8000 Update dependency puma to v4 [SECURITY] by renovate[bot] · Pull Request #18 · amleaver/piccolo · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Update dependency puma to v4 [SECURITY] #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Copy link
Contributor
@renovate renovate bot commented Sep 25, 2022

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
puma 2.13.4 -> 4.3.12 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2019-16770

Keepalive thread overload/DoS

Impact

A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack.

If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.

Patches

This vulnerability is patched in Puma 4.3.1 and 3.12.2.

Workarounds

Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.

For more information

If you have any questions or comments about this advisory:

  • Open an issue at puma.

CVE-2020-5247

In Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. CR, LF or/r, /n) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.

While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).

This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server.

This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.

CVE-2020-5249

Impact

If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.

While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).

This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses.

Patches

This has been fixed in 4.3.3 and 3.12.4.

Workarounds

Users can not allow untrusted/user input in the Early Hints response header.

For more information

If you have any questions or comments about this advisory:

CVE-2021-29509

This vulnerability is related to CVE-2019-16770.

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.

A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using unsupported versions of Puma.

For more information

If you have any questions or comments about this advisory:

Acknowledgements

Thank you to @​MSP-Greg, @​wjordan and @​evanphx for their review on this issue.

Thank you to @​ioquatix for providing a modified fork of wrk which made debugging this issue much easier.

CVE-2021-41136

Impact

Prior to puma version 5.5.0, using puma with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as "low". Puma is only aware of a single proxy server which has this behavior.

If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Patches

This vulnerability was patched in Puma 5.5.1 and 4.3.9.

Workarounds

This vulnerability only affects Puma installations without any proxy in front.

Use a proxy which does not forward LF characters as line endings.

Proxies which do not forward LF characters as line endings:

  • Nginx
  • Apache (>2.4.25)
  • Haproxy
  • Caddy
  • Traefik

Possible Breakage

If you are dealing with legacy clients that want to send LF as a line ending in an HTTP header, this will cause those clients to receive a 400 error.

References

For more information

If you have any questions or comments about this advisory:

CVE-2022-23634

Impact

Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly.

From Rails:

Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.

Patches

This problem is fixed in Puma versions 5.6.2 and 4.3.11.

This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

See:
GHSA-wh98-p28r-vrc9
for details about the rails vulnerability

Upgrading to a patched Rails or Puma version fixes the vulnerability.

Workarounds

Upgrade to Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

The Rails CVE includes a middleware that can be used instead.

References

For more information

If you have any questions or comments about this advisory:

CVE-2022-24790

When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory:

  • Lenient parsing of Transfer-Encoding headers, when unsupported encodings should be rejected and the final encoding must be chunked.
  • Lenient parsing of malformed Content-Length headers and chunk sizes, when only digits and hex digits should be allowed.
  • Lenient parsing of duplicate Content-Length headers, when they should be rejected.
  • Lenient parsing of the ending of chunked segments, when they should end with \r\n.

The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have "good" behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.

  • Nginx (latest)
  • Apache (latest)
  • Haproxy 2.5+
  • Caddy (latest)
  • Traefik (latest)

CVE-2020-11076

Impact

By using an invalid transfer-encoding header, an attacker could smuggle an HTTP response.

Originally reported by @​ZeddYu, who has our thanks for the detailed report.

Patches

The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

For more information

If you have any questions or comments about this advisory:

CVE-2020-11077

Impact

This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4.

A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Patches

The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.

For more information

If you have any questions or comments about this advisory:


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/rubygems-puma-vulnerability branch from 2683f51 to beac1f4 Compare November 20, 2022 08:34
@renovate renovate bot force-pushed the renovate/rubygems-puma-vulnerability branch from beac1f4 to 54087e8 Compare March 16, 2023 17:52
@renovate
Copy link
Contributor Author
renovate bot commented Apr 3, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock
Fetching source index from https://rubygems.org/
--- ERROR REPORT TEMPLATE -------------------------------------------------------
- What did you do?

  I ran the command `/opt/containerbase/tools/bundler/1.11.2/3.3.0/bin/bundler lock --update puma`

- What did you expect to happen?

  I expected Bundler to...

- What happened instead?

  Instead, what actually happened was...


Error details

    NoMethodError: undefined method `inflate' for module Gem
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/fetcher.rb:90:in `fetch_spec'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/remote_specification.rb:71:in `_remote_specification'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/remote_specification.rb:76:in `method_missing'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:160:in `block in __dependencies'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:157:in `each'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:157:in `__dependencies'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:112:in `activate_platform'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:275:in `block in search_for'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:275:in `each'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:275:in `search_for'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:332:in `block in verify_gemfile_dependencies_are_found!'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:330:in `each'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:330:in `verify_gemfile_dependencies_are_found!'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:199:in `start'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:183:in `resolve'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/definition.rb:198:in `resolve'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/definition.rb:137:in `specs'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/definition.rb:126:in `resolve_remotely!'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/cli/lock.rb:27:in `run'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/cli.rb:412:in `lock'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor/command.rb:27:in `run'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor/invocation.rb:126:in `invoke_command'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor.rb:359:in `dispatch'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor/base.rb:440:in `start'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/cli.rb:10:in `start'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/exe/bundler:19:in `block in <top (required)>'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/friendly_errors.rb:7:in `with_friendly_errors'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/exe/bundler:17:in `<top (required)>'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/bin/bundler:25:in `load'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/bin/bundler:25:in `<main>'

