Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency puma to v5.6.7 [SECURITY] #2605

Merged
merged 1 commit into from
Aug 19, 2023
Merged

Update dependency puma to v5.6.7 [SECURITY] #2605

merged 1 commit into from
Aug 19, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 19, 2023

Mend Renovate

This PR contains the following updates:

Package Update Change
puma (source, changelog) patch 5.6.4 -> 5.6.7

GitHub Vulnerability Alerts

CVE-2023-40175

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory:

  • Incorrect parsing of trailing fields in chunked transfer encoding bodies
  • Parsing of blank/zero-length Content-Length headers

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

For more information

If you have any questions or comments about this advisory:

Open an issue in Puma
See our security policy

Release Notes

puma/puma (puma)

v5.6.7

Compare Source

  • Security
    • Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

v5.6.6

Compare Source

  • Bugfix
    • Prevent loading with rack 3 ([#​3166])

v5.6.5

Compare Source

  • Feature

    • Puma::ControlCLI - allow refork command to be sent as a request ([#​2868], [#​2866])

  • Bugfixes

    • NullIO#closed should return false ([#​2883])
    • [jruby] Fix TLS verification hang ([#​2890], [#​2729])
    • extconf.rb - don't use pkg_config('openssl') if '--with-openssl-dir' is used ([#​2885], [#​2839])
    • MiniSSL - detect SSL_CTX_set_dh_auto ([#​2864], [#​2863])
    • Fix rack.after_reply exceptions breaking connections ([#​2861], [#​2856])
    • Escape SSL cert and filenames ([#​2855])
    • Fail hard if SSL certs or keys are invalid ([#​2848])
    • Fail hard if SSL certs or keys cannot be read by user ([#​2847])
    • Fix build with Opaque DH in LibreSSL 3.5. ([#​2838])
    • Pre-existing socket file removed when TERM is issued after USR2 (if puma is running in cluster mode) ([#​2817])
    • Fix Puma::StateFile#load incompatibility ([#​2810])

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@viezly
Copy link

viezly bot commented Aug 19, 2023

Pull request by bot. No need to analyze

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Aug 19, 2023
@renovate renovate bot merged commit e2d0e60 into master Aug 19, 2023
5 checks passed
@renovate renovate bot deleted the renovate/rubygems-puma-vulnerability branch August 19, 2023 04:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants