packages/rubygem-puma
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:1452df9a4b76168a784dbe447979a338d4194a6e
Branches Tags
packages:main
...
compare: packages:a3e3be2abd059154d4e146f630ae6c310aa03636
Branches Tags
packages:main

10 Commits
1452df9a4b ... a3e3be2abd

Author SHA1 Message Date
openeuler-ci-bot
a3e3be2abd
!56 Fix CVE-2024-45614 
From: @wk333 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
 2024-09-27 08:15:35 +00:00
wk333
aa79653bf7 Fix CVE-2024-45614 2024-09-27 15:35:56 +08:00
openeuler-ci-bot
f205dfbfa3
!33 Fix CVE-2021-41136 and CVE-2022-23634 
From: @starlet-dx 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
 2023-12-20 03:29:40 +00:00
starlet-dx
bf902eaf97 Fix CVE-2021-41136 and CVE-2022-23634 2023-12-20 10:01:15 +08:00
openeuler-ci-bot
e958570276 !7 [sync] PR-6: fix CVE-2021-29509 
From: @openeuler-sync-bot
Reviewed-by: @maminjie,@small_leek
Signed-off-by: @small_leek
 2021-06-01 18:49:17 +08:00
wang_yue111
8b04ec28fd fix CVE-2021-29509 
(cherry picked from commit e492fec2f7f07ba1f0bf796c6e6f29dc11291c1c)
 2021-05-31 14:26:09 +08:00
openeuler-ci-bot
b2f9ab33db !4 [sync] PR-2: 升级 rubygem-puma 到 3.12.6 
From: @openeuler-sync-bot
Reviewed-by: @shinwell_hu
Signed-off-by: @shinwell_hu
 2021-03-26 09:10:03 +08:00
Shinwell Hu
6f4bb97d6e upgrade puma to 3.12.6 
(cherry picked from commit 1fea37e15b7181337f84c550805adb44e2042bf9)
 2021-03-25 17:14:49 +08:00
openeuler-ci-bot
a48776205b !1 rubygem-puma初始化 
Merge pull request !1 from Lostway/master
 2020-09-01 09:56:11 +08:00
lostway
e2f8e80b96 modify patch2 to patch0 2020-08-28 17:12:00 +08:00
9 changed files with 470 additions and 3 deletions
Show Stats Expand all files Collapse all files

45
CVE-2021-29509.patch Normal file
View File

@ -0,0 +1,45 @@
From 2e9cf0b63b8de904d6ebca9fb1474cf0f979c53b Mon Sep 17 00:00:00 2001
From: Nate Berkopec <nate.berkopec@gmail.com>
Date: Tue, 11 May 2021 07:43:32 -0600
Subject: [PATCH] Close keepalive connections after MAX_FAST_INLINE requests
---
lib/puma/server.rb | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/lib/puma/server.rb b/lib/puma/server.rb
index 5b2cd94..4ce0c74 100644
--- a/lib/puma/server.rb
+++ b/lib/puma/server.rb
@@ -487,15 +487,20 @@ module Puma
requests += 1
- check_for_more_data = @status == :run
+ # Closing keepalive sockets after they've made a reasonable
+ # number of requests allows Puma to service many connections
+ # fairly, even when the number of concurrent connections exceeds
+ # the size of the threadpool. It also allows cluster mode Pumas
+ # to keep load evenly distributed across workers, because clients
+ # are randomly assigned a new worker when opening a new connection.
+ #
+ # Previously, Puma would kick connections in this conditional back
+ # to the reactor. However, because this causes the todo set to increase
+ # in size, the wait_until_full mutex would never unlock, leaving
+ # any additional connections unserviced.
+ break if requests >= MAX_FAST_INLINE
- if requests >= MAX_FAST_INLINE
- # This will mean that reset will only try to use the data it already
- # has buffered and won't try to read more data. What this means is that
- # every client, independent of their request speed, gets treated like a slow
- # one once every MAX_FAST_INLINE requests.
- check_for_more_data = false
- end
+ check_for_more_data = @status == :run
unless client.reset(check_for_more_data)
close_socket = false
--
2.23.0

