[Security] Bump puma from 5.1.1 to 5.3.1

[dependabot-preview[bot]]

Bumps puma from 5.1.1 to 5.3.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Keepalive Connections Causing Denial Of Service in puma This vulnerability is related to CVE-2019-16770.

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.

A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using unsupported versions of Puma.

For more information

... (truncated)

Affected versions: >= 5.0.0, <= 5.3.0

Release notes

Sourced from puma's releases.

5.3.1

• Security
  • Close keepalive connections after the maximum number of fast inlined requests (#2625)

5.3.0 - Sweetnighter

5.3.0 / 2021-05-07

Contributor @​MSP-Greg codenamed this release "Sweetnighter".

• Features

  • Add support for Linux's abstract sockets (#2564, #2526)
  • Add debug to worker timeout and startup (#2559, #2528)
  • Print warning when running one-worker cluster (#2565, #2534)
  • Don't close systemd activated socket on pumactl restart (#2563, #2504)

• Bugfixes

  • systemd - fix event firing (#2591, #2572)
  • Immediately unlink temporary files (#2613)
  • Improve parsing of HTTP_HOST header (#2605, #2584)
  • Handle fatal error that has no backtrace (#2607, #2552)
  • Fix timing out requests too early (#2606, #2574)
  • Handle segfault in Ruby 2.6.6 on thread-locals (#2567, #2566)
  • Server#closed_socket? - parameter may be a MiniSSL::Socket (#2596)
  • Define UNPACK_TCP_STATE_FROM_TCP_INFO in the right place (#2588, #2556)
  • request.rb - fix chunked assembly for ascii incompatible encodings, add test (#2585, #2583)

• Performance

  • Reset peerip only if remote_addr_header is set (#2609)
  • Reduce puma_parser struct size (#2590)

• Refactor

  • Refactor drain on shutdown (#2600)
  • Micro optimisations in wait_for_less_busy_worker feature (#2579)
  • Lots of test fixes

5.2.2

• Bugfixes
  • Add #flush and #sync methods to Puma::NullIO (#2553)
  • Restore sync=true on STDOUT and STDERR streams (#2557)

5.2.1

2021-02-05

• Bugfixes
  • Fix TCP cork/uncork operations to work with ssl clients (#2550)
  • Require rack/common_logger explicitly if :verbose is true (#2547)
  • MiniSSL::Socket#write - use data.byteslice(wrote..-1) (#2543)
  • Set @env[CONTENT_LENGTH] value as string. (#2549)

... (truncated)

Changelog

Sourced from puma's changelog.

5.3.1 / 2021-05-11

• Security
  • Close keepalive connections after the maximum number of fast inlined requests (#2625)

5.3.0 / 2021-05-07

• Features

  • Add support for Linux's abstract sockets (#2564, #2526)
  • Add debug to worker timeout and startup (#2559, #2528)
  • Print warning when running one-worker cluster (#2565, #2534)
  • Don't close systemd activated socket on pumactl restart (#2563, #2504)

• Bugfixes

  • systemd - fix event firing (#2591, #2572)
  • Immediately unlink temporary files (#2613)
  • Improve parsing of HTTP_HOST header (#2605, #2584)
  • Handle fatal error that has no backtrace (#2607, #2552)
  • Fix timing out requests too early (#2606, #2574)
  • Handle segfault in Ruby 2.6.6 on thread-locals (#2567, #2566)
  • Server#closed_socket? - parameter may be a MiniSSL::Socket (#2596)
  • Define UNPACK_TCP_STATE_FROM_TCP_INFO in the right place (#2588, #2556)
  • request.rb - fix chunked assembly for ascii incompatible encodings, add test (#2585, #2583)

• Performance

  • Reset peerip only if remote_addr_header is set (#2609)
  • Reduce puma_parser struct size (#2590)

• Refactor

  • Refactor drain on shutdown (#2600)
  • Micro optimisations in wait_for_less_busy_worker feature (#2579)
  • Lots of test fixes

5.2.2 / 2021-02-22

• Bugfixes
  • Add #flush and #sync methods to Puma::NullIO (#2553)
  • Restore sync=true on STDOUT and STDERR streams (#2557)

5.2.1 / 2021-02-05

• Bugfixes
  • Fix TCP cork/uncork operations to work with ssl clients (#2550)
  • Require rack/common_logger explicitly if :verbose is true (#2547)
  • MiniSSL::Socket#write - use data.byteslice(wrote..-1) (#2543)
  • Set @env[CONTENT_LENGTH] value as string. (#2549)

5.2.0 / 2021-01-27

• Features

... (truncated)

Commits

• 1c91a4f 5.3.1
• 6b4a68a 4.3.8 release note
• df72887 Close keepalive connections after MAX_FAST_INLINE requests
• 6dfb8bc 5.3.0 history (#2622)
• fb71323 Ignore DS_Store
• f7a2d4e systemd - fix event firing (#2591)
• 2654f02 Bump version to 5.3.0 [ci skip] (#2616)
• cc1768e Few documentations fixes. [ci skip] [changelog skip] (#2619)
• ff17194 Refactor drain on shutdown (#2600)
• 3e80f7c fix some spell errors (#2615)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)