Closed dependabot-preview[bot] closed 2 years ago
We've just been alerted that this update fixes a security vulnerability:
Sourced from The GitHub Security Advisory Database.
Keepalive Connections Causing Denial Of Service in puma
This vulnerability is related to CVE-2019-16770.
Impact
The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.
A
puma
server which received more concurrentkeep-alive
connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.Patches
This problem has been fixed in
puma
4.3.8 and 5.3.1.Workarounds
Setting
queue_requests false
also fixes the issue. This is not advised when usingpuma
without a reverse proxy, such asnginx
orapache
, because you will open yourself to slow client attacks (e.g. slowloris).The fix is very small. A git patch is available here for those using unsupported versions of Puma.
For more information
... (truncated)
Affected versions: ["<= 4.3.7"]
@dependabot-bot rebase
Dependabot Preview has shut down and can no longer make changes to your Repository.
You can continue to keep your dependencies updated with GitHub-native Dependabot.
@dependabot rebase
OK, I won't notify you again about this release, but will get in touch when a new version is available.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps puma from 4.3.6 to 5.3.1.
Release notes
Sourced from puma's releases.
... (truncated)
Changelog
Sourced from puma's changelog.
... (truncated)
Commits
1c91a4f
5.3.16b4a68a
4.3.8 release notedf72887
Close keepalive connections after MAX_FAST_INLINE requests6dfb8bc
5.3.0 history (#2622)fb71323
Ignore DS_Storef7a2d4e
systemd - fix event firing (#2591)2654f02
Bump version to 5.3.0 [ci skip] (#2616)cc1768e
Few documentations fixes. [ci skip] [changelog skip] (#2619)ff17194
Refactor drain on shutdown (#2600)3e80f7c
fix some spell errors (#2615)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in the `.dependabot/config.yml` file in this repo: - Update frequency - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)