psantos10 / sos

Update dependency puma to v5 [SECURITY] #111

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| puma (source, changelog) | major | `~> 4.1` -> `~> 5.0` |

GitHub Vulnerability Alerts

CVE-2021-41136

Impact

Prior to puma version 5.5.0, using puma with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as "low". Puma is only aware of a single proxy server which has this behavior.

If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Patches

This vulnerability was patched in Puma 5.5.1 and 4.3.9.

Workarounds

This vulnerability only affects Puma installations without any proxy in front.

Use a proxy which does not forward LF characters as line endings.

Proxies which do not forward LF characters as line endings:

Possible Breakage

If you are dealing with legacy clients that want to send LF as a line ending in an HTTP header, this will cause those clients to receive a 400 error.

References

For more information

If you have any questions or comments about this advisory:

CVE-2022-23634

Impact

Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly.

From Rails:

Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.

Patches

This problem is fixed in Puma versions 5.6.2 and 4.3.11.

This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

See: https://github.com/advisories/GHSA-wh98-p28r-vrc9 for details about the rails vulnerability

Upgrading to a patched Rails or Puma version fixes the vulnerability.

Workarounds

Upgrade to Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

The Rails CVE includes a middleware that can be used instead.

References

For more information

If you have any questions or comments about this advisory:

CVE-2022-24790

When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory:

The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turn on any and all functionality to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have "good" behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.

CVE-2023-40175

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory:

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

For more information

If you have any questions or comments about this advisory:

- Open an issue in Puma
- See our security policy


Release Notes

puma/puma (puma)

### [`v5.6.7`](https://togithub.com/puma/puma/blob/HEAD/History.md#567--2023-08-18)

[Compare Source](https://togithub.com/puma/puma/compare/v5.6.6...v5.6.7)

- Security
  - Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields ([GHSA-68xg-gqqm-vgj8](https://togithub.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8))

### [`v5.6.6`](https://togithub.com/puma/puma/blob/HEAD/History.md#566--2023-06-21)

[Compare Source](https://togithub.com/puma/puma/compare/v5.6.5...v5.6.6)

- Bugfix
  - Prevent loading with rack 3 (\[[#3166](https://togithub.com/puma/puma/issues/3166)])

### [`v5.6.5`](https://togithub.com/puma/puma/blob/HEAD/History.md#565--2022-08-23)

[Compare Source](https://togithub.com/puma/puma/compare/v5.6.4...v5.6.5)

- Feature
  - Puma::ControlCLI - allow refork command to be sent as a request (\[[#2868](https://togithub.com/puma/puma/issues/2868)], \[[#2866](https://togithub.com/puma/puma/issues/2866)])
- Bugfixes
  - NullIO#closed should return false (\[[#2883](https://togithub.com/puma/puma/issues/2883)])
  - \[jruby] Fix TLS verification hang (\[[#2890](https://togithub.com/puma/puma/issues/2890)], \[[#2729](https://togithub.com/puma/puma/issues/2729)])
  - extconf.rb - don't use pkg_config('openssl') if '--with-openssl-dir' is used (\[[#2885](https://togithub.com/puma/puma/issues/2885)], \[[#2839](https://togithub.com/puma/puma/issues/2839)])
  - MiniSSL - detect SSL_CTX_set_dh_auto (\[[#2864](https://togithub.com/puma/puma/issues/2864)], \[[#2863](https://togithub.com/puma/puma/issues/2863)])
  - Fix rack.after_reply exceptions breaking connections (\[[#2861](https://togithub.com/puma/puma/issues/2861)], \[[#2856](https://togithub.com/puma/puma/issues/2856)])
  - Escape SSL cert and filenames (\[[#2855](https://togithub.com/puma/puma/issues/2855)])
  - Fail hard if SSL certs or keys are invalid (\[[#2848](https://togithub.com/puma/puma/issues/2848)])
  - Fail hard if SSL certs or keys cannot be read by user (\[[#2847](https://togithub.com/puma/puma/issues/2847)])
  - Fix build with Opaque DH in LibreSSL 3.5. (\[[#2838](https://togithub.com/puma/puma/issues/2838)])
  - Pre-existing socket file removed when TERM is issued after USR2 (if puma is running in cluster mode) (\[[#2817](https://togithub.com/puma/puma/issues/2817)])
  - Fix Puma::StateFile#load incompatibility (\[[#2810](https://togithub.com/puma/puma/issues/2810)])

### [`v5.6.4`](https://togithub.com/puma/puma/blob/HEAD/History.md#564--2022-03-30)

[Compare Source](https://togithub.com/puma/puma/compare/v5.6.2...v5.6.4)

- Security
  - Close several HTTP Request Smuggling exploits (CVE-2022-24790)

### [`v5.6.2`](https://togithub.com/puma/puma/blob/HEAD/History.md#562--2022-02-11)

[Compare Source](https://togithub.com/puma/puma/compare/v5.6.1...v5.6.2)

