🚨 [security] [ruby] Update puma 5.6.5 → 6.3.0 (major)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ puma (5.6.5 → 6.3.0) · Repo · Changelog

Security Advisories 🚨

🚨 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory:

• Incorrect parsing of trailing fields in chunked transfer encoding bodies
• Parsing of blank/zero-length Content-Length headers\r\n

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

Release Notes

6.3.0

Japan has 72 traditional microseasons. May 31 is the first day of 麦秋至, which means the time of the wheat/barley harvest.

• Features

  • Add dsl method supported_http_methods ([#3106], [#3014])
  • Puma error responses no longer have any fingerprints to indicate Puma ([#3161], [#3037])
  • Support decryption of SSL key ([#3133], [#3132])

• Bugfixes

  • Don't send 103 early hints response when only invalid headers are used ([#3163])
  • Handle malformed request path ([#3155], [#3148])
  • Misc lib file fixes - trapping additional errors, CI helper ([#3129])
  • Fixup req form data file upload with "r\n" line endings ([#3137])
  • Restore rack 1.6 compatibility ([#3156])

• Refactor

  • const.rb - Update Puma::HTTP_STATUS_CODES ([#3162])
  • Clarify Reactor#initialize ([#3151])

New Contributors

• @severin made their first contribution in #3156

Full Changelog: v6.2.2...v6.3.0

6.2.2

• Bugfixes
  • Fix Rack-related NameError by adding :: operator ([#3118], [#3117])

6.2.1

6.2.1 / 2023-03-31

• Bugfixes
  • Fix java 8 compatibility ([#3109], [#3108])
  • Always write io_buffer when in "enum bodies" branch. ([#3113], [#3112])
  • Fix warn_if_in_single_mode incorrect message ([#3111])

6.2.0

Pat Metheny Group - Speaking of Now

• Features

  • Ability to supply a custom logger ([#2770], [#2511])
  • Warn when clustered-only hooks are defined in single mode ([#3089])
  • Adds the on_booted event ([#2709])

• Bugfixes

  • Loggers - internal_write - catch Errno::EINVAL ([#3091])
  • commonlogger.rb - fix HIJACK time format, use constants, not strings ([#3074])
  • Fixed some edge cases regarding request hijacking ([#3072])

6.1.1

• Bugfixes
  • We no longer try to use the systemd plugin for JRuby ([#3079])
  • Allow ::Rack::Handler::Puma.run to work regardless of whether Rack/Rackup are loaded ([#3080])

6.1.0

• Features

  • WebSocket support via partial hijack ([#3058], [#3007])
  • Add built-in systemd notify support ([#3011])
  • Periodically send status to systemd ([#3006], [#2604])
  • Introduce the ability to return 413: payload too large for requests ([#3040])
  • Log loaded extensions when PUMA_DEBUG is set ([#3036], [#3020])

• Bugfixes

  • Fix issue with rack 3 compatibility re: rackup ([#3061], [#3057])
  • Allow setting TCP low_latency with SSL listener ([#3065])

• Performance

  • Reduce memory usage for large file uploads ([#3062])

6.0.2

6.0.2 / 2023-01-01

• Refactor
  • Remove use of etc and time gems in Puma ([#3035], [#3033])
  • Refactor const.rb - freeze ([#3016])

6.0.1

6.0.1 / 2022-12-20

• Bugfixes
  • Handle waking up a closed selector in Reactor#add ([#3005])
  • Fixup response processing, enumerable bodies ([#3004], [#3000])
  • Correctly close app body for all code paths ([#3002], [#2999])
• Refactor
  • Add IOBuffer to Client, remove from ThreadPool thread instances ([#3013])

Full Changelog: v6.0.0...v6.0.1

6.0.0 (from changelog)

• Breaking Changes

  • Dropping Ruby 2.2 and 2.3 support (now 2.4+) (#2919)
  • Remote_addr functionality has changed (#2652, #2653)
  • No longer supporting Java 1.7 or below (JRuby 9.1 was the last release to support this) (#2849)
  • Remove nakayoshi GC (#2933, #2925)
  • wait_for_less_busy_worker is now default on (#2940)
  • Prefix all environment variables with PUMA_ (#2924, #2853)
  • Removed some constants (#2957, #2958, #2959, #2960)
  • The following classes are now part of Puma's private API: Client, Cluster::Worker, Cluster::Worker, HandleRequest. (#2988)
  • Configuration constants like DefaultRackup removed (#2928)

• Features

  • Increase throughput on large (100kb+) response bodies by 3-10x (#2896, #2892)
  • Increase throughput on file responses (#2923)
  • Add support for streaming bodies in Rack. (#2740)
  • Allow OpenSSL session reuse via a 'reuse' ssl_bind method or bind string query parameter (#2845)
  • Allow run_hooks to pass a hash to blocks for use later (#2917, #2915)
  • Allow using preload_app! with fork_worker (#2907)
  • Support request_body_wait metric with higher precision (#2953)
  • Allow header values to be arrays (Rack 3) (#2936, #2931)
  • Export Puma/Ruby versions in /stats (#2875)
  • Allow configuring request uri max length & request path max length (#2840)
  • Add a couple of public accessors (#2774)
  • Log entire backtrace when worker start fails (#2891)
  • [jruby] Enable TLSv1.3 support (#2886)
  • [jruby] support setting TLS protocols + rename ssl_cipher_list (#2899)
  • [jruby] Support a truststore option (#2849, #2904, #2884)

• Bugfixes

  • Load the configuration before passing it to the binder (#2897)
  • Do not raise error raised on HTTP methods we don't recognize or support, like CONNECT (#2932, #1441)
  • Fixed a memory leak when creating a new SSL listener (#2956)

• Refactor

  • log_writer.rb - add internal_write method (#2888)
  • [WIP] Refactor: Split out LogWriter from Events (no logic change) (#2798)
  • Extract prune_bundler code into it's own class. (#2797)
  • Refactor Launcher#run to increase readability (no logic change) (#2795)
  • Ruby 3.2 will have native IO#wait_* methods, don't require io/wait (#2903)
  • Various internal API refactorings (#2942, #2921, #2922, #2955)

5.6.6 (from changelog)

• Bugfix
  • Allow Puma to be loaded with Rack 3 (#3166)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.5.8 → 2.5.9) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 10 commits:

• Bump patch version.
• Fix order of OpenSSL require.
• Remove coveralls.
• Rework (VALUE* args) -> (VALUE arg) invalid function type. Fixes #287.
• Fix java 8 compatibility. (#292)
• Fix test workflow.
• Actions - remove Ubuntu-16.04, macOS to 11, add Ubuntu-22.04, Win 2022
• Add license file. Fixes #228, #282.
• allow missing `devkit`
• Add missing changelogs for v2.5.6 v2.5.7 v2.5.8

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu[bot]]

Closed in favor of #770.