252
CVE-2021-41136.patch Normal file
View File

@ -0,0 +1,252 @@
From acdc3ae571dfae0e045cf09a295280127db65c7f Mon Sep 17 00:00:00 2001
From: Nate Berkopec <nate.berkopec@gmail.com>
Date: Tue, 12 Oct 2021 08:38:40 -0600
Subject: [PATCH] Merge pull request from GHSA-48w2-rm65-62xx
* Fix HTTP request smuggling vulnerability
See GHSA-48w2-rm65-62xx or CVE-2021-41136 for more info.
* 4.3.9 release note
* 5.5.1 release note
* 5.5.1
---
ext/puma_http11/http11_parser.c | 17 +++-
ext/puma_http11/http11_parser_common.rl | 2 +-
.../org/jruby/puma/Http11Parser.java | 92 +++++++++----------
test/test_http11.rb | 30 ++++++
4 files changed, 88 insertions(+), 53 deletions(-)
diff --git a/ext/puma_http11/http11_parser.c b/ext/puma_http11/http11_parser.c
index e8844a3..be40555 100644
--- a/ext/puma_http11/http11_parser.c
+++ b/ext/puma_http11/http11_parser.c
@@ -428,10 +428,13 @@ st18:
case 18:
#line 428 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
+ case 9: goto tr25;
case 13: goto tr26;
case 32: goto tr27;
}
- goto tr25;
+ if ( 33 <= (*p) && (*p) <= 126 )
+ goto tr25;
+ goto st0;
tr25:
#line 44 "ext/puma_http11/http11_parser.rl"
{ MARK(mark, p); }
@@ -440,10 +443,14 @@ st19:
if ( ++p == pe )
goto _test_eof19;
case 19:
-#line 442 "ext/puma_http11/http11_parser.c"
- if ( (*p) == 13 )
- goto tr29;
- goto st19;
+#line 447 "ext/puma_http11/http11_parser.c"
+ switch( (*p) ) {
+ case 9: goto st19;
+ case 13: goto tr29;
+ }
+ if ( 32 <= (*p) && (*p) <= 126 )
+ goto st19;
+ goto st0;
tr9:
#line 51 "ext/puma_http11/http11_parser.rl"
{
diff --git a/ext/puma_http11/http11_parser_common.rl b/ext/puma_http11/http11_parser_common.rl
index a4cf89d..567a786 100644
--- a/ext/puma_http11/http11_parser_common.rl
+++ b/ext/puma_http11/http11_parser_common.rl
@@ -43,7 +43,7 @@
field_name = ( token -- ":" )+ >start_field $snake_upcase_field %write_field;
- field_value = any* >start_value %write_value;
+ field_value = ( print | "\t" )* >start_value %write_value;
message_header = field_name ":" " "* field_value :> CRLF;
diff --git a/ext/puma_http11/org/jruby/puma/Http11Parser.java b/ext/puma_http11/org/jruby/puma/Http11Parser.java
index 626ee81..92dd4ed 100644
--- a/ext/puma_http11/org/jruby/puma/Http11Parser.java
+++ b/ext/puma_http11/org/jruby/puma/Http11Parser.java
@@ -32,9 +32,9 @@ private static short[] init__puma_parser_key_offsets_0()
{
return new short [] {
0, 0, 8, 17, 27, 29, 30, 31, 32, 33, 34, 36,
- 39, 41, 44, 45, 61, 62, 78, 80, 81, 89, 97, 107,
- 115, 125, 134, 142, 150, 159, 168, 177, 186, 195, 204, 213,
- 222, 231, 240, 249, 258, 267, 276, 285, 294, 303, 312, 313
+ 39, 41, 44, 45, 61, 62, 78, 83, 87, 95, 103, 113,
+ 121, 130, 138, 146, 155, 164, 173, 182, 191, 200, 209, 218,
+ 227, 236, 245, 254, 263, 272, 281, 290, 299, 308, 309
};
}
@@ -50,27 +50,26 @@ private static char[] init__puma_parser_trans_keys_0()
46, 48, 57, 48, 57, 13, 48, 57, 10, 13, 33, 124,
126, 35, 39, 42, 43, 45, 46, 48, 57, 65, 90, 94,
122, 10, 33, 58, 124, 126, 35, 39, 42, 43, 45, 46,
- 48, 57, 65, 90, 94, 122, 13, 32, 13, 32, 60, 62,