- Bugfix/Security
  - Response body will always be `close`d. (GHSA-rmj8-8hhh-gv5h, related to \[[#2809](https://togithub.com/puma/puma/issues/2809)])

### [`v5.6.1`](https://togithub.com/puma/puma/blob/HEAD/History.md#561--2022-01-26)

[Compare Source](https://togithub.com/puma/puma/compare/v5.6.0...v5.6.1)

- Bugfixes
  - Reverted a commit which appeared to be causing occasional blank header values (\[[#2809](https://togithub.com/puma/puma/issues/2809)])

### [`v5.6.0`](https://togithub.com/puma/puma/blob/HEAD/History.md#560--2022-01-25)

[Compare Source](https://togithub.com/puma/puma/compare/v5.5.2...v5.6.0)

- Features
  - Support `localhost` integration in `ssl_bind` (\[[#2764](https://togithub.com/puma/puma/issues/2764)], \[[#2708](https://togithub.com/puma/puma/issues/2708)])
  - Allow backlog parameter to be set with ssl_bind DSL (\[[#2780](https://togithub.com/puma/puma/issues/2780)])
  - Remove yaml (psych) requirement in StateFile (\[[#2784](https://togithub.com/puma/puma/issues/2784)])
  - Allow culling of oldest workers, previously was only youngest (\[[#2773](https://togithub.com/puma/puma/issues/2773)], \[[#2794](https://togithub.com/puma/puma/issues/2794)])
  - Add worker_check_interval configuration option (\[[#2759](https://togithub.com/puma/puma/issues/2759)])
  - Always send lowlevel_error response to client (\[[#2731](https://togithub.com/puma/puma/issues/2731)], \[[#2341](https://togithub.com/puma/puma/issues/2341)])
  - Support for cert_pem and key_pem with ssl_bind DSL (\[[#2728](https://togithub.com/puma/puma/issues/2728)])
- Bugfixes
  - Keep thread names under 15 characters, prevents breakage on some OSes (\[[#2733](https://togithub.com/puma/puma/issues/2733)])
  - Fix two 'old-style-definition' compile warning (\[[#2807](https://togithub.com/puma/puma/issues/2807)], \[[#2806](https://togithub.com/puma/puma/issues/2806)])
  - Log environment correctly using option value (\[[#2799](https://togithub.com/puma/puma/issues/2799)])
  - Fix warning from Ruby master (will be 3.2.0) (\[[#2785](https://togithub.com/puma/puma/issues/2785)])
  - extconf.rb - fix openssl with old Windows builds (\[[#2757](https://togithub.com/puma/puma/issues/2757)])
  - server.rb - rescue handling (`Errno::EBADF`) for `@notify.close` (\[[#2745](https://togithub.com/puma/puma/issues/2745)])
- Refactor
  - server.rb - refactor code using [@options](https://togithub.com/options)\[:remote_address] (\[[#2742](https://togithub.com/puma/puma/issues/2742)])
  - \[jruby] a couple refactorings - avoid copy-ing bytes (\[[#2730](https://togithub.com/puma/puma/issues/2730)])

### [`v5.5.2`](https://togithub.com/puma/puma/blob/HEAD/History.md#552--2021-10-12)

[Compare Source](https://togithub.com/puma/puma/compare/v5.5.1...v5.5.2)

- Bugfixes
  - Allow UTF-8 in HTTP header values

### [`v5.5.1`](https://togithub.com/puma/puma/blob/HEAD/History.md#551--2021-10-12)

[Compare Source](https://togithub.com/puma/puma/compare/v5.5.0...v5.5.1)

- Feature (added as mistake - we don't normally do this on bugfix releases, sorry!)
  - Allow setting APP_ENV in preference to RACK_ENV or RAILS_ENV (\[[#2702](https://togithub.com/puma/puma/issues/2702)])
- Security
  - Do not allow LF as a line ending in a header (CVE-2021-41136)

### [`v5.5.0`](https://togithub.com/puma/puma/blob/HEAD/History.md#550--2021-09-19)

[Compare Source](https://togithub.com/puma/puma/compare/v5.4.0...v5.5.0)

- Features
  - Automatic SSL certificate provisioning for localhost, via localhost gem (\[[#2610](https://togithub.com/puma/puma/issues/2610)], \[[#2257](https://togithub.com/puma/puma/issues/2257)])
  - add support for the PROXY protocol (v1 only) (\[[#2654](https://togithub.com/puma/puma/issues/2654)], \[[#2651](https://togithub.com/puma/puma/issues/2651)])
  - Add a semantic CLI option for no config file (\[[#2689](https://togithub.com/puma/puma/issues/2689)])
- Bugfixes
  - More elaborate exception handling - lets some dead pumas die. (\[[#2700](https://togithub.com/puma/puma/issues/2700)], \[[#2699](https://togithub.com/puma/puma/issues/2699)])
  - allow multiple after_worker_fork hooks (\[[#2690](https://togithub.com/puma/puma/issues/2690)])
  - Preserve BUNDLE_APP_CONFIG on worker fork (\[[#2688](https://togithub.com/puma/puma/issues/2688)], \[[#2687](https://togithub.com/puma/puma/issues/2687)])
- Performance
  - Fix performance of server-side SSL connection close. (\[[#2675](https://togithub.com/puma/puma/issues/2675)])

