OpenTwinCities / adopt-a-tree

Beautify your street by watering a tree.
BSD 3-Clause "New" or "Revised" License

[Security] Bump capistrano3-puma and puma #410

Closed dependabot-preview[bot] closed 3 years ago

dependabot-preview[bot] commented 3 years ago

Bumps capistrano3-puma and puma. These dependencies needed to be updated together. Updates capistrano3-puma from 3.1.1 to 5.0.4

Changelog

Sourced from capistrano3-puma's changelog.

  • 5.0.4:
    • fix: puma_systemctl_user default value (#319)
  • 5.0.3:
    • Remove ExecStop from systemd unit file (#314)
    • Systemd user service manager and lingering (#307)
  • 5.0.2:
    • Single name for systemd config template
  • 5.0.1:
    • Fix #301, Task "puma:smart_restart" not found
  • 5.0.0:
    • Support puma 5.0
    • Support SystemD service manager
  • 4.0.0:
    • Support puma 4.x
  • 3.1.0:
    • Don't load puma hooks by default.
  • 3.0.0:
    • Require capistrano 3.7+
    • Implement the plugin system
    • don't fail if puma was already running
    • Added :puma_daemonize option (default is false)
  • 2.0.0:
    • Require puma 3.4+
    • Require Capistrano 3.5+
    • Require capistrano-bundler
  • 1.2.0: add support for puma user for puma user @mcb & @seuros
  • 1.1.0: Set :puma_preload_app to false; Reload Monit after uploading any monit configuration; Always refresh Gemfile @rafaelgoulart @suhailpatel @sime
  • 1.0.0: Add activate control app @askagirl
  • 0.8.5: Fix smart_restart task to check if puma preloads app
  • 0.8.4: Allow patch method (Nginx template) @lonre
  • 0.8.2: Start task creates a conf file if none exists @stevemadere
  • 0.8.1: Fixed nginx task @hnatt, support for prune_bundler @behe
  • 0.8.0: Some changes
  • 0.7.0: added Nginx template generator @dfang
  • 0.6.1: added :puma_default_hooks, you can turn off the automatic hooks by setting it false
  • 0.6.0: Remove daemonize true from default puma.rb file. Explicitly pass --daemon flag when needed.
  • 0.5.1: Added worker_timeout option
  • 0.5.0: Bugs fixes
  • 0.4.2: Fix monit template to support chruby
  • 0.4.1: Fix puma jungle (debian)
  • 0.4.0: Multi-bind support
  • 0.3.7: Dependency bug fix
  • 0.3.5: Fixed a prehistoric bug
  • 0.3.4: I don't remember what i did here
  • 0.3.3: Puma jungle start fix
  • 0.3.2: Tag option support (require puma 2.8.2+)
  • 0.3.1: Typo fix
  • 0.3.0: Initial support for puma signals

... (truncated)

Commits
  • 1868267 release 5.0.4
  • bf3548f fix: puma_systemctl_user default value (#319)
  • 133aa8e release 5.0.3
  • 212d03a Update nginx template to support X-Forwarded-Proto and remove executables fro...
  • 5a280fe Remove ExecStop from systemd unit file (#314)
  • e50096a update systemd template accept puma_service_unit_env_file and puma_se… (#315)
  • 7bb37e8 Systemd user service manager and lingering (#307)
  • d4ac7b9 Default systemd service name on multi-app host (#309)
  • e62eaf7 release 5.0.2
  • 16f160f Merge pull request #308 from skillstream/multi-apps
  • Additional commits viewable in compare view


Updates puma from 3.12.6 to 5.2.2

Release notes

Sourced from puma's releases.

5.2.1

2021-02-05

  • Bugfixes
    • Fix TCP cork/uncork operations to work with ssl clients (#2550)
    • Require rack/common_logger explicitly if :verbose is true (#2547)
    • MiniSSL::Socket#write - use data.byteslice(wrote..-1) (#2543)
    • Set @env[CONTENT_LENGTH] value as string. (#2549)

5.2.0

  • Features
    • 10x latency improvement for MRI on ssl connections by reducing overhead (#2519)
    • Add option to specify the desired IO selector backend for libev (#2522)
    • Add ability to set OpenSSL verification flags (MRI only) (#2490)
    • Uses flush after writing messages to avoid mutating $stdout and $stderr using sync=true (#2486)
  • Bugfixes
    • MiniSSL - Update dhparam to 2048 bit for use with SSL_CTX_set_tmp_dh (#2535)
    • Change 'Goodbye!' message to be output after listeners are closed (#2529)
    • Fix ssl bind logging with 0.0.0.0 and localhost (#2533)
    • Fix compiler warnings, but skipped warnings related to ragel state machine generated code (#1953)
    • Fix phased restart errors related to nio4r gem when using the Puma control server (#2516)
    • Add #string method to Puma::NullIO (#2520)
    • Fix binding via Rack handler to IPv6 addresses (#2521)
  • Refactor
    • Refactor MiniSSL::Context on MRI, fix MiniSSL::Socket#write (#2519)
    • Remove Server#read_body (#2531)
    • Fail build if compiling extensions raises warnings on GH Actions, configurable via MAKE_WARNINGS_INTO_ERRORS (#1953)