- 127, 0, 31, 34, 35, 32, 60, 62, 127, 0, 31, 34,
- 35, 43, 58, 45, 46, 48, 57, 65, 90, 97, 122, 32,
- 34, 35, 60, 62, 127, 0, 31, 32, 34, 35, 59, 60,
- 62, 63, 127, 0, 31, 32, 34, 35, 60, 62, 63, 127,
- 0, 31, 32, 34, 35, 60, 62, 127, 0, 31, 32, 34,
- 35, 60, 62, 127, 0, 31, 32, 36, 95, 45, 46, 48,
- 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90,
- 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95,
- 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48,
- 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90,
- 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95,
- 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48,
- 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90,
- 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95,
- 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48,
- 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90,
- 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95,
- 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48,
- 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90,
- 32, 0
+ 48, 57, 65, 90, 94, 122, 9, 13, 32, 33, 126, 9,
+ 13, 32, 126, 32, 60, 62, 127, 0, 31, 34, 35, 32,
+ 60, 62, 127, 0, 31, 34, 35, 43, 58, 45, 46, 48,
+ 57, 65, 90, 97, 122, 32, 34, 35, 60, 62, 127, 0,
+ 31, 32, 34, 35, 60, 62, 63, 127, 0, 31, 32, 34,
+ 35, 60, 62, 127, 0, 31, 32, 34, 35, 60, 62, 127,
+ 0, 31, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32,
+ 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45,
+ 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57,
+ 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32,
+ 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45,
+ 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57,
+ 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32,
+ 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45,
+ 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57,
+ 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32,
+ 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45,
+ 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57,
+ 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32,
+ 36, 95, 45, 46, 48, 57, 65, 90, 32, 0
};
}
@@ -81,7 +80,7 @@ private static byte[] init__puma_parser_single_lengths_0()
{
return new byte [] {
0, 2, 3, 4, 2, 1, 1, 1, 1, 1, 0, 1,
- 0, 1, 1, 4, 1, 4, 2, 1, 4, 4, 2, 6,
+ 0, 1, 1, 4, 1, 4, 3, 2, 4, 4, 2, 6,
8, 7, 6, 6, 3, 3, 3, 3, 3, 3, 3, 3,
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 1, 0
};
@@ -94,7 +93,7 @@ private static byte[] init__puma_parser_range_lengths_0()
{
return new byte [] {
0, 3, 3, 3, 0, 0, 0, 0, 0, 0, 1, 1,
- 1, 1, 0, 6, 0, 6, 0, 0, 2, 2, 4, 1,
+ 1, 1, 0, 6, 0, 6, 1, 1, 2, 2, 4, 1,
1, 1, 1, 1, 3, 3, 3, 3, 3, 3, 3, 3,
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 0, 0
};
@@ -107,9 +106,9 @@ private static short[] init__puma_parser_index_offsets_0()
{
return new short [] {
0, 0, 6, 13, 21, 24, 26, 28, 30, 32, 34, 36,
- 39, 41, 44, 46, 57, 59, 70, 73, 75, 82, 89, 96,
- 104, 114, 123, 131, 139, 146, 153, 160, 167, 174, 181, 188,