### [`v5.4.0`](https://togithub.com/puma/puma/blob/HEAD/History.md#540--2021-07-28)

[Compare Source](https://togithub.com/puma/puma/compare/v5.3.2...v5.4.0)

- Features
  - Better/expanded names for threadpool threads (\[[#2657](https://togithub.com/puma/puma/issues/2657)])
  - Allow pkg_config for OpenSSL (\[[#2648](https://togithub.com/puma/puma/issues/2648)], \[[#1412](https://togithub.com/puma/puma/issues/1412)])
  - Add `rack_url_scheme` to Puma::DSL, allows setting of `rack.url_scheme` header (\[[#2586](https://togithub.com/puma/puma/issues/2586)], \[[#2569](https://togithub.com/puma/puma/issues/2569)])
- Bugfixes
  - `Binder#parse` - allow for symlinked unix path, add create_activated_fds debug ENV (\[[#2643](https://togithub.com/puma/puma/issues/2643)], \[[#2638](https://togithub.com/puma/puma/issues/2638)])
  - Fix deprecation warning: minissl.c - Use Random.bytes if available (\[[#2642](https://togithub.com/puma/puma/issues/2642)])
  - Client certificates: set session id context while creating SSLContext (\[[#2633](https://togithub.com/puma/puma/issues/2633)])
  - Fix deadlock issue in thread pool (\[[#2656](https://togithub.com/puma/puma/issues/2656)])
- Refactor
  - Replace `IO.select` with `IO#wait_*` when checking a single IO (\[[#2666](https://togithub.com/puma/puma/issues/2666)])

### [`v5.3.2`](https://togithub.com/puma/puma/blob/HEAD/History.md#532--2021-05-21)

[Compare Source](https://togithub.com/puma/puma/compare/v5.3.1...v5.3.2)

- Bugfixes
  - Gracefully handle Rack not accepting CLI options (\[[#2630](https://togithub.com/puma/puma/issues/2630)], \[[#2626](https://togithub.com/puma/puma/issues/2626)])
  - Fix sigterm misbehavior (\[[#2629](https://togithub.com/puma/puma/issues/2629)])
  - Improvements to keepalive-connection shedding (\[[#2628](https://togithub.com/puma/puma/issues/2628)])

### [`v5.3.1`](https://togithub.com/puma/puma/blob/HEAD/History.md#531--2021-05-11)

[Compare Source](https://togithub.com/puma/puma/compare/v5.3.0...v5.3.1)

- Security
  - Close keepalive connections after the maximum number of fast inlined requests (CVE-2021-29509) (\[[#2625](https://togithub.com/puma/puma/issues/2625)])

### [`v5.3.0`](https://togithub.com/puma/puma/blob/HEAD/History.md#530--2021-05-07)

[Compare Source](https://togithub.com/puma/puma/compare/v5.2.2...v5.3.0)

- Features
  - Add support for Linux's abstract sockets (\[[#2564](https://togithub.com/puma/puma/issues/2564)], \[[#2526](https://togithub.com/puma/puma/issues/2526)])
  - Add debug to worker timeout and startup (\[[#2559](https://togithub.com/puma/puma/issues/2559)], \[[#2528](https://togithub.com/puma/puma/issues/2528)])
  - Print warning when running one-worker cluster (\[[#2565](https://togithub.com/puma/puma/issues/2565)], \[[#2534](https://togithub.com/puma/puma/issues/2534)])
  - Don't close systemd activated socket on pumactl restart (\[[#2563](https://togithub.com/puma/puma/issues/2563)], \[[#2504](https://togithub.com/puma/puma/issues/2504)])
- Bugfixes
  - systemd - fix event firing (\[[#2591](https://togithub.com/puma/puma/issues/2591)], \[[#2572](https://togithub.com/puma/puma/issues/2572)])
  - Immediately unlink temporary files (\[[#2613](https://togithub.com/puma/puma/issues/2613)])
  - Improve parsing of HTTP_HOST header (\[[#2605](https://togithub.com/puma/puma/issues/2605)], \[[#2584](https://togithub.com/puma/puma/issues/2584)])
  - Handle fatal error that has no backtrace (\[[#2607](https://togithub.com/puma/puma/issues/2607)], \[[#2552](https://togithub.com/puma/puma/issues/2552)])
  - Fix timing out requests too early (\[[#2606](https://togithub.com/puma/puma/issues/2606)], \[[#2574](https://togithub.com/puma/puma/issues/2574)])
  - Handle segfault in Ruby 2.6.6 on thread-locals (\[[#2567](https://togithub.com/puma/puma/issues/2567)], \[[#2566](https://togithub.com/puma/puma/issues/2566)])
  - Server#closed_socket? - parameter may be a MiniSSL::Socket (\[[#2596](https://togithub.com/puma/puma/issues/2596)])
  - Define UNPACK_TCP_STATE_FROM_TCP_INFO in the right place (\[[#2588](https://togithub.com/puma/puma/issues/2588)], \[[#2556](https://togithub.com/puma/puma/issues/2556)])
  - request.rb - fix chunked assembly for ascii incompatible encodings, add test (\[[#2585](https://togithub.com/puma/puma/issues/2585)], \[[#2583](https://togithub.com/puma/puma/issues/2583)])
- Performance
  - Reset peerip only if remote_addr_header is set (\[[#2609](https://togithub.com/puma/puma/issues/2609)])
  - Reduce puma_parser struct size (\[[#2590](https://togithub.com/puma/puma/issues/2590)])
- Refactor
  - Refactor drain on shutdown (\[[#2600](https://togithub.com/puma/puma/issues/2600)])
  - Micro optimisations in `wait_for_less_busy_worker` feature (\[[#2579](https://togithub.com/puma/puma/issues/2579)])
  - Lots of test fixes

