๐Ÿšจ [security][ruby] ์—…๋ฐ์ดํŠธ puma:4.3.3โ†’ 4.3.6(ํŒจ์น˜)

5313 ๋‹จ์–ด mshauri

๋ฌ˜์‚ฌ

๐Ÿšจ ํ˜„์žฌ ์˜์กด ํ•ญ๋ชฉ์— ์•Œ๋ ค์ง„ ๋ณด์•ˆ ๊ฒฐํ•จ์ด ์žˆ์Šต๋‹ˆ๋‹ค๐Ÿšจ
์ด ์˜์กด ํ•ญ๋ชฉ ์—…๋ฐ์ดํŠธ๋Š” ์ด๋ฏธ ์•Œ๋ ค์ง„ ๋ณด์•ˆ ๋นˆํ‹ˆ์„ ๋ณต๊ตฌํ–ˆ์Šต๋‹ˆ๋‹ค.์•„๋ž˜์˜ ์ƒ์„ธํ•œ ์ •๋ณด๋ฅผ ๋ณด๊ณ  ๊ทธ ์˜ํ–ฅ์„ ์ž์„ธํžˆ ํ‰๊ฐ€ํ•ด ์ฃผ์‹ญ์‹œ์˜ค.์šฐ๋ฆฌ๋Š” ๊ฐ€๋Šฅํ•œ ํ•œ ๋นจ๋ฆฌ ๊ทธ๊ฒƒ์„ ํ•ฉ๋ณ‘ํ•˜๊ณ  ๋ฐฐ์น˜ํ•  ๊ฒƒ์„ ๊ฑด์˜ํ•ฉ๋‹ˆ๋‹ค.
๋‹ค์Œ์€ ์—…๋ฐ์ดํŠธ์— ๋Œ€ํ•ด ์•Œ์•„์•ผ ํ•  ๋ชจ๋“  ์ •๋ณด์ž…๋‹ˆ๋‹ค.์ด ์š”์ฒญ์„ ํ†ตํ•ฉํ•˜๊ธฐ ์ „์— ๋ณ€๊ฒฝ๋œ ๋‚ด์šฉ๊ณผ ํ…Œ์ŠคํŠธ ๊ฒฐ๊ณผ๋ฅผ ์ž์„ธํžˆ ๋ณด์‹ญ์‹œ์˜ค.

๋ญ๊ฐ€ ๋ฐ”๋€Œ์—ˆ์–ด?


โœณ๏ธ ํ“จ๋งˆ(4.3.3)โ†’ 4.3.6)ยทํ™˜๋งคยท๋ณ€๊ฒฝ๊ธฐ๋ก


์•ˆ์ „ ์ž๋ฌธ๐Ÿšจ

๐Ÿšจ Puma์—์„œ ์ „์†ก ์ฝ”๋”ฉ ํ—ค๋”๋ฅผ ํ†ตํ•ด HTTP ๋ฐ€์ˆ˜


์˜ํ–ฅ

By using an invalid transfer-encoding header, an attacker could
smuggle an HTTP response.

ํ—<unk>์„ ๊น๋‹ค

The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.


๐Ÿšจ Puma์—์„œ ์ „์†ก ์ฝ”๋”ฉ ํ—ค๋”๋ฅผ ํ†ตํ•ด HTTP ๋ฐ€์ˆ˜


์˜ํ–ฅ

This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4.

A client could smuggle a request through a proxy, causing the proxy to send a response
back to another unknown client.

If the proxy uses persistent connections and the client adds another request in via HTTP
pipelining, the proxy may mistake it as the first request's body. Puma, however,
would see it as two requests, and when processing the second request, send back
a response that the proxy does not expect. If the proxy has reused the persistent
connection to Puma to send another request for a different client, the second response
from the first client will be sent to the second client.

ํ—<unk>์„ ๊น๋‹ค

The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.


