Hello community, here is the log from the commit of package rubygem-puma for openSUSE:Factory checked in at 2019-12-14 12:21:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-puma (Old) and /work/SRC/openSUSE:Factory/.rubygem-puma.new.4691 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-puma" Sat Dec 14 12:21:40 2019 rev:35 rq:756941 version:4.3.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-puma/rubygem-puma.changes 2019-11-13 13:26:09.827562435 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-puma.new.4691/rubygem-puma.changes 2019-12-14 12:23:56.775194187 +0100 @@ -1,0 +2,9 @@ +Sat Dec 14 00:29:15 UTC 2019 - Manuel Schnitzer <mschnit...@suse.com> + +- updated to version 4.3.1 + + * Fix: a poorly-behaved client could use keepalive requests + to monopolize Puma's reactor and create a denial of service + attack (CVE-2019-16770) + +------------------------------------------------------------------- Old: ---- puma-4.3.0.gem New: ---- puma-4.3.1.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-puma.spec ++++++ --- /var/tmp/diff_new_pack.gZ1Gvp/_old 2019-12-14 12:23:57.631194058 +0100 +++ /var/tmp/diff_new_pack.gZ1Gvp/_new 2019-12-14 12:23:57.635194057 +0100 @@ -24,7 +24,7 @@ # Name: rubygem-puma -Version: 4.3.0 +Version: 4.3.1 Release: 0 %define mod_name puma %define mod_full_name %{mod_name}-%{version} ++++++ puma-4.3.0.gem -> puma-4.3.1.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/History.md new/History.md --- old/History.md 2019-11-07 21:50:54.000000000 +0100 +++ new/History.md 2019-12-05 08:36:00.000000000 +0100 
@@ -6,6 +6,11 @@ * Bugfixes * Your bugfix goes here (#Github Number) +## 4.3.1 and 3.12.2 / 2019-12-05 + +* Security + * Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770. + ## 4.3.0 / 2019-11-07 * Features Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/const.rb new/lib/puma/const.rb --- old/lib/puma/const.rb 2019-11-07 21:50:54.000000000 +0100 +++ new/lib/puma/const.rb 2019-12-05 08:36:00.000000000 +0100 @@ -100,7 +100,7 @@ # too taxing on performance. module Const - PUMA_VERSION = VERSION = "4.3.0".freeze + PUMA_VERSION = VERSION = "4.3.1".freeze CODE_NAME = "Mysterious Traveller".freeze PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze @@ -118,6 +118,13 @@ # sending data back WRITE_TIMEOUT = 10 + # How many requests to attempt inline before sending a client back to + # the reactor to be subject to normal ordering. The idea here is that + # we amortize the cost of going back to the reactor for a well behaved + # but very "greedy" client across 10 requests. This prevents a not + # well behaved client from monopolizing the thread forever. + MAX_FAST_INLINE = 10 + # The original URI requested by the client. REQUEST_URI= 'REQUEST_URI'.freeze REQUEST_PATH = 'REQUEST_PATH'.freeze diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/puma/server.rb new/lib/puma/server.rb --- old/lib/puma/server.rb 2019-11-07 21:50:54.000000000 +0100 +++ new/lib/puma/server.rb 2019-12-05 08:36:00.000000000 +0100 @@ -466,6 +466,8 @@ clean_thread_locals = @options[:clean_thread_locals] close_socket = true + requests = 0 + while true case handle_request(client, buffer) when false 
@@ -479,7 +481,19 @@ ThreadPool.clean_thread_locals if clean_thread_locals - unless client.reset(@status == :run) + requests += 1 + + check_for_more_data = @status == :run + + if requests >= MAX_FAST_INLINE + # This will mean that reset will only try to use the data it already + # has buffered and won't try to read more data. What this means is that + # every client, independent of their request speed, gets treated like a slow + # one once every MAX_FAST_INLINE requests. + check_for_more_data = false + end + + unless client.reset(check_for_more_data) close_socket = false client.set_timeout @persistent_timeout @reactor.add client diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2019-11-07 21:50:54.000000000 +0100 +++ new/metadata 2019-12-05 08:36:00.000000000 +0100 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: puma version: !ruby/object:Gem::Version - version: 4.3.0 + version: 4.3.1 platform: ruby authors: - Evan Phoenix autorequire: bindir: bin cert_chain: [] -date: 2019-11-07 00:00:00.000000000 Z +date: 2019-12-05 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: nio4r
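Review bot: in the History.md hunk the new Security entry cites only the CVE, while the template line just above it ("* Your bugfix goes here (#Github Number)") expects a GitHub reference; add the upstream PR or advisory number so a reader can find the code change that backs the entry.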
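Review bot: in the const.rb hunk the comment for `MAX_FAST_INLINE` repeats the literal value ("across 10 requests"), so it goes stale the moment the constant is retuned; say "across MAX_FAST_INLINE requests" instead. Since this constant is the whole mitigation for the keepalive monopolization issue, also note in the comment (or in the changelog) that it is not runtime-configurable, so operators know the only knob is the gem version.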
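Review bot: the server.rb hunk relies on an undocumented contract: once `requests >= MAX_FAST_INLINE`, `client.reset(false)` must return false when no further request is already buffered, so that the `unless` branch runs and the client is handed back via `@reactor.add client`; if `reset(false)` returns true for a request that is already in the buffer, the client keeps going inline with `check_for_more_data` permanently false, because `requests` is never reset. State that return contract in the comment block, and add a test (none of the files in this diff touch the test suite) that a client pipelining more than MAX_FAST_INLINE keepalive requests is returned to the reactor rather than served inline indefinitely.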