### [`v5.2.2`](https://togithub.com/puma/puma/blob/HEAD/History.md#522--2021-02-22)

[Compare Source](https://togithub.com/puma/puma/compare/v5.2.1...v5.2.2)

- Bugfixes
  - Add `#flush` and `#sync` methods to `Puma::NullIO` (\[[#2553](https://togithub.com/puma/puma/issues/2553)])
  - Restore `sync=true` on `STDOUT` and `STDERR` streams (\[[#2557](https://togithub.com/puma/puma/issues/2557)])

### [`v5.2.1`](https://togithub.com/puma/puma/blob/HEAD/History.md#521--2021-02-05)

[Compare Source](https://togithub.com/puma/puma/compare/v5.2.0...v5.2.1)

- Bugfixes
  - Fix TCP cork/uncork operations to work with ssl clients (\[[#2550](https://togithub.com/puma/puma/issues/2550)])
  - Require rack/common_logger explicitly if :verbose is true (\[[#2547](https://togithub.com/puma/puma/issues/2547)])
  - MiniSSL::Socket#write - use data.byteslice(wrote..-1) (\[[#2543](https://togithub.com/puma/puma/issues/2543)])
  - Set `@env[CONTENT_LENGTH]` value as string. (\[[#2549](https://togithub.com/puma/puma/issues/2549)])

### [`v5.2.0`](https://togithub.com/puma/puma/blob/HEAD/History.md#520--2021-01-27)

[Compare Source](https://togithub.com/puma/puma/compare/v5.1.1...v5.2.0)

- Features
  - 10x latency improvement for MRI on ssl connections by reducing overhead (\[[#2519](https://togithub.com/puma/puma/issues/2519)])
  - Add option to specify the desired IO selector backend for libev (\[[#2522](https://togithub.com/puma/puma/issues/2522)])
  - Add ability to set OpenSSL verification flags (MRI only) (\[[#2490](https://togithub.com/puma/puma/issues/2490)])
  - Uses `flush` after writing messages to avoid mutating $stdout and $stderr using `sync=true` (\[[#2486](https://togithub.com/puma/puma/issues/2486)])
- Bugfixes
  - MiniSSL - Update dhparam to 2048 bit for use with SSL_CTX_set_tmp_dh (\[[#2535](https://togithub.com/puma/puma/issues/2535)])
  - Change 'Goodbye!' message to be output after listeners are closed (\[[#2529](https://togithub.com/puma/puma/issues/2529)])
  - Fix ssl bind logging with 0.0.0.0 and localhost (\[[#2533](https://togithub.com/puma/puma/issues/2533)])
  - Fix compiler warnings, but skipped warnings related to ragel state machine generated code (\[[#1953](https://togithub.com/puma/puma/issues/1953)])
  - Fix phased restart errors related to nio4r gem when using the Puma control server (\[[#2516](https://togithub.com/puma/puma/issues/2516)])
  - Add `#string` method to `Puma::NullIO` (\[[#2520](https://togithub.com/puma/puma/issues/2520)])
  - Fix binding via Rack handler to IPv6 addresses (\[[#2521](https://togithub.com/puma/puma/issues/2521)])
- Refactor
  - Refactor MiniSSL::Context on MRI, fix MiniSSL::Socket#write (\[[#2519](https://togithub.com/puma/puma/issues/2519)])
  - Remove `Server#read_body` (\[[#2531](https://togithub.com/puma/puma/issues/2531)])
  - Fail build if compiling extensions raises warnings on GH Actions, configurable via `MAKE_WARNINGS_INTO_ERRORS` (\[[#1953](https://togithub.com/puma/puma/issues/1953)])

### [`v5.1.1`](https://togithub.com/puma/puma/blob/HEAD/History.md#511--2020-12-10)

[Compare Source](https://togithub.com/puma/puma/compare/v5.1.0...v5.1.1)

