🚨 [security] Update puma: 5.1.1 → 5.4.0 (minor)#324

Closed
depfu[bot] wants to merge 1 commit into master from depfu/update/puma-5.4.0

Conversation

depfu bot commented Jul 30, 2021


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ puma (5.1.1 → 5.4.0) · Repo · Changelog

Security Advisories 🚨

🚨 Keepalive Connections Causing Denial Of Service in puma

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.

A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using unsupported versions of Puma.

Release Notes

5.4.0

  • Features

    • Better/expanded names for threadpool threads ([#2657])
    • Allow pkg_config for OpenSSL ([#2648], [#1412])
    • Add rack_url_scheme to Puma::DSL, allows setting of rack.url_scheme header ([#2586], [#2569])
  • Bugfixes

    • Binder#parse - allow for symlinked unix path, add create_activated_fds debug ENV ([#2643], [#2638])
    • Fix deprecation warning: minissl.c - Use Random.bytes if available ([#2642])
    • Client certificates: set session id context while creating SSLContext ([#2633])
  • Refactor

    • Replace IO.select with IO#wait_* when checking a single IO ([#2666])

5.3.2 (from changelog)

  • Bugfixes
    • Gracefully handle Rack not accepting CLI options (#2630, #2626)
    • Fix sigterm misbehavior (#2629)
    • Improvements to keepalive-connection shedding (#2628)

5.3.1

  • Security
    • Close keepalive connections after the maximum number of fast inlined requests (#2625)

5.3.0

2021-05-07

Contributor @MSP-Greg codenamed this release "Sweetnighter".

  • Features

    • Add support for Linux's abstract sockets ([#2564], [#2526])
    • Add debug to worker timeout and startup ([#2559], [#2528])
    • Print warning when running one-worker cluster ([#2565], [#2534])
    • Don't close systemd activated socket on pumactl restart ([#2563], [#2504])
  • Bugfixes

    • systemd - fix event firing ([#2591], [#2572])
    • Immediately unlink temporary files ([#2613])
    • Improve parsing of HTTP_HOST header ([#2605], [#2584])
    • Handle fatal error that has no backtrace ([#2607], [#2552])
    • Fix timing out requests too early ([#2606], [#2574])
    • Handle segfault in Ruby 2.6.6 on thread-locals ([#2567], [#2566])
    • Server#closed_socket? - parameter may be a MiniSSL::Socket ([#2596])
    • Define UNPACK_TCP_STATE_FROM_TCP_INFO in the right place ([#2588], [#2556])
    • request.rb - fix chunked assembly for ascii incompatible encodings, add test ([#2585], [#2583])
  • Performance

    • Reset peerip only if remote_addr_header is set ([#2609])
    • Reduce puma_parser struct size ([#2590])
  • Refactor

    • Refactor drain on shutdown ([#2600])
    • Micro optimisations in wait_for_less_busy_worker feature ([#2579])
    • Lots of test fixes

5.2.2 (from changelog)

  • Bugfixes
    • Add #flush and #sync methods to Puma::NullIO (#2553)
    • Restore sync=true on STDOUT and STDERR streams (#2557)

5.2.1

2021-02-05

  • Bugfixes
    • Fix TCP cork/uncork operations to work with ssl clients ([#2550])
    • Require rack/common_logger explicitly if :verbose is true ([#2547])
    • MiniSSL::Socket#write - use data.byteslice(wrote..-1) ([#2543])
    • Set @env[CONTENT_LENGTH] value as string. ([#2549])

5.2.0

  • Features

    • 10x latency improvement for MRI on ssl connections by reducing overhead ([#2519])
    • Add option to specify the desired IO selector backend for libev ([#2522])
    • Add ability to set OpenSSL verification flags (MRI only) ([#2490])
    • Uses flush after writing messages to avoid mutating $stdout and $stderr using sync=true ([#2486])
  • Bugfixes

    • MiniSSL - Update dhparam to 2048 bit for use with SSL_CTX_set_tmp_dh ([#2535])
    • Change 'Goodbye!' message to be output after listeners are closed ([#2529])
    • Fix ssl bind logging with 0.0.0.0 and localhost ([#2533])
    • Fix compiler warnings, but skipped warnings related to ragel state machine generated code ([#1953])
    • Fix phased restart errors related to nio4r gem when using the Puma control server ([#2516])
    • Add #string method to Puma::NullIO ([#2520])
    • Fix binding via Rack handler to IPv6 addresses ([#2521])
  • Refactor

    • Refactor MiniSSL::Context on MRI, fix MiniSSL::Socket#write ([#2519])
    • Remove Server#read_body ([#2531])
    • Fail build if compiling extensions raises warnings on GH Actions, configurable via MAKE_WARNINGS_INTO_ERRORS ([#1953])

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.5.4 → 2.5.7) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 22 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
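
The starvation described in the advisory above, as an added example that is not part of the PR and not Puma's own code: a discrete-time toy model of a small worker pool serving keep-alive connections. Each tick, every busy worker serves one request from the connection it holds. With the greedy policy (max_fast_inline nil) a worker keeps inlining further requests from the same keep-alive client for as long as the client sends them, so a connection waiting behind two greedy clients on a two-thread pool is never served. With a cap on inlined requests, the worker hands the connection back to the queue after the cap, which bounds the wait. The scheduling rules, the scenario, the cap of 10 and all names here are assumptions of the model, not Puma's internal API or defaults.

```ruby
# Toy model of keep-alive request inlining on a fixed-size worker pool.
# Added illustration only; the scheduling rules and numbers are assumptions,
# not Puma's implementation.

Connection = Struct.new(:name, :remaining, :inlined, :first_served_at)

# connections: array of { name:, requests: } hashes in arrival order.
# max_fast_inline: nil reproduces the greedy (vulnerable) behaviour; an
# integer caps how many requests a worker inlines before requeueing.
# Returns { name => tick at which the connection first got a worker, or nil }.
def simulate(threads:, connections:, max_fast_inline: nil, ticks: 100)
  todo = connections.map { |c| Connection.new(c[:name], c[:requests], 0, nil) }
  all  = todo.dup
  busy = Array.new(threads) # one slot per worker thread, nil when idle

  ticks.times do |tick|
    # Idle workers pull the next waiting connection (FIFO accept queue).
    busy.each_index { |i| busy[i] ||= todo.shift }

    busy.each_index do |i|
      conn = busy[i]
      next if conn.nil?

      conn.first_served_at ||= tick
      conn.remaining -= 1
      conn.inlined += 1

      if conn.remaining <= 0
        busy[i] = nil                 # client finished; socket closed
      elsif max_fast_inline && conn.inlined >= max_fast_inline
        # Capped behaviour: close the keep-alive connection after the cap.
        # The client reconnects and joins the back of the queue.
        conn.inlined = 0
        busy[i] = nil
        todo << conn
      end
      # Greedy behaviour (max_fast_inline nil): the worker stays on this
      # connection until the client stops sending requests.
    end
  end

  all.to_h { |c| [c.name, c.first_served_at] }
end

# Constructed scenario: two greedy keep-alive clients arrive first and each
# pipelines far more requests than the pool can serve in the window; an
# ordinary client with a single request arrives behind them. The pool has
# exactly two threads, so the greedy clients occupy all of them.
SCENARIO = [
  { name: "greedy-1", requests: 1_000 },
  { name: "greedy-2", requests: 1_000 },
  { name: "victim",   requests: 1 },
].freeze

def vulnerable_run
  simulate(threads: 2, connections: SCENARIO, max_fast_inline: nil, ticks: 100)
end

def patched_run
  simulate(threads: 2, connections: SCENARIO, max_fast_inline: 10, ticks: 100)
end

if __FILE__ == $PROGRAM_NAME
  puts "greedy keep-alive inlining: #{vulnerable_run.inspect}"
  puts "cap of 10 inlined requests: #{patched_run.inspect}"
end
```

In the greedy run the victim's first-served tick stays nil for the whole window; with the cap it is served at tick 10, right after both greedy connections are requeued. This is the mechanism behind the 5.3.1 entry "Close keepalive connections after the maximum number of fast inlined requests"; the model does not reproduce Puma's actual timing, reactor or cluster behaviour.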


depfu bot commented Sep 20, 2021

Closed in favor of #337.

depfu bot closed this Sep 20, 2021
depfu bot deleted the depfu/update/puma-5.4.0 branch September 20, 2021 21:51