5.1.1

  • Bugfixes
    • Fix over eager matching against banned header names (#2510)

5.1.0 / 2020-11-30

  • Features
    • Phased restart availability is now always logged, even if it is not available.
    • Prints the loaded configuration if the environment variable PUMA_LOG_CONFIG is present (#2472)
    • Integrate with systemd's watchdog and notification features (#2438)
    • Adds max_fast_inline as a configuration option for the Server object (#2406)
    • You can now fork workers from worker 0 using SIGURG w/o fork_worker enabled #2449
    • Add option to bind to systemd activated sockets (#2362)
    • Add compile option to change the QUERY_STRING max length (#2485)
  • Bugfixes
    • Fix JRuby handling in Puma::DSL#ssl_bind (#2489)
    • control_cli.rb - all normal output should be to @stdout (#2487)
    • Catch 'Error in reactor loop escaped: mode not supported for this object: r' (#2477)
    • Ignore Rails' reaper thread (and any thread marked forksafe) for warning (#2475)

... (truncated)

Changelog

Sourced from puma's changelog.

5.2.2 / 2021-02-22

  • Bugfixes
    • Add #flush and #sync methods to Puma::NullIO (#2553)
    • Restore sync=true on STDOUT and STDERR streams (#2557)

5.2.1 / 2021-02-05

  • Bugfixes
    • Fix TCP cork/uncork operations to work with ssl clients (#2550)
    • Require rack/common_logger explicitly if :verbose is true (#2547)
    • MiniSSL::Socket#write - use data.byteslice(wrote..-1) (#2543)
    • Set @env[CONTENT_LENGTH] value as string. (#2549)

5.2.0 / 2021-01-27

  • Features
    • 10x latency improvement for MRI on ssl connections by reducing overhead (#2519)
    • Add option to specify the desired IO selector backend for libev (#2522)
    • Add ability to set OpenSSL verification flags (MRI only) (#2490)
    • Uses flush after writing messages to avoid mutating $stdout and $stderr using sync=true (#2486)
  • Bugfixes
    • MiniSSL - Update dhparam to 2048 bit for use with SSL_CTX_set_tmp_dh (#2535)
    • Change 'Goodbye!' message to be output after listeners are closed (#2529)
    • Fix ssl bind logging with 0.0.0.0 and localhost (#2533)
    • Fix compiler warnings, but skipped warnings related to ragel state machine generated code (#1953)
    • Fix phased restart errors related to nio4r gem when using the Puma control server (#2516)
    • Add #string method to Puma::NullIO (#2520)
    • Fix binding via Rack handler to IPv6 addresses (#2521)
  • Refactor
    • Refactor MiniSSL::Context on MRI, fix MiniSSL::Socket#write (#2519)
    • Remove Server#read_body (#2531)
    • Fail build if compiling extensions raises warnings on GH Actions, configurable via MAKE_WARNINGS_INTO_ERRORS (#1953)

5.1.1 / 2020-12-10

  • Bugfixes
    • Fix over eager matching against banned header names (#2510)

5.1.0 / 2020-11-30

  • Features
    • Phased restart availability is now always logged, even if it is not available.
    • Prints the loaded configuration if the environment variable PUMA_LOG_CONFIG is present (#2472)
    • Integrate with systemd's watchdog and notification features (#2438)
    • Adds max_fast_inline as a configuration option for the Server object (#2406)
    • You can now fork workers from worker 0 using SIGURG w/o fork_worker enabled #2449
    • Add option to bind to systemd activated sockets (#2362)

... (truncated)

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
  • `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

codecov-commenter commented 3 years ago

Codecov Report

Merging #410 (b27ddd3) into master (02affe4) will not change coverage. The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #410   +/-   ##
=======================================
  Coverage   67.27%   67.27%           
=======================================
  Files          23       23           
  Lines         272      272           
=======================================
  Hits          183      183           
  Misses         89       89           

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Powered by Codecov. Last update 02affe4...b27ddd3.

dependabot-preview[bot] commented 3 years ago

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Keepalive Connections Causing Denial Of Service in puma

This vulnerability is related to CVE-2019-16770.

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.

A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using unsupported versions of Puma.

For more information

... (truncated)

Affected versions: ["<= 4.3.7"]

dependabot-preview[bot] commented 3 years ago

Superseded by #437.