- Bugfixes
  - Fix over eager matching against banned header names (\[[#2510](https://togithub.com/puma/puma/issues/2510)])

### [`v5.1.0`](https://togithub.com/puma/puma/blob/HEAD/History.md#510--2020-11-30)

[Compare Source](https://togithub.com/puma/puma/compare/v5.0.4...v5.1.0)

- Features
  - Phased restart availability is now always logged, even if it is not available.
  - Prints the loaded configuration if the environment variable `PUMA_LOG_CONFIG` is present (\[[#2472](https://togithub.com/puma/puma/issues/2472)])
  - Integrate with systemd's watchdog and notification features (\[[#2438](https://togithub.com/puma/puma/issues/2438)])
  - Adds max_fast_inline as a configuration option for the Server object (\[[#2406](https://togithub.com/puma/puma/issues/2406)])
  - You can now fork workers from worker 0 using SIGURG w/o fork_worker enabled \[[#2449](https://togithub.com/puma/puma/issues/2449)]
  - Add option to bind to systemd activated sockets (\[[#2362](https://togithub.com/puma/puma/issues/2362)])
  - Add compile option to change the `QUERY_STRING` max length (\[[#2485](https://togithub.com/puma/puma/issues/2485)])
- Bugfixes
  - Fix JRuby handling in Puma::DSL#ssl_bind (\[[#2489](https://togithub.com/puma/puma/issues/2489)])
  - control_cli.rb - all normal output should be to [@stdout](https://togithub.com/stdout) (\[[#2487](https://togithub.com/puma/puma/issues/2487)])
  - Catch 'Error in reactor loop escaped: mode not supported for this object: r' (\[[#2477](https://togithub.com/puma/puma/issues/2477)])
  - Ignore Rails' reaper thread (and any thread marked forksafe) for warning (\[[#2475](https://togithub.com/puma/puma/issues/2475)])
  - Ignore illegal (by Rack spec) response header (\[[#2439](https://togithub.com/puma/puma/issues/2439)])
  - Close idle connections immediately on shutdown (\[[#2460](https://togithub.com/puma/puma/issues/2460)])
  - Fix some instances of phased restart errors related to the `json` gem (\[[#2473](https://togithub.com/puma/puma/issues/2473)])
  - Remove use of `json` gem to fix phased restart errors (\[[#2479](https://togithub.com/puma/puma/issues/2479)])
  - Fix grouping regexp of ILLEGAL_HEADER_KEY_REGEX (\[[#2495](https://togithub.com/puma/puma/issues/2495)])

### [`v5.0.4`](https://togithub.com/puma/puma/blob/HEAD/History.md#504--2020-10-27)

[Compare Source](https://togithub.com/puma/puma/compare/v5.0.3...v5.0.4)

- Bugfixes
  - Pass preloaded application into new workers if available when using `preload_app` (\[[#2461](https://togithub.com/puma/puma/issues/2461)], \[[#2454](https://togithub.com/puma/puma/issues/2454)])

### [`v5.0.3`](https://togithub.com/puma/puma/blob/HEAD/History.md#503--2020-10-26)

[Compare Source](https://togithub.com/puma/puma/compare/v5.0.2...v5.0.3)

- Bugfixes
  - Add Client#io_ok?, check before Reactor#register (\[[#2432](https://togithub.com/puma/puma/issues/2432)])
  - Fix hang on shutdown in refork (\[[#2442](https://togithub.com/puma/puma/issues/2442)])
  - Fix `Bundler::GemNotFound` errors for `nio4r` gem during phased restarts (\[[#2427](https://togithub.com/puma/puma/issues/2427)], \[[#2018](https://togithub.com/puma/puma/issues/2018)])
  - Server run thread safety fix (\[[#2435](https://togithub.com/puma/puma/issues/2435)])
  - Fire `on_booted` after server starts (\[[#2431](https://togithub.com/puma/puma/issues/2431)], \[[#2212](https://togithub.com/puma/puma/issues/2212)])
  - Cleanup daemonization in rc.d script (\[[#2409](https://togithub.com/puma/puma/issues/2409)])
- Refactor
  - Remove accept_nonblock.rb, add test_integration_ssl.rb (\[[#2448](https://togithub.com/puma/puma/issues/2448)])
  - Refactor status.rb - dry it up a bit (\[[#2450](https://togithub.com/puma/puma/issues/2450)])
  - Extract req/resp methods to new request.rb from server.rb (\[[#2419](https://togithub.com/puma/puma/issues/2419)])
  - Refactor Reactor and Client request buffering (\[[#2279](https://togithub.com/puma/puma/issues/2279)])
  - client.rb - remove JRuby specific 'finish' code (\[[#2412](https://togithub.com/puma/puma/issues/2412)])
  - Consolidate fast_write calls in Server, extract early_hints assembly (\[[#2405](https://togithub.com/puma/puma/issues/2405)])
  - Remove upstart from docs (\[[#2408](https://togithub.com/puma/puma/issues/2408)])
  - Extract worker process into separate class (\[[#2374](https://togithub.com/puma/puma/issues/2374)])
  - Consolidate option handling in Server, Server small refactors, doc changes (\[[#2389](https://togithub.com/puma/puma/issues/2389)])

### [`v5.0.2`](https://togithub.com/puma/puma/blob/HEAD/History.md#502--2020-09-28)

[Compare Source](https://togithub.com/puma/puma/compare/v5.0.1...v5.0.2)

- Bugfixes
  - Reverted API changes to Server.

