🚨 [security] Update puma 6.4.0 → 6.4.2 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ puma (6.4.0 → 6.4.2) · Repo · Changelog

Security Advisories 🚨

🚨 Puma HTTP Request/Response Smuggling vulnerability

Impact

Prior to versions 6.4.2 and 5.6.8, puma exhibited incorrect
behavior when parsing chunked transfer encoding bodies in a
way that allowed HTTP request smuggling.

Fixed versions limit the size of chunk extensions. Without this
limit, an attacker could cause unbounded resource (CPU, network
bandwidth) consumption.

Patches

The vulnerability has been fixed in 6.4.2 and 5.6.8.

Workarounds

No known workarounds.

References

• HTTP Request Smuggling
• Open an issue in Puma
• See our security policy

Release Notes

6.4.2 (from changelog)

• Security
  • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

6.4.1

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI ([#3256])
  • Fix idle-timeout not working in cluster mode ([#3235], [#3228], [#3282], [#3283])
  • Fix worker 0 timing out during phased restart ([#3225], [#2786])
  • context_builder.rb - require openssl if verify_mode != 'none' ([#3179])
  • Make puma cluster process suitable as PID 1 ([#3255])
  • Improve Puma::NullIO consistency with real IO ([#3276])
  • extconf.rb - fixup to detect openssl info in Ruby build ([#3271], [#3266])
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation ([#3270])
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set ([#3265], [#3264])

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 ([#3254])
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed ([#3245])
  • fix define_method calls, use Symbol parameter instead of String ([#3293])

• Docs

  • README.md - add the puma-acme plugin ([#3301])
  • Remove --keep-file-descriptors flag from systemd docs ([#3248])
  • Note symlink mechanism in restart documentation for hot restart ([#3298])

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 48 commits:

• 5.6.8 and 6.4.2
• 6.4.2
• Merge pull request from GHSA-c2f4-cvqm-65w2
• 6.4.1 version tick!
• 6.4.1
• [Fix #3282] `idle-timeout` not waiting on all workers in cluster mode (#3283)
• README.md - add the puma-acme plugin (#3301)
• [CI] Change all workflow file extensions to '.yml' (#3300)
• [CI] Add Ruby 3.3, use 'rubygems: latest' in tests.yaml MRI (#3299)
• Note symlink mechanism in restart documentation for hot restart (#3298)
• ragel.yml - remove Windows due to incorrect line directives (#3294)
• Bump actions/upload-artifact from 3 to 4 (#3291)
• fix define_method calls, use Symbol parameter instead of String (#3293)
• Fix Calendly link in CONTRIBUTING (#3292)
• Update nate calendar link
• configuration.rb - move dsl require back to top (#3288)
• mini_ssl.c - fix TruffleRuby compile error (#3289)
• test_null_io.rb - fix up for Ruby 2.4, TruffleRuby (#3279)
• Improve Puma::NullIO consistency with real IO (#3276)
• extconf.rb - fixup to detect openssl info in Ruby build (#3271)
• MiniSSL.java - set serialVersionUID, fix RaiseException deprecation (#3270)
• Use test_runner for tests (#3268)
• ragel.yml - use bundle exec rake instead of rake (#3269)
• dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (#3265)
• Bump fkirc/skip-duplicate-actions from 5.3.0 to 5.3.1 (#3263)
• Make puma cluster process suitable as PID 1 (#3255)
• [CI] Fix macOS TruffleRuby SSL compile (#3259)
• DSL#warn_if_in_single_mode - fixup when workers set via CLI (#3256)
• Fix TestPuma::HOST4 (#3254)
• test_puma_server_ssl.rb - add Errno::ECONNABORTED to assert_ssl_client_error_match (#3252)
• Remove `--keep-file-descriptors` flag from systemd docs (#3248)
• [CI] test.yaml 'NON-MRI: ubuntu-22.04 jruby no SSL' test timeout (#3249)
• [C] test framework update (#3246)
• [Fix #3228] `idle-timeout` not working in cluster mode (#3235)
• [CI] test_puma_localhost_authority.rb - use PumaSocket, remove net/http (#3244)
• [CI] test_puma_server_ssl.rb - use PumaSocket, remove net/http (#3243)
• [CI] test_cli.rb - use PumaSocket (#3242)
• Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed (#3245)
• test_pumactl.rb - use port 0 on server, misc (#3239)
• [CI] test_rack_handler.rb - fix test ensure when skipped (#3240)
• [CI] - move test_control_gc_stats_* from test_cli.rb to test_integration_pumactl.rb, misc (#3237)
• Fixup macOS detection (#3238)
• [Fix #2786] Worker 0 timing out during phased restart (#3225)
• integration.rb - less blocking in wait_for_server_to_* methods (#3233)
• context_builder.rb - require openssl if verify_mode != 'none' (#3179)
• dsl.rb - fix white space for RuboCop, see 7a0e0c2763 (#3230)
• Expand documentation for on_thread_start and on_thread_exit. Close #3229
• Update kubernetes.md [ci skip]

↗️ nio4r (indirect, 2.5.9 → 2.7.0) · Repo · Changelog

Release Notes

2.7.0

What's Changed

• Fix changelog_uri in gemspec metadata by @MaximeD in #303
• Fix license by @voxik in #309
• Convert NIO objects to TypedData API by @casperisfine in #310

New Contributors

• @MaximeD made their first contribution in #303
• @voxik made their first contribution in #309
• @casperisfine made their first contribution in #310

Full Changelog: v2.6.1...v2.7.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

• Bump minor version.
• For some reason, I had to add `bake` as a direct dependency.
• Update changes.
• Convert NIO objects to TypedData API (#310)
• Fix license (#309)
• Fix changelog_uri in gemspec metadata (#303)
• Disable `bake-modernize` as it's not supported on Ruby v2.4.
• Bump patch version.
• Update copyrights/license & funding URI.
• Add bake-gem and bake-modernize for maintenance tasks.
• Don't update `io` which is subsequently stored. Retain the original. (#306)
• Resolve issue loading both nio and nio4r gems (#302)
• Avoid direct access to IO internals. (#301)
• Update changes.
• Remove codeql as it seems tricky to use without extra research.
• Prefer lower case.
• Create codeql.yml
• Fix conversion loses int precision using SIZET2NUM. (#297)
• Add more notes for building jruby package.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (b80ceab) 100.00% compared to head (9db20eb) 100.00%.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #313   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           45        45           
  Lines          616       616           
=========================================
  Hits           616       616           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.