🚨 [security] [ruby] Update puma 6.4.0 → 6.6.0 (minor)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ puma (6.4.0 → 6.6.0) · Repo · Changelog

Security Advisories 🚨

🚨 Puma's header normalization allows for client to clobber proxy set headers

Impact

Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.

Patches

v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.

Workarounds

Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level.

Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.

🚨 Puma HTTP Request/Response Smuggling vulnerability

Impact

Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.

Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.

Patches

The vulnerability has been fixed in 6.4.2 and 5.6.8.

Workarounds

No known workarounds.

References

• HTTP Request Smuggling
• Open an issue in Puma
• See our security policy

Release Notes

6.6.0

Some stuff for JRuby users (SIGUSR2 trap), reforkers (see below), and a few debug/logging/observability related goodies.

• Features

  • Option to turn off SIGUSR2 trapping ([#3570], [#3567])
  • Shorten ThreadPool trimmer and reaper thread names ([#3383])
  • Add after_refork hook ([#3386])
  • Add busy threads stat ([#3517])
  • Add a debug log before running each type of hook ([#3375])
  • Allow alternative schemes in Binder ([#3348], [#3302])
  • Avoid spawning Threadpool#trim thread if pool size is fixed ([#3384])

• Bugfixes

  • Change HttpParserError to be subclass of StandardError ([#3590], [#3552])
  • added test cases
  • fix update phased restart symlink folder

• Performance

  • Only ping worker 0 during phased restart if using fork worker ([#3568])

• Refactor

  • Fix multi-delimiter split to get status app token ([#3505])
  • Change ping to use const ([#3595])
  • Fixup use of Puma::Const::PipeRequest constants ([#3565])
  • Update DSL hook processing logic to be consistent ([#3376])

6.5.0

They say good things come to wait, and you've all had to wait a long time for 6.5.0 because @nateberkopec had another daughter: Sky!

• Features

  • Print RUBY_DESCRIPTION when Puma starts ([#3407])
  • Set the worker process count automatically when using WEB_CONCURRENCY=auto ([#3439], [#3437])
  • Mark as ractor-safe ([#3486], [#3422])
  • Add option enable_keep_alive. true mimics existing behavior, but now can use false to disable keepalive to reduce queue tail latency ([#3496])
  • Add parameters to Puma methods to allow CI to change ENV in isolation ([#3485])
  • Add ssl_ciphersuites option for TLSv1.3 ciphers ([#3359], [#3343])
  • You can now use --threads 5 or threads 5 to config max/min threads with a single number (used to need to say 5:5) ([#3309])
  • Option to turn off systemd plugin ([#3425], [#3424])
  • Add on_stopped hook ([#3411], [#3380])

• Bugfixes

  • Handle blank environment variables when loading config ([#3539])
  • lib/rack/handler/puma.rb - fix for rackup v1.0.1, adjust Gemfile ([#3532], [#3531])
  • null_io.rb - add external_encoding, set_encoding, binmode, binmode? ([#3214])
  • Implement NullIO#seek and #pos to mimic IO ([#3468])
  • add support in rack handler & fix regression in binder for linux abstract namespace sockets ([#3508])
  • Use actual thread local for Puma::Server.current. ([#3360])
  • client.rb - fix request chunked body handling ([#3338], [#3337])
  • Properly handle two requests seen in the initial buffer ([#3332])
  • Fix response repeated status line when request is invalid or errors are raised ([#3308], [#3307])
  • Fix child processes not being reaped when Process.detach used ([#3314], [#3313])

• JRuby

  • Make HTTP length constants configurable ([#3518])
  • Fixup jruby_restart.rb & launcher.rb to work with ARM64 macOS JRuby ([#3467])

• Performance

  • Avoid checking if all workers reached timeout unless idle timeout is configured ([#3341])
  • Request body - increase read size to 64 kB ([#3548])
  • single mode skip wait_for_less_busy_worker ([#3325])

• Refactor

  • A ton of CI/test improvements by @MSP-Greg, as usual.
  • Add ThreadPool#stats and adjust Server#stats to use it ([#3527])
  • normalize whitespace in worker stats string ([#3513])
  • rack/handler/puma.rb - ssl - use start_with?, add test ([#3510])
  • extconf.rb - add logging for OpenSSL versions ([#3370])
  • Lazily require Puma::Rack::Builder ([#3340])
  • Refactor: Constantize worker pipe request types ([#3318])

• Docs

  • stats.md improvements ([#3514])
  • control_cli.rb: Harmonize help message with bin/puma ([#3434])
  • dsl.rb: Clarify a callback's argument ([#3435])
  • lib/rack/handler/puma.rb - relocate and fixup module comment ([#3495])

6.4.3

• Security
  • Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (CVE-2024-45614/GHSA-9hf4-67fc-4vf4)

6.4.2 (from changelog)

• Security
  • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

6.4.1

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI ([#3256])
  • Fix idle-timeout not working in cluster mode ([#3235], [#3228], [#3282], [#3283])
  • Fix worker 0 timing out during phased restart ([#3225], [#2786])
  • context_builder.rb - require openssl if verify_mode != 'none' ([#3179])
  • Make puma cluster process suitable as PID 1 ([#3255])
  • Improve Puma::NullIO consistency with real IO ([#3276])
  • extconf.rb - fixup to detect openssl info in Ruby build ([#3271], [#3266])
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation ([#3270])
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set ([#3265], [#3264])

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 ([#3254])
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed ([#3245])
  • fix define_method calls, use Symbol parameter instead of String ([#3293])

• Docs

  • README.md - add the puma-acme plugin ([#3301])
  • Remove --keep-file-descriptors flag from systemd docs ([#3248])
  • Note symlink mechanism in restart documentation for hot restart ([#3298])

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.7.3 → 2.7.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Bump patch version.
• Mark as ractor-safe (#320)
• Update CI matrix. (#321)
• JRuby supports Java 8 and higher. Need to emit Java 8 classfile format (#317)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)