### [`v5.0.1`](https://togithub.com/puma/puma/blob/HEAD/History.md#501--2020-09-28)

[Compare Source](https://togithub.com/puma/puma/compare/v5.0.0...v5.0.1)

- Bugfixes
  - Fix LoadError in CentOS 8 (\[[#2381](https://togithub.com/puma/puma/issues/2381)])
  - Better error handling during force shutdown (\[[#2271](https://togithub.com/puma/puma/issues/2271)])
  - Prevent connections from entering Reactor after shutdown begins (\[[#2377](https://togithub.com/puma/puma/issues/2377)])
  - Fix error backtrace debug logging && Do not log request dump if it is not parsed (\[[#2376](https://togithub.com/puma/puma/issues/2376)])
  - Split TCP_CORK and TCP_INFO (\[[#2372](https://togithub.com/puma/puma/issues/2372)])
  - Do not log EOFError when a client connection is closed without write (\[[#2384](https://togithub.com/puma/puma/issues/2384)])
- Refactor
  - Change Events#ssl_error signature from (error, peeraddr, peercert) to (error, ssl_socket) (\[[#2375](https://togithub.com/puma/puma/issues/2375)])
  - Consolidate option handling in Server, Server small refactors, doc chang (\[[#2373](https://togithub.com/puma/puma/issues/2373)])

### [`v5.0.0`](https://togithub.com/puma/puma/blob/HEAD/History.md#500--2020-09-17)

[Compare Source](https://togithub.com/puma/puma/compare/v4.3.12...v5.0.0)

