dzucconi / ARCHIVED_damonzucconi-client_2

Personal website built on damonzucconi-api GraphQL endpoint
https://www.damonzucconi.com
MIT License

Update dependency puma to v3.12.6 [SECURITY] #78

Closed renovate[bot] closed 3 years ago

renovate[bot] commented 3 years ago

WhiteSource Renovate

This PR contains the following updates:

Package   Update   Change
puma      patch    3.12.4 -> 3.12.6

GitHub Vulnerability Alerts

CVE-2020-11076

Impact

By using an invalid transfer-encoding header, an attacker could smuggle an HTTP response.

Originally reported by @ZeddYu, who has our thanks for the detailed report.

Patches

The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

For more information

If you have any questions or comments about this advisory:

CVE-2020-11077

Impact

This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4.

A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Patches

The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.

For more information

If you have any questions or comments about this advisory:


Renovate configuration

Schedule: "" (UTC).

Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.
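
Both advisories quoted in the comment above come down to two HTTP/1.1 parsers disagreeing about where one request ends and the next begins. The Ruby block below is an added illustration of that disagreement; it is not Puma's code, not the fix shipped in 3.12.5 or 3.12.6, and not part of this repository. It implements three simplified framing policies (a lenient proxy that lets Content-Length win, a lenient back-end that lets Transfer-Encoding win as RFC 7230 section 3.3.3 requires, and a strict parser that refuses ambiguous framing) and runs each over a constructed CL.TE byte stream, so you can see the same bytes become one request on one side and two on the other. The policy names, the sample bytes, and the simplifications (no chunk trailers, only the bare `chunked` coding accepted) are assumptions of this example.

```ruby
# Added example: three simplified HTTP/1.1 framing policies over one byte stream.
# Not Puma's code and not part of this repository; policy names, sample bytes and
# the simplifications below are assumptions of this illustration.

HEADER_END = "\r\n\r\n"

# Parse a request head at `pos`; returns [request_line, headers, body_start] or nil.
def parse_head(buf, pos)
  idx = buf.index(HEADER_END, pos)
  return nil unless idx

  request_line, *lines = buf[pos...idx].split("\r\n")
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.strip if value
  end
  [request_line, headers, idx + HEADER_END.bytesize]
end

# Walk a chunked body from `pos`; returns the offset just past the terminating
# 0-chunk, or nil if the body is incomplete or a size line is not hexadecimal.
# Trailer fields are not handled in this simplified decoder.
def chunked_body_end(buf, pos)
  loop do
    line_end = buf.index("\r\n", pos)
    return nil unless line_end

    size_field = buf[pos...line_end].split(';').first.to_s.strip
    return nil unless size_field.match?(/\A\h+\z/)

    size = size_field.to_i(16)
    pos = line_end + 2
    return (buf[pos, 2] == "\r\n" ? pos + 2 : nil) if size.zero?
    return nil if buf.bytesize < pos + size + 2

    pos += size + 2 # chunk data plus its trailing CRLF
  end
end

# Split `buf` into [request_line, body] pairs under one framing policy:
#   :content_length_first    Content-Length wins when both headers are present (lenient proxy)
#   :transfer_encoding_first Transfer-Encoding wins, per RFC 7230 3.3.3 (lenient back-end)
#   :strict                  reject any request whose length is ambiguous
def split_requests(buf, policy)
  requests = []
  pos = 0
  while pos < buf.bytesize
    head = parse_head(buf, pos)
    break unless head

    request_line, headers, body_start = head
    te = headers['transfer-encoding']
    cl = headers['content-length']

    if policy == :strict
      raise ArgumentError, 'both Transfer-Encoding and Content-Length present' if te && cl
      raise ArgumentError, "unsupported transfer coding #{te.inspect}" if te && !te.casecmp?('chunked')
      raise ArgumentError, "malformed Content-Length #{cl.inspect}" if cl && !cl.match?(/\A\d+\z/)
    end

    body_end =
      if te && !(policy == :content_length_first && cl)
        chunked_body_end(buf, body_start)
      elsif cl
        body_start + cl.to_i
      else
        body_start
      end
    break unless body_end && body_end <= buf.bytesize

    requests << [request_line, buf[body_start...body_end]]
    pos = body_end
  end
  requests
end

def request_lines(buf, policy)
  split_requests(buf, policy).map(&:first)
end

# Constructed sample bytes, not captured traffic.
SMUGGLED_REQUEST = "GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"

# CL.TE stream: Content-Length covers everything after the head, while chunked
# framing ends right after the empty 0-chunk, so the trailing GET is either body
# (proxy) or a second request (back-end) depending on which header wins.
AMBIGUOUS_BODY = "0\r\n\r\n" + SMUGGLED_REQUEST
AMBIGUOUS_STREAM = "POST / HTTP/1.1\r\nHost: example.test\r\n" \
                   "Content-Length: #{AMBIGUOUS_BODY.bytesize}\r\n" \
                   "Transfer-Encoding: chunked\r\n\r\n" + AMBIGUOUS_BODY

# Unambiguous pipelining: the same two requests, framed with chunked only.
PIPELINED_STREAM = "POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n" \
                   "5\r\nhello\r\n0\r\n\r\n" + SMUGGLED_REQUEST

if __FILE__ == $PROGRAM_NAME
  puts "proxy    (CL first): #{request_lines(AMBIGUOUS_STREAM, :content_length_first).inspect}"
  puts "back-end (TE first): #{request_lines(AMBIGUOUS_STREAM, :transfer_encoding_first).inspect}"
  begin
    split_requests(AMBIGUOUS_STREAM, :strict)
  rescue ArgumentError => e
    puts "strict: rejected (#{e.message})"
  end
  puts "pipelined, strict:   #{request_lines(PIPELINED_STREAM, :strict).inspect}"
end
```

On the ambiguous stream the proxy-style policy yields a single POST whose body swallows the GET, the back-end-style policy yields two requests and therefore two responses, which is exactly the extra response the second advisory says the proxy "does not expect"; the strict policy refuses the request outright. On the properly pipelined stream all three policies agree, which is why pipelining by itself is not the problem and rejecting ambiguous framing is the right fix.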

renovate[bot] commented 3 years ago

Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: Gemfile.lock
2.6.3: Pulling from renovate/ruby
83ee3a23efb7: Pulling fs layer
db98fc6f11f0: Pulling fs layer
f611acd52c6c: Pulling fs layer
74f4c7b35aa5: Pulling fs layer
bca0f0cd5c76: Pulling fs layer
580129a80667: Pulling fs layer
dd7524b79122: Pulling fs layer
0b3ae563b176: Pulling fs layer
581ce9de78a0: Pulling fs layer
74f4c7b35aa5: Waiting
bca0f0cd5c76: Waiting
580129a80667: Waiting
dd7524b79122: Waiting
0b3ae563b176: Waiting
581ce9de78a0: Waiting
db98fc6f11f0: Verifying Checksum
db98fc6f11f0: Download complete
f611acd52c6c: Verifying Checksum
f611acd52c6c: Download complete
bca0f0cd5c76: Verifying Checksum
74f4c7b35aa5: Verifying Checksum
74f4c7b35aa5: Download complete
bca0f0cd5c76: Download complete
83ee3a23efb7: Verifying Checksum
83ee3a23efb7: Download complete
0b3ae563b176: Verifying Checksum
0b3ae563b176: Download complete
580129a80667: Verifying Checksum
580129a80667: Download complete
dd7524b79122: Verifying Checksum
dd7524b79122: Download complete
581ce9de78a0: Verifying Checksum
581ce9de78a0: Download complete
83ee3a23efb7: Pull complete
db98fc6f11f0: Pull complete
f611acd52c6c: Pull complete
74f4c7b35aa5: Pull complete
bca0f0cd5c76: Pull complete
580129a80667: Pull complete
dd7524b79122: Pull complete
0b3ae563b176: Pull complete
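
Because the bot could not regenerate Gemfile.lock here, the lock file is what actually decides which puma the app boots with, so it is worth checking by hand rather than trusting the PR title. The Ruby block below is an added example of such a check; it is not Renovate's, Bundler's or this repository's code. It reads the resolved `name (version)` lines from a Gemfile.lock and compares the locked puma against the fixed releases named in the advisories above (3.12.6 for the 3.x series, 4.3.5 for 4.x). The sample lock text is constructed to mirror the state this PR was opened against (puma 3.12.4), and the helper names are this example's own.

```ruby
# Added example: audit a Gemfile.lock for the puma releases named in the advisories
# above. Not Renovate's, Bundler's or this repository's code; the sample lock text is
# constructed and the helper names are this example's own.
require 'rubygems'

# Fixed releases stated in the advisories: 3.12.6 for the 3.x series, 4.3.5 for 4.x.
PUMA_FIXED = { 3 => Gem::Version.new('3.12.6'), 4 => Gem::Version.new('4.3.5') }.freeze

# Collect the resolved "name (version)" lines (four-space indent) under each
# "specs:" block. Six-space dependency lines and the DEPENDENCIES section, which
# carry requirements rather than resolved versions, are skipped.
def locked_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.start_with?('  specs:')
      in_specs = true
    elsif line.match?(/\A\S/) # a new top-level section such as PLATFORMS
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      # Drop a platform suffix such as "-x86_64-linux" before parsing the version.
      versions[m[1]] = Gem::Version.new(m[2].split('-', 2).first)
    end
  end
  versions
end

# Classify a locked puma version against the advisories' fixed releases.
def puma_status(version)
  return :not_locked if version.nil?

  fixed = PUMA_FIXED[version.segments.first]
  return :outside_advisory unless fixed # a series the advisory text does not cover

  version < fixed ? :vulnerable : :fixed
end

def audit_lock(lock_text)
  version = locked_versions(lock_text)['puma']
  { version: version&.to_s, status: puma_status(version) }
end

# Constructed lock text mirroring the state this PR was opened against.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.2)
      puma (3.12.4)
        nio4r (~> 2.0)
      rack (2.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma (~> 3.12)
    rack
LOCK

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts audit_lock(lock).inspect
end
```

Run it with the real lock as `ruby audit_puma.rb Gemfile.lock` (file name assumed). A `:vulnerable` result means the lock still pins a release below the advisory's fix even if the Gemfile constraint would allow a newer one, which is the situation the failed artifact update above leaves behind until the lock is regenerated.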
renovate[bot] commented 3 years ago

Renovate Ignore Notification

As this PR has been closed unmerged, Renovate will now ignore this update (~> 3.12). You will still receive a PR once a newer version is released, so if you wish to permanently ignore this dependency, please add it to the ignoreDeps array of your renovate config.

If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.