🚨 [security] Update puma 6.4.2 → 6.5.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ puma (6.4.2 → 6.5.0) · Repo · Changelog

Security Advisories 🚨

🚨 Puma's header normalization allows for client to clobber proxy set headers

Impact

Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.

Patches

v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.

Workarounds

Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level.

Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.

Release Notes

6.5.0

They say good things come to wait, and you've all had to wait a long time for 6.5.0 because @nateberkopec had another daughter: Sky!

• Features

  • Print RUBY_DESCRIPTION when Puma starts ([#3407])
  • Set the worker process count automatically when using WEB_CONCURRENCY=auto ([#3439], [#3437])
  • Mark as ractor-safe ([#3486], [#3422])
  • Add option enable_keep_alive. true mimics existing behavior, but now can use false to disable keepalive to reduce queue tail latency ([#3496])
  • Add parameters to Puma methods to allow CI to change ENV in isolation ([#3485])
  • Add ssl_ciphersuites option for TLSv1.3 ciphers ([#3359], [#3343])
  • You can now use --threads 5 or threads 5 to config max/min threads with a single number (used to need to say 5:5) ([#3309])
  • Option to turn off systemd plugin ([#3425], [#3424])
  • Add on_stopped hook ([#3411], [#3380])

• Bugfixes

  • Handle blank environment variables when loading config ([#3539])
  • lib/rack/handler/puma.rb - fix for rackup v1.0.1, adjust Gemfile ([#3532], [#3531])
  • null_io.rb - add external_encoding, set_encoding, binmode, binmode? ([#3214])
  • Implement NullIO#seek and #pos to mimic IO ([#3468])
  • add support in rack handler & fix regression in binder for linux abstract namespace sockets ([#3508])
  • Use actual thread local for Puma::Server.current. ([#3360])
  • client.rb - fix request chunked body handling ([#3338], [#3337])
  • Properly handle two requests seen in the initial buffer ([#3332])
  • Fix response repeated status line when request is invalid or errors are raised ([#3308], [#3307])
  • Fix child processes not being reaped when Process.detach used ([#3314], [#3313])

• JRuby

  • Make HTTP length constants configurable ([#3518])
  • Fixup jruby_restart.rb & launcher.rb to work with ARM64 macOS JRuby ([#3467])

• Performance

  • Avoid checking if all workers reached timeout unless idle timeout is configured ([#3341])
  • Request body - increase read size to 64 kB ([#3548])
  • single mode skip wait_for_less_busy_worker ([#3325])

• Refactor

  • A ton of CI/test improvements by @MSP-Greg, as usual.
  • Add ThreadPool#stats and adjust Server#stats to use it ([#3527])
  • normalize whitespace in worker stats string ([#3513])
  • rack/handler/puma.rb - ssl - use start_with?, add test ([#3510])
  • extconf.rb - add logging for OpenSSL versions ([#3370])
  • Lazily require Puma::Rack::Builder ([#3340])
  • Refactor: Constantize worker pipe request types ([#3318])

• Docs

  • stats.md improvements ([#3514])
  • control_cli.rb: Harmonize help message with bin/puma ([#3434])
  • dsl.rb: Clarify a callback's argument ([#3435])
  • lib/rack/handler/puma.rb - relocate and fixup module comment ([#3495])

6.4.3

• Security
  • Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (CVE-2024-45614/GHSA-9hf4-67fc-4vf4)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.7.3 → 2.7.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Bump patch version.
• Mark as ractor-safe (#320)
• Update CI matrix. (#321)
• JRuby supports Java 8 and higher. Need to emit Java 8 classfile format (#317)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)