- Features
  - Allow compiling without OpenSSL and dynamically load files needed for SSL, add 'no ssl' CI (\[[#2305](https://togithub.com/puma/puma/issues/2305)])
  - EXPERIMENTAL: Add `fork_worker` option and `refork` command for reduced memory usage by forking from a worker process instead of the master process. (\[[#2099](https://togithub.com/puma/puma/issues/2099)])
  - EXPERIMENTAL: Added `wait_for_less_busy_worker` config. This may reduce latency on MRI through inserting a small delay before re-listening on the socket if worker is busy (\[[#2079](https://togithub.com/puma/puma/issues/2079)]).
  - EXPERIMENTAL: Added `nakayoshi_fork` option. Reduce memory usage in preloaded cluster-mode apps by GCing before fork and compacting, where available. (\[[#2093](https://togithub.com/puma/puma/issues/2093)], \[[#2256](https://togithub.com/puma/puma/issues/2256)])
  - Added pumactl `thread-backtraces` command to print thread backtraces (\[[#2054](https://togithub.com/puma/puma/issues/2054)])
  - Added incrementing `requests_count` to `Puma.stats`. (\[[#2106](https://togithub.com/puma/puma/issues/2106)])
  - Increased maximum URI path length from 2048 to 8192 bytes (\[[#2167](https://togithub.com/puma/puma/issues/2167)], \[[#2344](https://togithub.com/puma/puma/issues/2344)])
  - `lowlevel_error_handler` is now called during a forced threadpool shutdown, and if a callable with 3 arguments is set, we now also pass the status code (\[[#2203](https://togithub.com/puma/puma/issues/2203)])
  - Faster phased restart and worker timeout (\[[#2220](https://togithub.com/puma/puma/issues/2220)])
  - Added `state_permission` to config DSL to set state file permissions (\[[#2238](https://togithub.com/puma/puma/issues/2238)])
  - Added `Puma.stats_hash`, which returns a stats in Hash instead of a JSON string (\[[#2086](https://togithub.com/puma/puma/issues/2086)], \[[#2253](https://togithub.com/puma/puma/issues/2253)])
  - `rack.multithread` and `rack.multiprocess` now dynamically resolved by `max_thread` and `workers` respectively (\[[#2288](https://togithub.com/puma/puma/issues/2288)])
- Deprecations, Removals and Breaking API Changes
  - `--control` has been removed. Use `--control-url` (\[[#1487](https://togithub.com/puma/puma/issues/1487)])
  - `worker_directory` has been removed. Use `directory`.
  - min_threads now set by environment variables PUMA_MIN_THREADS and MIN_THREADS. (\[[#2143](https://togithub.com/puma/puma/issues/2143)])
  - max_threads now set by environment variables PUMA_MAX_THREADS and MAX_THREADS. (\[[#2143](https://togithub.com/puma/puma/issues/2143)])
  - max_threads default to 5 in MRI or 16 for all other interpreters. (\[[#2143](https://togithub.com/puma/puma/issues/2143)])
  - `preload_app!` is on by default if number of workers > 1 and set via `WEB_CONCURRENCY` (\[[#2143](https://togithub.com/puma/puma/issues/2143)])
  - Puma::Plugin.workers_supported? has been removed. Use Puma.forkable? instead. (\[[#2143](https://togithub.com/puma/puma/issues/2143)])
  - `tcp_mode` has been removed without replacement. (\[[#2169](https://togithub.com/puma/puma/issues/2169)])
  - Daemonization has been removed without replacement. (\[[#2170](https://togithub.com/puma/puma/issues/2170)])
  - Changed #connected_port to #connected_ports (\[[#2076](https://togithub.com/puma/puma/issues/2076)])
  - Configuration: `environment` is read from `RAILS_ENV`, if `RACK_ENV` can't be found (\[[#2022](https://togithub.com/puma/puma/issues/2022)])
  - Log binding on http:// for TCP bindings to make it clickable (\[[#2300](https://togithub.com/puma/puma/issues/2300)])
- Bugfixes
  - Fix JSON loading issues on phased-restarts (\[[#2269](https://togithub.com/puma/puma/issues/2269)])
  - Improve shutdown reliability (\[[#2312](https://togithub.com/puma/puma/issues/2312)], \[[#2338](https://togithub.com/puma/puma/issues/2338)])
  - Close client http connections made to an ssl server with TLSv1.3 (\[[#2116](https://togithub.com/puma/puma/issues/2116)])
  - Do not set user_config to quiet by default to allow for file config (\[[#2074](https://togithub.com/puma/puma/issues/2074)])
  - Always close SSL connection in Puma::ControlCLI (\[[#2211](https://togithub.com/puma/puma/issues/2211)])
  - Windows update extconf.rb for use with ssp and varied Ruby/MSYS2 combinations (\[[#2069](https://togithub.com/puma/puma/issues/2069)])
  - Ensure control server Unix socket is closed on shutdown (\[[#2112](https://togithub.com/puma/puma/issues/2112)])
  - Preserve `BUNDLE_GEMFILE` env var when using `prune_bundler` (\[[#1893](https://togithub.com/puma/puma/issues/1893)])
  - Send 408 request timeout even when queue requests is disabled (\[[#2119](https://togithub.com/puma/puma/issues/2119)])
  - Rescue IO::WaitReadable instead of EAGAIN for blocking read (\[[#2121](https://togithub.com/puma/puma/issues/2121)])
  - Ensure `BUNDLE_GEMFILE` is unspecified in workers if unspecified in master when using `prune_bundler` (\[[#2154](https://togithub.com/puma/puma/issues/2154)])
  - Rescue and log exceptions in hooks defined by users (on_worker_boot, after_worker_fork etc) (\[[#1551](https://togithub.com/puma/puma/issues/1551)])
  - Read directly from the socket in #read_and_drop to avoid raising further SSL errors (\[[#2198](https://togithub.com/puma/puma/issues/2198)])
  - Set `Connection: closed` header when queue requests is disabled (\[[#2216](https://togithub.com/puma/puma/issues/2216)])
  - Pass queued requests to thread pool on server shutdown (\[[#2122](https://togithub.com/puma/puma/issues/2122)])
  - Fixed a few minor concurrency bugs in ThreadPool that may have affected non-GVL Rubies (\[[#2220](https://togithub.com/puma/puma/issues/2220)])
  - Fix `out_of_band` hook never executed if the number of worker threads is > 1 (\[[#2177](https://togithub.com/puma/puma/issues/2177)])
  - Fix ThreadPool#shutdown timeout accuracy (\[[#2221](https://togithub.com/puma/puma/issues/2221)])
  - Fix `UserFileDefaultOptions#fetch` to properly use `default` (\[[#2233](https://togithub.com/puma/puma/issues/2233)])
  - Improvements to `out_of_band` hook (\[[#2234](https://togithub.com/puma/puma/issues/2234)])
  - Prefer the rackup file specified by the CLI (\[[#2225](https://togithub.com/puma/puma/issues/2225)])
  - Fix for spawning subprocesses with fork_worker option (\[[#2267](https://togithub.com/puma/puma/issues/2267)])
  - Set `CONTENT_LENGTH` for chunked requests (\[[#2287](https://togithub.com/puma/puma/issues/2287)])
  - JRuby - Add Puma::MiniSSL::Engine#init? and #teardown methods, run all SSL tests (\[[#2317](https://togithub.com/puma/puma/issues/2317)])
  - Improve shutdown reliability (\[[#2312](https://togithub.com/puma/puma/issues/2312)])
  - Resolve issue with threadpool waiting counter decrement when thread is killed
  - Constrain rake-compiler version to 0.9.4 to fix `ClassNotFound` exception when using MiniSSL with Java8.
  - Fix recursive `prune_bundler` (\[[#2319](https://togithub.com/puma/puma/issues/2319)]).
  - Ensure that TCP_CORK is usable
  - Fix corner case when request body is chunked (\[[#2326](https://togithub.com/puma/puma/issues/2326)])
  - Fix filehandle leak in MiniSSL (\[[#2299](https://togithub.com/puma/puma/issues/2299)])
- Refactor
  - Remove unused loader argument from Plugin initializer (\[[#2095](https://togithub.com/puma/puma/issues/2095)])
  - Simplify `Configuration.random_token` and remove insecure fallback (\[[#2102](https://togithub.com/puma/puma/issues/2102)])
  - Simplify `Runner#start_control` URL parsing (\[[#2111](https://togithub.com/puma/puma/issues/2111)])
  - Removed the IOBuffer extension and replaced with Ruby (\[[#1980](https://togithub.com/puma/puma/issues/1980)])
  - Update `Rack::Handler::Puma.run` to use `**options` (\[[#2189](https://togithub.com/puma/puma/issues/2189)])
  - ThreadPool concurrency refactoring (\[[#2220](https://togithub.com/puma/puma/issues/2220)])
  - JSON parse cluster worker stats instead of regex (\[[#2124](https://togithub.com/puma/puma/issues/2124)])
  - Support parallel tests in verbose progress reporting (\[[#2223](https://togithub.com/puma/puma/issues/2223)])
  - Refactor error handling in server accept loop (\[[#2239](https://togithub.com/puma/puma/issues/2239)])