- 195, 202, 209, 216, 223, 230, 237, 244, 251, 258, 265, 267
+ 39, 41, 44, 46, 57, 59, 70, 75, 79, 86, 93, 100,
+ 108, 117, 125, 133, 140, 147, 154, 161, 168, 175, 182, 189,
+ 196, 203, 210, 217, 224, 231, 238, 245, 252, 259, 261
};
}
@@ -124,24 +123,23 @@ private static byte[] init__puma_parser_indicies_0()
10, 1, 11, 1, 12, 1, 13, 1, 14, 1, 15, 1,
16, 15, 1, 17, 1, 18, 17, 1, 19, 1, 20, 21,
21, 21, 21, 21, 21, 21, 21, 21, 1, 22, 1, 23,
- 24, 23, 23, 23, 23, 23, 23, 23, 23, 1, 26, 27,
- 25, 29, 28, 30, 1, 1, 1, 1, 1, 31, 32, 1,
- 1, 1, 1, 1, 33, 34, 35, 34, 34, 34, 34, 1,
- 8, 1, 9, 1, 1, 1, 1, 35, 36, 1, 38, 39,
- 1, 1, 40, 1, 1, 37, 8, 1, 9, 1, 1, 42,
- 1, 1, 41, 43, 1, 45, 1, 1, 1, 1, 44, 46,
- 1, 48, 1, 1, 1, 1, 47, 2, 49, 49, 49, 49,
- 49, 1, 2, 50, 50, 50, 50, 50, 1, 2, 51, 51,
- 51, 51, 51, 1, 2, 52, 52, 52, 52, 52, 1, 2,
- 53, 53, 53, 53, 53, 1, 2, 54, 54, 54, 54, 54,
- 1, 2, 55, 55, 55, 55, 55, 1, 2, 56, 56, 56,
- 56, 56, 1, 2, 57, 57, 57, 57, 57, 1, 2, 58,
- 58, 58, 58, 58, 1, 2, 59, 59, 59, 59, 59, 1,
- 2, 60, 60, 60, 60, 60, 1, 2, 61, 61, 61, 61,
- 61, 1, 2, 62, 62, 62, 62, 62, 1, 2, 63, 63,
- 63, 63, 63, 1, 2, 64, 64, 64, 64, 64, 1, 2,
- 65, 65, 65, 65, 65, 1, 2, 66, 66, 66, 66, 66,
- 1, 2, 1, 1, 0
+ 24, 23, 23, 23, 23, 23, 23, 23, 23, 1, 25, 26,
+ 27, 25, 1, 28, 29, 28, 1, 30, 1, 1, 1, 1,
+ 1, 31, 32, 1, 1, 1, 1, 1, 33, 34, 35, 34,
+ 34, 34, 34, 1, 8, 1, 9, 1, 1, 1, 1, 35,
+ 36, 1, 38, 1, 1, 39, 1, 1, 37, 40, 1, 42,
+ 1, 1, 1, 1, 41, 43, 1, 45, 1, 1, 1, 1,
+ 44, 2, 46, 46, 46, 46, 46, 1, 2, 47, 47, 47,
+ 47, 47, 1, 2, 48, 48, 48, 48, 48, 1, 2, 49,
+ 49, 49, 49, 49, 1, 2, 50, 50, 50, 50, 50, 1,
+ 2, 51, 51, 51, 51, 51, 1, 2, 52, 52, 52, 52,
+ 52, 1, 2, 53, 53, 53, 53, 53, 1, 2, 54, 54,
+ 54, 54, 54, 1, 2, 55, 55, 55, 55, 55, 1, 2,
+ 56, 56, 56, 56, 56, 1, 2, 57, 57, 57, 57, 57,
+ 1, 2, 58, 58, 58, 58, 58, 1, 2, 59, 59, 59,
+ 59, 59, 1, 2, 60, 60, 60, 60, 60, 1, 2, 61,
+ 61, 61, 61, 61, 1, 2, 62, 62, 62, 62, 62, 1,
+ 2, 63, 63, 63, 63, 63, 1, 2, 1, 1, 0
};
}
diff --git a/test/test_http11.rb b/test/test_http11.rb
index 2a30047..79a8b75 100644
--- a/test/test_http11.rb
+++ b/test/test_http11.rb
@@ -183,4 +183,34 @@ class Http11ParserTest < Minitest::Test
end
end
+
+ def test_newline_smuggler
+ parser = Puma::HttpParser.new
+ req = {}
+ http = "GET / HTTP/1.1\r\nHost: localhost:8080\r\nDummy: x\nDummy2: y\r\n\r\n"
+
+ parser.execute(req, http, 0) rescue nil # We test the raise elsewhere.
+
+ assert parser.error?, "Parser SHOULD have error"
+ end
+
+ def test_newline_smuggler_two
+ parser = Puma::HttpParser.new
+ req = {}
+ http = "GET / HTTP/1.1\r\nHost: localhost:8080\r\nDummy: x\r\nDummy: y\nDummy2: z\r\n\r\n"
+
+ parser.execute(req, http, 0) rescue nil
+
+ assert parser.error?, "Parser SHOULD have error"
+ end
+
+ def test_htab_in_header_val
+ parser = Puma::HttpParser.new
+ req = {}
+ http = "GET / HTTP/1.1\r\nHost: localhost:8080\r\nDummy: Valid\tValue\r\n\r\n"
+
+ parser.execute(req, http, 0)
+
+ assert_equal "Valid\tValue", req['HTTP_DUMMY']
+ end
end
--
2.30.0

