🚨 [security] [ruby] Update puma 5.6.7 → 6.4.1 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ puma (5.6.7 → 6.4.1) · Repo · Changelog

Security Advisories 🚨

🚨 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory:

• Incorrect parsing of trailing fields in chunked transfer encoding bodies
• Parsing of blank/zero-length Content-Length headers\r\n

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

🚨 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory:

• Incorrect parsing of trailing fields in chunked transfer encoding bodies
• Parsing of blank/zero-length Content-Length headers\r\n

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

Release Notes

6.4.1 (from changelog)

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI (#3256)
  • Fix idle-timeout not working in cluster mode (#3235, #3228, #3282, #3283)
  • Fix worker 0 timing out during phased restart (#3225, #2786)
  • context_builder.rb - require openssl if verify_mode != 'none' (#3179)
  • Make puma cluster process suitable as PID 1 (#3255)
  • Improve Puma::NullIO consistency with real IO (#3276)
  • extconf.rb - fixup to detect openssl info in Ruby build (#3271, #3266)
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation (#3270)
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (#3265, #3264)

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 (#3254)
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed (#3245)
  • fix define_method calls, use Symbol parameter instead of String (#3293)

• Docs

  • README.md - add the puma-acme plugin (#3301)
  • Remove --keep-file-descriptors flag from systemd docs (#3248)
  • Note symlink mechanism in restart documentation for hot restart (#3298)

6.4.0

America is #1 in professional cycling, baby!

• Features

  • on_thread_exit hook ([#2920])
  • on_thread_start_hook ([#3195])
  • Shutdown on idle ([#3209], [#2580])
  • New error message when control server port taken ([#3204])

• Refactor

  • Remove Forwardable dependency ([#3191], #3190)
  • Update URLMap Regexp usage for Ruby v3.3 ([#3165])

• Bugfixes

  • Bring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. ([#3174])
  • Fix using control server with IPv6 host ([#3181])
  • control_cli.rb - add require_relative 'log_writer' ([#3187])
  • Fix cases where fallback Rack response wasn't sent to the client ([#3094])

6.3.1

• Security
  • Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

6.3.0

Japan has 72 traditional microseasons. May 31 is the first day of 麦秋至, which means the time of the wheat/barley harvest.

• Features

  • Add dsl method supported_http_methods ([#3106], [#3014])
  • Puma error responses no longer have any fingerprints to indicate Puma ([#3161], [#3037])
  • Support decryption of SSL key ([#3133], [#3132])

• Bugfixes

  • Don't send 103 early hints response when only invalid headers are used ([#3163])
  • Handle malformed request path ([#3155], [#3148])
  • Misc lib file fixes - trapping additional errors, CI helper ([#3129])
  • Fixup req form data file upload with "r\n" line endings ([#3137])
  • Restore rack 1.6 compatibility ([#3156])

• Refactor

  • const.rb - Update Puma::HTTP_STATUS_CODES ([#3162])
  • Clarify Reactor#initialize ([#3151])

New Contributors

• @severin made their first contribution in #3156

Full Changelog: v6.2.2...v6.3.0

6.2.2

• Bugfixes
  • Fix Rack-related NameError by adding :: operator ([#3118], [#3117])

6.2.1

6.2.1 / 2023-03-31

• Bugfixes
  • Fix java 8 compatibility ([#3109], [#3108])
  • Always write io_buffer when in "enum bodies" branch. ([#3113], [#3112])
  • Fix warn_if_in_single_mode incorrect message ([#3111])

6.2.0

Pat Metheny Group - Speaking of Now

• Features

  • Ability to supply a custom logger ([#2770], [#2511])
  • Warn when clustered-only hooks are defined in single mode ([#3089])
  • Adds the on_booted event ([#2709])

• Bugfixes

  • Loggers - internal_write - catch Errno::EINVAL ([#3091])
  • commonlogger.rb - fix HIJACK time format, use constants, not strings ([#3074])
  • Fixed some edge cases regarding request hijacking ([#3072])