๋ฆด๋ฆฌ์ฆˆ ๋…ธํŠธ

4.3.6


v4.3.5...4.3.6

A quick fix for a build error on Mac OS and a JSON require fix for those using phased restart.

  • Explicitly include ctype.h to fix compilation warning and build error on macOS with Xcode 12 (#2304)
  • Don't require json at boot (#2269)

์ด๊ฒŒ ํ‹€๋ฆฐ ๊ฒƒ ๊ฐ™๋‚˜์š”?Please let us know.
์–ธ์•ฝ
See the full diff on Github . ์ƒˆ ๋ฆด๋ฆฌ์ฆˆ์—์„œ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์€ 8๊ฐ€์ง€ ์ฐจ์ด์ ์ด ์žˆ์Šต๋‹ˆ๋‹ค.
  • v4.3.6
  • Merge pull request #2314 from venables/fix-include
  • Merge pull request #2269 from MSP-Greg/json-require
  • Bump version
  • Adjust test to match real world value
  • Reduce ambiguity of headers
  • Bump version
  • Better handle client input
    • Depfu Status
    Depfu ๋ถ„๊ธฐ์— ์ปค๋ฐ‹์„ ์ถ”๊ฐ€ํ•˜์ง€ ์•Š๋Š” ํ•œ ์ด PR์ด ์ถฉ๋Œํ•˜์ง€ ์•Š๋„๋ก ์ž๋™์œผ๋กœ ์œ ์ง€๋ฉ๋‹ˆ๋‹ค.@depfu rebase ์ฃผ์„์„ ์‚ฌ์šฉํ•˜์—ฌ ์ˆ˜๋™์œผ๋กœ ํ„ฐ์น˜ํ•  ์ˆ˜๋„ ์žˆ์Šต๋‹ˆ๋‹ค.
    ๋ชจ๋“  Depfu ์ฃผ์„ ๋ช…๋ น
    @โ€‹depfu rebase
    Rebases against your default branch and redoes this update
    @โ€‹depfu recreate
    Recreates this PR, overwriting any edits that you've made to it
    @โ€‹depfu merge
    Merges this PR once your tests are passing and conflicts are resolved
    @โ€‹depfu close
    Closes this PR and deletes the branch
    @โ€‹depfu reopen
    Restores the branch and reopens this PR (if it's closed)
    @โ€‹depfu pause
    Ignores all future updates for this dependency and closes this PR
    @โ€‹depfu pause [minor|major]
    Ignores all future minor/major updates for this dependency and closes this PR
    @โ€‹depfu resume
    Future versions of this dependency will create PRs again (leaves this PR as is)

    ํ† ๋ก  #1

    #231์— ์œ ๋ฆฌํ•ฉ๋‹ˆ๋‹ค.
    opencv ๊ธฐํ•˜ํ•™์  ํ˜•์ƒ ์ถ”์ถœ
    python zip ํ•จ์ˆ˜ ํ™œ์šฉ

    ์ข‹์€ ์›นํŽ˜์ด์ง€ ์ฆ๊ฒจ์ฐพ๊ธฐ

    ๊ฐœ๋ฐœ์ž ์šฐ์ˆ˜ ์‚ฌ์ดํŠธ ์ˆ˜์ง‘

    ๊ฐœ๋ฐœ์ž๊ฐ€ ์•Œ์•„์•ผ ํ•  ํ•„์ˆ˜ ์‚ฌ์ดํŠธ 100์„  ์ถ”์ฒœ ์šฐ๋ฆฌ๋Š” ๋‹น์‹ ์„ ์œ„ํ•ด 100๊ฐœ์˜ ์ž์ฃผ ์‚ฌ์šฉํ•˜๋Š” ๊ฐœ๋ฐœ์ž ํ•™์Šต ์‚ฌ์ดํŠธ๋ฅผ ์ •๋ฆฌํ–ˆ์Šต๋‹ˆ๋‹ค
    best100-homepage