47
CVE-2022-23634.patch Normal file
View File

@ -0,0 +1,47 @@
From b70f451fe8abc0cff192c065d549778452e155bb Mon Sep 17 00:00:00 2001
From: Jean Boussier <jean.boussier@gmail.com>
Date: Fri, 11 Feb 2022 15:58:08 +0100
Subject: [PATCH] Ensure `close` is called on the response body no matter
what
Another fallout from https://github.com/puma/puma/pull/2809 is that
in some cases the `res_body.close` wasn't called because some previous
code
raised.
For Rails apps it means CurrentAttributes and a few other important
states aren't reset properly.
This is being improved on the Rails side too, but I believe it would
be good to harden this on the puma side as well.
---
lib/puma/server.rb | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/lib/puma/server.rb b/lib/puma/server.rb
index 4ce0c74..7871c91 100644
--- a/lib/puma/server.rb
+++ b/lib/puma/server.rb
@@ -866,11 +866,14 @@ module Puma
end
ensure
- uncork_socket client
+ begin
+ uncork_socket client
- body.close
- req.tempfile.unlink if req.tempfile
- res_body.close if res_body.respond_to? :close
+ body.close
+ req.tempfile.unlink if req.tempfile
+ ensure
+ res_body.close if res_body.respond_to? :close
+ end
after_reply.each { |o| o.call }
end
--
2.30.0

95
CVE-2024-45614.patch Normal file
View File

@ -0,0 +1,95 @@
From f196b23be24712fb8fb16051cc124798cc84f70e Mon Sep 17 00:00:00 2001
From: Evan Phoenix <evan@phx.io>
Date: Wed, 18 Sep 2024 21:56:07 -0700
Subject: [PATCH] Merge commit from fork
Refer:
https://bugzilla.suse.com/attachment.cgi?id=877575
https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e
* Prevent underscores from clobbering hyphen headers
* Special case encoding headers to prevent app confusion
* Handle _ as , in jruby as well
* Silence RuboCop offense
---------
Co-authored-by: Patrik Ragnarsson <patrik@starkast.net>
---
ext/puma_http11/org/jruby/puma/Http11.java | 2 ++
lib/puma/const.rb | 5 +++++
lib/puma/server.rb | 11 +++++++++--
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/ext/puma_http11/org/jruby/puma/Http11.java b/ext/puma_http11/org/jruby/puma/Http11.java
index 59dde37..25573ad 100644
--- a/ext/puma_http11/org/jruby/puma/Http11.java
+++ b/ext/puma_http11/org/jruby/puma/Http11.java
@@ -91,6 +91,8 @@ public class Http11 extends RubyObject {
for(int i = 0,j = b.length();i<j;i++) {
if((b.get(i) & 0xFF) == '-') {
b.set(i, (byte)'_');
+ } else if((b.get(i) & 0xFF) == '_') {
+ b.set(i, (byte)',');
} else {
b.set(i, (byte)Character.toUpperCase((char)b.get(i)));
}
diff --git a/lib/puma/const.rb b/lib/puma/const.rb
index 8b08ed0..3068add 100644
--- a/lib/puma/const.rb
+++ b/lib/puma/const.rb
@@ -235,5 +235,10 @@ module Puma
HIJACK_IO = "rack.hijack_io".freeze
EARLY_HINTS = "rack.early_hints".freeze
+
+ UNMASKABLE_HEADERS = {
+ "HTTP_TRANSFER,ENCODING" => true,
+ "HTTP_CONTENT,LENGTH" => true,
+ }
end
end
diff --git a/lib/puma/server.rb b/lib/puma/server.rb
index 7871c91..35b4099 100644
--- a/lib/puma/server.rb
+++ b/lib/puma/server.rb
@@ -681,23 +681,30 @@ module Puma
to_add = nil
env.each do |k,v|
- if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
+ if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
if to_delete
to_delete << k
else
to_delete = [k]
end
+ new_k = k.gsub(",", "_")
+ if env.key?(new_k)
+ next
+ end
+
unless to_add
to_add = {}
end
- to_add[k.gsub(",", "_")] = v
+ to_add[new_k] = v
end
end
if to_delete
to_delete.each { |k| env.delete(k) }
+ end
+ if to_add
env.merge! to_add
end
--
2.46.0