6.1.1

• Bugfixes
  • We no longer try to use the systemd plugin for JRuby ([#3079])
  • Allow ::Rack::Handler::Puma.run to work regardless of whether Rack/Rackup are loaded ([#3080])

6.1.0

• Features

  • WebSocket support via partial hijack ([#3058], [#3007])
  • Add built-in systemd notify support ([#3011])
  • Periodically send status to systemd ([#3006], [#2604])
  • Introduce the ability to return 413: payload too large for requests ([#3040])
  • Log loaded extensions when PUMA_DEBUG is set ([#3036], [#3020])

• Bugfixes

  • Fix issue with rack 3 compatibility re: rackup ([#3061], [#3057])
  • Allow setting TCP low_latency with SSL listener ([#3065])

• Performance

  • Reduce memory usage for large file uploads ([#3062])

6.0.2

6.0.2 / 2023-01-01

• Refactor
  • Remove use of etc and time gems in Puma ([#3035], [#3033])
  • Refactor const.rb - freeze ([#3016])

6.0.1

6.0.1 / 2022-12-20

• Bugfixes
  • Handle waking up a closed selector in Reactor#add ([#3005])
  • Fixup response processing, enumerable bodies ([#3004], [#3000])
  • Correctly close app body for all code paths ([#3002], [#2999])
• Refactor
  • Add IOBuffer to Client, remove from ThreadPool thread instances ([#3013])

Full Changelog: v6.0.0...v6.0.1

6.0.0 (from changelog)

• Breaking Changes

  • Dropping Ruby 2.2 and 2.3 support (now 2.4+) (#2919)
  • Remote_addr functionality has changed (#2652, #2653)
  • No longer supporting Java 1.7 or below (JRuby 9.1 was the last release to support this) (#2849)
  • Remove nakayoshi GC (#2933, #2925)
  • wait_for_less_busy_worker is now default on (#2940)
  • Prefix all environment variables with PUMA_ (#2924, #2853)
  • Removed some constants (#2957, #2958, #2959, #2960)
  • The following classes are now part of Puma's private API: Client, Cluster::Worker, Cluster::Worker, HandleRequest. (#2988)
  • Configuration constants like DefaultRackup removed (#2928)

• Features

  • Increase throughput on large (100kb+) response bodies by 3-10x (#2896, #2892)
  • Increase throughput on file responses (#2923)
  • Add support for streaming bodies in Rack. (#2740)
  • Allow OpenSSL session reuse via a 'reuse' ssl_bind method or bind string query parameter (#2845)
  • Allow run_hooks to pass a hash to blocks for use later (#2917, #2915)
  • Allow using preload_app! with fork_worker (#2907)
  • Support request_body_wait metric with higher precision (#2953)
  • Allow header values to be arrays (Rack 3) (#2936, #2931)
  • Export Puma/Ruby versions in /stats (#2875)
  • Allow configuring request uri max length & request path max length (#2840)
  • Add a couple of public accessors (#2774)
  • Log entire backtrace when worker start fails (#2891)
  • [jruby] Enable TLSv1.3 support (#2886)
  • [jruby] support setting TLS protocols + rename ssl_cipher_list (#2899)
  • [jruby] Support a truststore option (#2849, #2904, #2884)

• Bugfixes

  • Load the configuration before passing it to the binder (#2897)
  • Do not raise error raised on HTTP methods we don't recognize or support, like CONNECT (#2932, #1441)
  • Fixed a memory leak when creating a new SSL listener (#2956)

• Refactor

  • log_writer.rb - add internal_write method (#2888)
  • [WIP] Refactor: Split out LogWriter from Events (no logic change) (#2798)
  • Extract prune_bundler code into it's own class. (#2797)
  • Refactor Launcher#run to increase readability (no logic change) (#2795)
  • Ruby 3.2 will have native IO#wait_* methods, don't require io/wait (#2903)
  • Various internal API refactorings (#2942, #2921, #2922, #2955)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)