#2739)
• Do not run rubocop on non-CRuby (#2737)
• Temporarily remove calls [ci skip]
• Fix check for #append_cflags (#2736)
• Fix TruffleRuby compile failure (#2732)
• Update History.md
• 4.3.10 release note

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.

[depfu]

Closed in favor of #224.