### [`v4.3.12`](https://togithub.com/puma/puma/blob/HEAD/History.md#4312--2022-03-30)

[Compare Source](https://togithub.com/puma/puma/compare/v4.3.11...v4.3.12)

- Security
  - Close several HTTP Request Smuggling exploits (CVE-2022-24790)

### [`v4.3.11`](https://togithub.com/puma/puma/blob/HEAD/History.md#4311--2022-02-11)

[Compare Source](https://togithub.com/puma/puma/compare/v4.3.10...v4.3.11)

- Security
  - Always close the response body (GHSA-rmj8-8hhh-gv5h)

### [`v4.3.10`](https://togithub.com/puma/puma/blob/HEAD/History.md#4310--2021-10-12)

[Compare Source](https://togithub.com/puma/puma/compare/v4.3.9...v4.3.10)

- Bugfixes
  - Allow UTF-8 in HTTP header values

### [`v4.3.9`](https://togithub.com/puma/puma/blob/HEAD/History.md#439--2021-10-12)

[Compare Source](https://togithub.com/puma/puma/compare/v4.3.8...v4.3.9)

- Security
  - Do not allow LF as a line ending in a header (CVE-2021-41136)

### [`v4.3.8`](https://togithub.com/puma/puma/blob/HEAD/History.md#438--2021-05-11)

[Compare Source](https://togithub.com/puma/puma/compare/v4.3.7...v4.3.8)

- Security
  - Close keepalive connections after the maximum number of fast inlined requests (CVE-2021-29509) (\[[#2625](https://togithub.com/puma/puma/issues/2625)])

### [`v4.3.7`](https://togithub.com/puma/puma/blob/HEAD/History.md#437--2020-11-30)

[Compare Source](https://togithub.com/puma/puma/compare/v4.3.6...v4.3.7)

- Bugfixes
  - Backport set CONTENT_LENGTH for chunked requests (Originally: \[[#2287](https://togithub.com/puma/puma/issues/2287)], backport: \[[#2496](https://togithub.com/puma/puma/issues/2496)])

### [`v4.3.6`](https://togithub.com/puma/puma/blob/HEAD/History.md#436--2020-09-05)

[Compare Source](https://togithub.com/puma/puma/compare/v4.3.5...v4.3.6)

- Bugfixes
  - Explicitly include ctype.h to fix compilation warning and build error on macOS with Xcode 12 (\[[#2304](https://togithub.com/puma/puma/issues/2304)])
  - Don't require json at boot (\[[#2269](https://togithub.com/puma/puma/issues/2269)])

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] commented 1 year ago

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: Gemfile.lock
[01:30:20.951] INFO (9): Installing tool ruby v2.7.1...
installing v2 tool ruby v2.7.1
linking tool ruby v2.7.1
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
gem 3.1.2
[01:30:22.912] INFO (9): Installed tool ruby in 1.9s.
[01:30:23.011] INFO (103): Installing tool bundler v2.1.4...
installing v2 tool bundler v2.1.4
Successfully installed bundler-2.1.4
1 gem installed
linking tool bundler v2.1.4
Bundler version 2.1.4
[01:30:34.456] INFO (103): Installed tool bundler in 11.4s.
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
Fetching gem metadata from https://rubygems.org/.........
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...

/usr/local/bin/docker: line 4: .: filename argument required
.: usage: . filename [arguments]
Your bundle is locked to mimemagic (0.3.5), but that version could not be found
in any of the sources listed in your Gemfile. If you haven't changed sources,
that means the author of mimemagic (0.3.5) has removed it. You'll need to update
your bundle to a version other than mimemagic (0.3.5) that hasn't been removed
in order to install.