Hello community,

here is the log from the commit of package rubygem-puma for openSUSE:Factory checked in at 2019-12-14 12:21:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-puma (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-puma.new.4691 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-puma"

Sat Dec 14 12:21:40 2019 rev:35 rq:756941 version:4.3.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-puma/rubygem-puma.changes        
2019-11-13 13:26:09.827562435 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-puma.new.4691/rubygem-puma.changes      
2019-12-14 12:23:56.775194187 +0100
@@ -1,0 +2,9 @@
+Sat Dec 14 00:29:15 UTC 2019 - Manuel Schnitzer <mschnit...@suse.com>
+
+- updated to version 4.3.1
+
+  * Fix: a poorly-behaved client could use keepalive requests
+    to monopolize Puma's reactor and create a denial of service
+    attack (CVE-2019-16770)
+
+-------------------------------------------------------------------

Old:
----
  puma-4.3.0.gem

New:
----
  puma-4.3.1.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-puma.spec ++++++
--- /var/tmp/diff_new_pack.gZ1Gvp/_old  2019-12-14 12:23:57.631194058 +0100
+++ /var/tmp/diff_new_pack.gZ1Gvp/_new  2019-12-14 12:23:57.635194057 +0100
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-puma
-Version:        4.3.0
+Version:        4.3.1
 Release:        0
 %define mod_name puma
 %define mod_full_name %{mod_name}-%{version}

++++++ puma-4.3.0.gem -> puma-4.3.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/History.md new/History.md
--- old/History.md      2019-11-07 21:50:54.000000000 +0100
+++ new/History.md      2019-12-05 08:36:00.000000000 +0100
@@ -6,6 +6,11 @@
 * Bugfixes
   * Your bugfix goes here (#Github Number)
 
+## 4.3.1 and 3.12.2 / 2019-12-05
+
+* Security
+  * Fix: a poorly-behaved client could use keepalive requests to monopolize 
Puma's reactor and create a denial of service attack. CVE-2019-16770.
+
 ## 4.3.0 / 2019-11-07
 
 * Features
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/puma/const.rb new/lib/puma/const.rb
--- old/lib/puma/const.rb       2019-11-07 21:50:54.000000000 +0100
+++ new/lib/puma/const.rb       2019-12-05 08:36:00.000000000 +0100
@@ -100,7 +100,7 @@
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "4.3.0".freeze
+    PUMA_VERSION = VERSION = "4.3.1".freeze
     CODE_NAME = "Mysterious Traveller".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
@@ -118,6 +118,13 @@
     # sending data back
     WRITE_TIMEOUT = 10
 
+    # How many requests to attempt inline before sending a client back to
+    # the reactor to be subject to normal ordering. The idea here is that
+    # we amortize the cost of going back to the reactor for a well behaved
+    # but very "greedy" client across 10 requests. This prevents a not
+    # well behaved client from monopolizing the thread forever.
+    MAX_FAST_INLINE = 10
+
     # The original URI requested by the client.
     REQUEST_URI= 'REQUEST_URI'.freeze
     REQUEST_PATH = 'REQUEST_PATH'.freeze
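Review bot: the comment above MAX_FAST_INLINE hard-codes the value ("across 10 requests") that the constant on the next line defines, so the two will drift apart if the limit is ever tuned; say "across MAX_FAST_INLINE requests" instead so the comment stays correct, and consider adding a sentence that this constant is the bound that keeps a keepalive client from holding a thread indefinitely, since that is the security property this release note (CVE-2019-16770) relies on.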
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/puma/server.rb new/lib/puma/server.rb
--- old/lib/puma/server.rb      2019-11-07 21:50:54.000000000 +0100
+++ new/lib/puma/server.rb      2019-12-05 08:36:00.000000000 +0100
@@ -466,6 +466,8 @@
         clean_thread_locals = @options[:clean_thread_locals]
         close_socket = true
 
+        requests = 0
+
         while true
           case handle_request(client, buffer)
           when false
@@ -479,7 +481,19 @@
 
             ThreadPool.clean_thread_locals if clean_thread_locals
 
-            unless client.reset(@status == :run)
+            requests += 1
+
+            check_for_more_data = @status == :run
+
+            if requests >= MAX_FAST_INLINE
+              # This will mean that reset will only try to use the data it 
already
+              # has buffered and won't try to read more data. What this means 
is that
+              # every client, independent of their request speed, gets treated 
like a slow
+              # one once every MAX_FAST_INLINE requests.
+              check_for_more_data = false
+            end
+
+            unless client.reset(check_for_more_data)
               close_socket = false
               client.set_timeout @persistent_timeout
               @reactor.add client
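Review bot: `requests` is incremented on every iteration but never reset once it reaches MAX_FAST_INLINE, so from that point on every further pass through this `while true` loop calls `client.reset(false)`, which is stronger than the new comment's "once every MAX_FAST_INLINE requests"; the wording holds only when `reset` has no buffered data left and the client is handed back to `@reactor`. Either add `requests = 0` inside the `if requests >= MAX_FAST_INLINE` branch, or reword the comment to say that after the threshold the client is served only from already-buffered data until it is returned to the reactor. Also note that `check_for_more_data = @status == :run` preserves the old `client.reset(@status == :run)` semantics, so the only behavioural change is the forced `false`; that is worth stating in the changelog entry, which currently describes the symptom but not the mechanism.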
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2019-11-07 21:50:54.000000000 +0100
+++ new/metadata        2019-12-05 08:36:00.000000000 +0100
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 4.3.0
+  version: 4.3.1
 platform: ruby
 authors:
 - Evan Phoenix
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-07 00:00:00.000000000 Z
+date: 2019-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nio4r

