🚨 [security] Update puma 6.3.0 → 6.4.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ puma (6.3.0 → 6.4.0) · Repo · Changelog

Security Advisories 🚨

🚨 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory:

• Incorrect parsing of trailing fields in chunked transfer encoding bodies
• Parsing of blank/zero-length Content-Length headers\r\n

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

🚨 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory:

• Incorrect parsing of trailing fields in chunked transfer encoding bodies
• Parsing of blank/zero-length Content-Length headers\r\n

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

Release Notes

6.4.0

America is #1 in professional cycling, baby!

• Features

  • on_thread_exit hook ([#2920])
  • on_thread_start_hook ([#3195])
  • Shutdown on idle ([#3209], [#2580])
  • New error message when control server port taken ([#3204])

• Refactor

  • Remove Forwardable dependency ([#3191], #3190)
  • Update URLMap Regexp usage for Ruby v3.3 ([#3165])

• Bugfixes

  • Bring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. ([#3174])
  • Fix using control server with IPv6 host ([#3181])
  • control_cli.rb - add require_relative 'log_writer' ([#3187])
  • Fix cases where fallback Rack response wasn't sent to the client ([#3094])

6.3.1

• Security
  • Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

• 6.4.0 [ci skip] (#3224)
• [ci skip] | Docs | Clarify `worker_timeout` minimum value (#3226)
• Use the correct name for TruffleRuby (#3223)
• Update README.md [ci skip]
• Update README.md
• Update kubernetes.md [ci skip]
• [CI] Bump actions/checkout from 3 to 4 (#3220)
• Feature | Shutdown on idle (#3209)
• Remove `Forwardable` dependency (#3191)
• Added a Meaningful error msg for control server port taken (#3204)
• 5.6.7 release note [ci skip]
• 6.3.1
• Merge pull request from GHSA-68xg-gqqm-vgj8
• Add on_thread_start_hook (#3195)
• Closes #2341 - Make sure fallback Rack response are sent to the client (#3094)
• Add on_thread_exit hook (#2920)
• README.md - clarify use of localhost gem
• control_cli.rb - add `require_relative 'log_writer'` (#3187)
• Remove duplicated entry in history file (#3185)
• Fix using control server with IPv6 host (#3181)
• Correct change log entry for 5.6.6 (#3183)
• 5.6.6 release note (#3182)
• 5.6.6 release note
• Align `cert_pem:` and `cert:` ssl_bind functionality for chained certs (#3174)
• update URLMap Regexp usage for Ruby v3.3 (#3165)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codecov]

Codecov Report

Patch and project coverage have no change.

Comparison is base (447eebe) 100.00% compared to head (c445f8e) 100.00%.

❗ Current head c445f8e differs from pull request most recent head a2673a7. Consider uploading reports for the commit a2673a7 to get more accurate results

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #276   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           45        45           
  Lines          616       616           
=========================================
  Hits           616       616           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.