OpenTwinCities / adopt-a-tree

Beautify your street by watering a tree.
BSD 3-Clause "New" or "Revised" License

[Security] Bump puma and capistrano3-puma #437

Closed dependabot-preview[bot] closed 3 years ago

dependabot-preview[bot] commented 3 years ago

Bumps puma and capistrano3-puma. These dependencies needed to be updated together. Updates puma from 3.12.6 to 5.3.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Keepalive Connections Causing Denial Of Service in puma

This vulnerability is related to CVE-2019-16770.

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.

A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using unsupported versions of Puma.

For more information

... (truncated)

Affected versions: <= 4.3.7

Release notes

Sourced from puma's releases.

5.3.1

  • Security
    • Close keepalive connections after the maximum number of fast inlined requests (#2625)

5.3.0 - Sweetnighter

5.3.0 / 2021-05-07

Contributor @MSP-Greg codenamed this release "Sweetnighter".

  • Features

    • Add support for Linux's abstract sockets (#2564, #2526)
    • Add debug to worker timeout and startup (#2559, #2528)
    • Print warning when running one-worker cluster (#2565, #2534)
    • Don't close systemd activated socket on pumactl restart (#2563, #2504)
  • Bugfixes

    • systemd - fix event firing (#2591, #2572)
    • Immediately unlink temporary files (#2613)
    • Improve parsing of HTTP_HOST header (#2605, #2584)
    • Handle fatal error that has no backtrace (#2607, #2552)
    • Fix timing out requests too early (#2606, #2574)
    • Handle segfault in Ruby 2.6.6 on thread-locals (#2567, #2566)
    • Server#closed_socket? - parameter may be a MiniSSL::Socket (#2596)
    • Define UNPACK_TCP_STATE_FROM_TCP_INFO in the right place (#2588, #2556)
    • request.rb - fix chunked assembly for ascii incompatible encodings, add test (#2585, #2583)
  • Performance

    • Reset peerip only if remote_addr_header is set (#2609)
    • Reduce puma_parser struct size (#2590)
  • Refactor

    • Refactor drain on shutdown (#2600)
    • Micro optimisations in wait_for_less_busy_worker feature (#2579)
    • Lots of test fixes

5.2.2

  • Bugfixes
    • Add #flush and #sync methods to Puma::NullIO (#2553)
    • Restore sync=true on STDOUT and STDERR streams (#2557)

5.2.1

2021-02-05

  • Bugfixes
    • Fix TCP cork/uncork operations to work with ssl clients (#2550)
    • Require rack/common_logger explicitly if :verbose is true (#2547)
    • MiniSSL::Socket#write - use data.byteslice(wrote..-1) (#2543)
    • Set @env[CONTENT_LENGTH] value as string. (#2549)

... (truncated)

Changelog

Sourced from puma's changelog.

5.3.1 / 2021-05-11

  • Security
    • Close keepalive connections after the maximum number of fast inlined requests (#2625)

5.3.0 / 2021-05-07

  • Features

    • Add support for Linux's abstract sockets (#2564, #2526)
    • Add debug to worker timeout and startup (#2559, #2528)
    • Print warning when running one-worker cluster (#2565, #2534)
    • Don't close systemd activated socket on pumactl restart (#2563, #2504)
  • Bugfixes

    • systemd - fix event firing (#2591, #2572)
    • Immediately unlink temporary files (#2613)
    • Improve parsing of HTTP_HOST header (#2605, #2584)
    • Handle fatal error that has no backtrace (#2607, #2552)
    • Fix timing out requests too early (#2606, #2574)
    • Handle segfault in Ruby 2.6.6 on thread-locals (#2567, #2566)
    • Server#closed_socket? - parameter may be a MiniSSL::Socket (#2596)
    • Define UNPACK_TCP_STATE_FROM_TCP_INFO in the right place (#2588, #2556)
    • request.rb - fix chunked assembly for ascii incompatible encodings, add test (#2585, #2583)
  • Performance

    • Reset peerip only if remote_addr_header is set (#2609)
    • Reduce puma_parser struct size (#2590)
  • Refactor

    • Refactor drain on shutdown (#2600)
    • Micro optimisations in wait_for_less_busy_worker feature (#2579)
    • Lots of test fixes

5.2.2 / 2021-02-22

  • Bugfixes
    • Add #flush and #sync methods to Puma::NullIO (#2553)
    • Restore sync=true on STDOUT and STDERR streams (#2557)

5.2.1 / 2021-02-05

  • Bugfixes
    • Fix TCP cork/uncork operations to work with ssl clients (#2550)
    • Require rack/common_logger explicitly if :verbose is true (#2547)
    • MiniSSL::Socket#write - use data.byteslice(wrote..-1) (#2543)
    • Set @env[CONTENT_LENGTH] value as string. (#2549)

5.2.0 / 2021-01-27

  • Features

... (truncated)

Commits


Updates capistrano3-puma from 3.1.1 to 5.0.4

Changelog

Sourced from capistrano3-puma's changelog.

  • 5.0.4:

    • fix: puma_systemctl_user default value (#319)
  • 5.0.3:

    • Remove ExecStop from systemd unit file (#314)
    • Systemd user service manager and lingering (#307)
  • 5.0.2:

    • Single name for systemd config template
  • 5.0.1:

    • Fix #301, Task "puma:smart_restart" not found
  • 5.0.0:

    • Support puma 5.0
    • Support SystemD service manager
  • 4.0.0:

    • Support puma 4.x
  • 3.1.0:

    • Don't load puma hooks by default.
  • 3.0.0:

    • Require capistrano 3.7+
    • Implement the plugin system
    • don't fail if puma was already running
    • Added :puma_daemonize option (default is false)
  • 2.0.0:

    • Require puma 3.4+
    • Require Capistrano 3.5+
    • Require capistrano-bundler
  • 1.2.0: add support for puma user for puma user @mcb & @seuros

  • 1.1.0: Set :puma_preload_app to false; Reload Monit after uploading any monit configuration; Always refresh Gemfile @rafaelgoulart @suhailpatel @sime

  • 1.0.0: Add activate control app @askagirl

  • 0.8.5: Fix smart_restart task to check if puma preloads app

  • 0.8.4: Allow patch method (Nginx template) @lonre

  • 0.8.2: Start task creates a conf file if none exists @stevemadere

  • 0.8.1: Fixed nginx task @hnatt, support for prune_bundler @behe

  • 0.8.0: Some changes

  • 0.7.0: added Nginx template generator @dfang

  • 0.6.1: added :puma_default_hooks, you can turn off the automatic hooks by setting it false

  • 0.6.0: Remove daemonize true from default puma.rb file. Explicitly pass --daemon flag when needed.

  • 0.5.1: Added worker_timeout option

  • 0.5.0: Bugs fixes

  • 0.4.2: Fix monit template to support chruby

  • 0.4.1: Fix puma jungle (debian)

  • 0.4.0: Multi-bind support

  • 0.3.7: Dependency bug fix

  • 0.3.5: Fixed a prehistoric bug

  • 0.3.4: I don't remember what i did here

  • 0.3.3: Puma jungle start fix

  • 0.3.2: Tag option support (require puma 2.8.2+)

  • 0.3.1: Typo fix

  • 0.3.0: Initial support for puma signals

... (truncated)

Commits
  • 1868267 release 5.0.4
  • bf3548f fix: puma_systemctl_user default value (#319)
  • 133aa8e release 5.0.3
  • 212d03a Update nginx template to support X-Forwarded-Proto and remove executables fro...
  • 5a280fe Remove ExecStop from systemd unit file (#314)
  • e50096a update systemd template accept puma_service_unit_env_file and puma_se… (#315)
  • 7bb37e8 Systemd user service manager and lingering (#307)
  • d4ac7b9 Default systemd service name on multi-app host (#309)
  • e62eaf7 release 5.0.2
  • 16f160f Merge pull request #308 from skillstream/multi-apps
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
  • `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

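As an added example for this thread (not code from the puma project, from capistrano3-puma or from dependabot), the following Ruby script audits a Gemfile.lock for a puma version that predates the keepalive-starvation fix described in the advisory quoted above, and reports which remediation the advisory allows: upgrading always, or `queue_requests false` as a stop-gap only when a reverse proxy fronts puma. The fixed versions (4.3.8 and 5.3.1) are taken from the advisory; the lockfile content, the function names and the `behind_reverse_proxy` flag are constructed for the example.

```ruby
# Added example (not code from puma, capistrano3-puma or dependabot): audit a
# Gemfile.lock for a puma release that predates the keepalive-starvation fix.
# Fixed versions 4.3.8 and 5.3.1 come from the advisory text in this PR.
require "rubygems"

FIXED_4X = Gem::Version.new("4.3.8")
FIXED_5X = Gem::Version.new("5.3.1")
FIRST_5X = Gem::Version.new("5.0.0")

# Constructed sample lockfile, mirroring the "from" version of this PR; it is
# not the repository's real Gemfile.lock.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      capistrano3-puma (3.1.1)
        capistrano (~> 3.7)
        puma (~> 3.4)
      nio4r (2.5.7)
      puma (3.12.6)
        nio4r (~> 2.0)

  DEPENDENCIES
    capistrano3-puma
    puma
LOCK

# Extract the resolved puma version from a Gemfile.lock body.
# Resolved specs sit under "specs:" at four-space indent as "puma (X.Y.Z)";
# dependency lines are indented six spaces and carry operators, so the
# anchored regex with a digits-only group skips them. Returns nil if absent.
def puma_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}puma \((\d+(?:\.\d+)*)\)\s*$/)
  m && m[1]
end

# True when the version is below the fix on its release line: 4.x needs
# >= 4.3.8, 5.x needs >= 5.3.1, and anything older than 4.3.8 is affected.
# Versions at or above 5.3.1 are treated as fixed (assumption: later
# releases keep the fix).
def puma_vulnerable?(version_str)
  v = Gem::Version.new(version_str)
  return false if v >= FIXED_5X
  return false if v >= FIXED_4X && v < FIRST_5X
  true
end

# Per the advisory, queue_requests false is only a safe stop-gap behind a
# reverse proxy (otherwise it exposes the server to slow-client attacks), so
# without a proxy the upgrade is the only remediation.
def remediation(version_str, behind_reverse_proxy:)
  return :none unless puma_vulnerable?(version_str)
  behind_reverse_proxy ? :upgrade_or_disable_queue_requests : :upgrade_only
end

# Audit a lockfile body and return a small report hash.
def audit_lockfile(lock_text, behind_reverse_proxy: false)
  version = puma_version_from_lockfile(lock_text)
  return { found: false } if version.nil?
  {
    found: true,
    version: version,
    vulnerable: puma_vulnerable?(version),
    remediation: remediation(version, behind_reverse_proxy: behind_reverse_proxy),
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit_lockfile(SAMPLE_LOCKFILE, behind_reverse_proxy: true)
  puts "puma #{report[:version]}: " \
       "#{report[:vulnerable] ? 'VULNERABLE' : 'ok'} (#{report[:remediation]})"
end
```

Run it against a real lockfile with `audit_lockfile(File.read("Gemfile.lock"), behind_reverse_proxy: true)`; the regex deliberately reads only the resolved `specs:` entry, so a loose constraint such as `puma (>= 4.3.8)` on a dependency line never masks the version actually installed.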
codecov-commenter commented 3 years ago

Codecov Report

Merging #437 (6761e8d) into main (02affe4) will not change coverage. The diff coverage is n/a.


@@           Coverage Diff           @@
##             main     #437   +/-   ##
=======================================
  Coverage   67.27%   67.27%           
=======================================
  Files          23       23           
  Lines         272      272           
=======================================
  Hits          183      183           
  Misses         89       89           

Continue to review full report at Codecov.


dependabot-preview[bot] commented 3 years ago

Superseded by #442.