BIN
puma-3.12.4.gem
View File

Binary file not shown.

BIN
puma-3.12.6.gem Normal file
View File

Binary file not shown.

34
rubygem-puma.spec
View File

@ -1,8 +1,8 @@
%global gem_name puma
%bcond_with ragel
Name: rubygem-%{gem_name}
Version: 3.12.4
Release: 1
Version: 3.12.6
Release: 4
Summary: A simple, fast, threaded, and highly concurrent HTTP 1.1 server
License: BSD
URL: http://puma.io
@ -10,7 +10,14 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: https://github.com/puma/%{gem_name}/archive/v%{version}.tar.gz
# Set the default cipher list "PROFILE=SYSTEM".
# https://fedoraproject.org/wiki/Packaging:CryptoPolicies
Patch2: rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch
Patch0: rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch
Patch1: CVE-2021-29509.patch
# https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
Patch2: CVE-2021-41136.patch
# https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
Patch3: CVE-2022-23634.patch
Patch4: CVE-2024-45614.patch
BuildRequires: openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack)
BuildRequires: rubygem(minitest)
%if %{with ragel}
@ -30,7 +37,12 @@ Documentation for %{name}.
%prep
%setup -q -n %{gem_name}-%{version} -b 1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%if %{with ragel}
rm -f ext/puma_http11/http11_parser.c
ragel ext/puma_http11/http11_parser.rl -C -G2 -I ext/puma_http11 \
@ -64,6 +76,7 @@ sed -i "/require 'minitest\/retry'/ s/^/#/" test/helper.rb
sed -i "/Minitest::Retry/ s/^/#/" test/helper.rb
sed -i '/^ def test_timeout_in_data_phase$/a\
skip "Unstable test"' test/test_puma_server.rb
sed -i "s/X_FORWARDED_PROTO/X-FORWARDED-PROTO/g" test/test_puma_server.rb
sed -i '/^ def test_control_url$/a\
skip "Unstable test"' test/test_pumactl.rb
sed -i '/^ def test_ssl_v3_rejection$/a\
@ -95,5 +108,20 @@ popd
%{gem_instdir}/tools
%changelog
* Fri Sep 27 2024 wangkai <13474090681@163.com> - 3.12.6-4
- Fix CVE-2024-45614
* Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 3.12.6-3
- Fix CVE-2021-41136 and CVE-2022-23634
* Mon May 31 2021 wangyue <wangyue92@huawei.com> - 3.12.6-2
- Fix CVE-2021-29509
* Wed Feb 03 2021 shinwell_hu <micromotive@qq.com> - 3.12.6-1
- Upgrade to 3.12.6 to fix following known CVEs
CVE-2020-11077
CVE-2020-11076
- Workaround test failure on x forwarded protol
* Thu Aug 20 2020 luoshengwei <luoshengwei@huawei.com> - 3.12.4-1
- package init

BIN
v3.12.4.tar.gz
View File

Binary file not shown.

BIN
v3.12.6.tar.gz Normal file
View File

Binary file not shown.