ruby-docs-samples icon indicating copy to clipboard operation
ruby-docs-samples copied to clipboard

Published 20 hours ago verified publisher icon GoogleCloudPlatform

chore(deps): update dependency puma to v4 [security]

Open renovate-bot opened this issue 3 years ago • 2 comments

Mend Renovate

This PR contains the following updates:

Package Update Change
puma major ~> 3.11 -> ~> 4.0
puma major ~> 3.11 -> ~> 4.3.0
puma major 3.12.0 -> 4.3.12

GitHub Vulnerability Alerts

CVE-2022-24790

When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory:

  • Lenient parsing of Transfer-Encoding headers, when unsupported encodings should be rejected and the final encoding must be chunked.
  • Lenient parsing of malformed Content-Length headers and chunk sizes, when only digits and hex digits should be allowed.
  • Lenient parsing of duplicate Content-Length headers, when they should be rejected.
  • Lenient parsing of the ending of chunked segments, when they should end with \r\n.

The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have "good" behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.

  • Nginx (latest)
  • Apache (latest)
  • Haproxy 2.5+
  • Caddy (latest)
  • Traefik (latest)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

renovate-bot avatar Mar 07 '22 12:03 renovate-bot

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: appengine/static_files/rails/Gemfile.lock
Installing v1 tool bundler v1.16.2
Successfully installed bundler-1.16.2
1 gem installed
Bundler version 1.16.2
Installed v1 bundler in 2 seconds
ruby 2.7.6p219 (2022-04-12 revision c9c2245c0a) [x86_64-linux]
Fetching gem metadata from https://rubygems.org/...........
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies.....
Your bundle is locked to mimemagic (0.3.2), but that version could not be found
in any of the sources listed in your Gemfile. If you haven't changed sources,
that means the author of mimemagic (0.3.2) has removed it. You'll need to update
your bundle to a version other than mimemagic (0.3.2) that hasn't been removed
in order to install.

forking-renovate[bot] avatar Mar 07 '22 12:03 forking-renovate[bot]

@dazuma Would you mind taking a look at this? I think it's a dependency conflict and don't know what the right thing to do is.

enocom avatar May 24 '22 21:05 enocom