Environment

    Bundler   1.11.2
    Rubygems  3.5.3
    Ruby      3.3.0p0 (2023-12-25 revision 5124f9ac7513eb590c37717337c430cb93caa151) [x86_64-linux]
    GEM_HOME  /tmp/renovate/cache/others/bundler
    GEM_PATH  :/opt/containerbase/tools/bundler/1.11.2/3.3.0
    Git       2.43.2

Bundler settings

    github.com
      Set via BUNDLE_GITHUB__COM: "**redacted**"
--- TEMPLATE END ----------------------------------------------------------------

Unfortunately, an unexpected error occurred, and Bundler cannot continue.

First, try this link to see if there are any existing issue reports for this error:
https://github.com/bundler/bundler/search?q=undefined+method+%60inflate%27+for+module+Gem&type=Issues

If there aren't any reports for this error yet, please create copy and paste the report template above into a new issue. Don't forget to anonymize any private data! The new issue form is located at:
https://github.com/bundler/bundler/issues/new


@renovate renovate bot changed the title Update dependency puma to v4 [SECURITY] Update dependency puma to v5 [SECURITY] Aug 19, 2023
Copy link
Contributor Author
renovate bot commented May 23, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock
Fetching source index from https://rubygems.org/
--- ERROR REPORT TEMPLATE -------------------------------------------------------
- What did you do?

  I ran the command `/opt/containerbase/tools/bundler/1.11.2/3.4.2/bin/bundler lock --update puma`

- What did you expect to happen?

  I expected Bundler to...

- What happened instead?

  Instead, what actually happened was...


Error details

    NoMethodError: undefined method 'inflate' for module Gem
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/fetcher.rb:90:in 'Bundler::Fetcher#fetch_spec'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/remote_specification.rb:71:in 'Bundler::RemoteSpecification#_remote_specification'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/remote_specification.rb:76:in 'Bundler::RemoteSpecification#method_missing'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:160:in 'block in Bundler::Resolver::SpecGroup#__dependencies'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:157:in 'Array#each'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:157:in 'Bundler::Resolver::SpecGroup#__dependencies'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:112:in 'Bundler::Resolver::SpecGroup#activate_platform'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:275:in 'block in Bundler::Resolver#search_for'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:275:in 'Array#each'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:275:in 'Bundler::Resolver#search_for'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:332:in 'block in Bundler::Resolver#verify_gemfile_dependencies_are_found!'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:330:in 'Array#each'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:330:in 'Bundler::Resolver#verify_gemfile_dependencies_are_found!'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:199:in 'Bundler::Resolver#start'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/resolver.rb:183:in 'Bundler::Resolver.resolve'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/definition.rb:198:in 'Bundler::Definition#resolve'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/definition.rb:137:in 'Bundler::Definition#specs'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/definition.rb:126:in 'Bundler::Definition#resolve_remotely!'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/cli/lock.rb:27:in 'Bundler::CLI::Lock#run'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/cli.rb:412:in 'Bundler::CLI#lock'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor/command.rb:27:in 'Bundler::Thor::Command#run'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor/invocation.rb:126:in 'Bundler::Thor::Invocation#invoke_command'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor.rb:359:in 'Bundler::Thor.dispatch'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor/base.rb:440:in 'Bundler::Thor::Base::ClassMethods#start'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/cli.rb:10:in 'Bundler::CLI.start'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/exe/bundler:19:in 'block in <top (required)>'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/lib/bundler/friendly_errors.rb:7:in 'Bundler.with_friendly_errors'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/gems/bundler-1.11.2/exe/bundler:17:in '<top (required)>'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/bin/bundler:25:in 'Kernel#load'
      /opt/containerbase/tools/bundler/1.11.2/3.4.2/bin/bundler:25:in '<main>'

Environment

    Bundler   1.11.2
    Rubygems  3.6.2
    Ruby      3.4.2p28 (2025-02-15 revision d2930f8e7a5db8a7337fa43370940381b420cc3e) [x86_64-linux]
    GEM_HOME  /runner/cache/others/bundler
    GEM_PATH  :/opt/containerbase/tools/bundler/1.11.2/3.4.2
    Git       2.49.0

Bundler settings

    github.com
      Set via BUNDLE_GITHUB__COM: "**redacted**"
--- TEMPLATE END ----------------------------------------------------------------

Unfortunately, an unexpected error occurred, and Bundler cannot continue.

First, try this link to see if there are any existing issue reports for this error:
https://github.com/bundler/bundler/search?q=undefined+method+%27inflate%27+for+module+Gem&type=Issues

If there aren't any reports for this error yet, please create copy and paste the report template above into a new issue. Don't forget to anonymize any private data! The new issue form is located at:
https://github.com/bundler/bundler/issues/new


@renovate renovate bot changed the title Update dependency puma to v5 [SECURITY] Update dependency puma to v4 [SECURITY] Aug 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants
0