Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency puma to v5.6.4 [SECURITY] #2327

Merged
merged 1 commit into from
Apr 1, 2022
Merged

Update dependency puma to v5.6.4 [SECURITY] #2327

merged 1 commit into from
Apr 1, 2022

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 30, 2022
edited
Loading

WhiteSource Renovate

This PR contains the following updates:

Package Update Change
puma patch 5.6.2 -> 5.6.4

GitHub Vulnerability Alerts

CVE-2022-24790

Impact

When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory:

  • Lenient parsing of Transfer-Encoding headers, when unsupported encodings should be rejected and the final encoding must be chunked.
  • Lenient parsing of malformed Content-Length headers and chunk sizes, when only digits and hex digits should be allowed.
  • Lenient parsing of duplicate Content-Length headers, when they should be rejected.
  • Lenient parsing of the ending of chunked segments, when they should end with \r\n.

Patches

The vulnerability has been fixed in 5.6.4 and 4.3.12.

Workarounds

When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have "good" behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.

  • Nginx (latest)
  • Apache (latest)
  • Haproxy 2.5+
  • Caddy (latest)
  • Traefik (latest)

References

HTTP Request Smuggling

For more information

If you have any questions or comments about this advisory:

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 30, 2022
@viezly
Copy link

viezly bot commented Mar 30, 2022

Pull request by bot. No need to analyze

@renovate renovate bot force-pushed the renovate/rubygems-puma-vulnerability branch from 6504e67 to 08e8594 Compare March 31, 2022 14:32
@renovate renovate bot force-pushed the renovate/rubygems-puma-vulnerability branch from 08e8594 to 2f34781 Compare April 1, 2022 04:31
@renovate renovate bot merged commit a55797e into master Apr 1, 2022
@renovate renovate bot deleted the renovate/rubygems-puma-vulnerability branch April 1, 2022 17:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@renovate-bot