Upgrade to version 4.3.9 in order to CVE-2021-41136

2021-11-09 20:45:38 +08:00 · 2021-11-09 20:45:38 +08:00 · 8229c5f275
commit 8229c5f275
parent ab50fbd816
6 changed files with 17 additions and 54 deletions
--- a/CVE-2021-29509.patch
+++ b/CVE-2021-29509.patch
@ -1,45 +0,0 @@
 From 2e9cf0b63b8de904d6ebca9fb1474cf0f979c53b Mon Sep 17 00:00:00 2001
 From: Nate Berkopec <nate.berkopec@gmail.com>
 Date: Tue, 11 May 2021 07:43:32 -0600
 Subject: [PATCH] Close keepalive connections after MAX_FAST_INLINE requests
 ---
 lib/puma/server.rb | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
 diff --git a/lib/puma/server.rb b/lib/puma/server.rb
 index 5b2cd94..4ce0c74 100644
 --- a/lib/puma/server.rb
 +++ b/lib/puma/server.rb
@@ -487,15 +487,20 @@ module Puma
             requests += 1
 -            check_for_more_data = @status == :run
 +            # Closing keepalive sockets after they've made a reasonable
 +            # number of requests allows Puma to service many connections
 +            # fairly, even when the number of concurrent connections exceeds
 +            # the size of the threadpool. It also allows cluster mode Pumas
 +            # to keep load evenly distributed across workers, because clients
 +            # are randomly assigned a new worker when opening a new connection.
 +            #
 +            # Previously, Puma would kick connections in this conditional back
 +            # to the reactor. However, because this causes the todo set to increase
 +            # in size, the wait_until_full mutex would never unlock, leaving
 +            # any additional connections unserviced.
 +            break if requests >= MAX_FAST_INLINE
 -            if requests >= MAX_FAST_INLINE
 -              # This will mean that reset will only try to use the data it already
 -              # has buffered and won't try to read more data. What this means is that
 -              # every client, independent of their request speed, gets treated like a slow
 -              # one once every MAX_FAST_INLINE requests.
 -              check_for_more_data = false
 -            end
 +            check_for_more_data = @status == :run
             unless client.reset(check_for_more_data)
               close_socket = false
 -- 
 2.23.0
--- a/puma-3.12.6.gem
+++ b/puma-3.12.6.gem
--- a/puma-4.3.9.gem
+++ b/puma-4.3.9.gem
--- a/rubygem-puma.spec
+++ b/rubygem-puma.spec
@ -1,20 +1,20 @@
 %global gem_name puma
 %bcond_with ragel
 Name:                rubygem-%{gem_name}
-Version:             3.12.6
+Version:             4.3.9
-Release:             2
+Release:             1
 Summary:             A simple, fast, threaded, and highly concurrent HTTP 1.1 server
 License:             BSD
 URL:                 http://puma.io
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
-Source1:             https://github.com/puma/%{gem_name}/archive/v%{version}.tar.gz
+Source1:             https://github.com/puma/%{gem_name}/archive/refs/tags/v%{version}.tar.gz
 # Set the default cipher list "PROFILE=SYSTEM".
 # https://fedoraproject.org/wiki/Packaging:CryptoPolicies
 Patch0:              rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch
 Patch1:              CVE-2021-29509.patch
 BuildRequires:       openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack)
 BuildRequires:       rubygem(minitest)
 BuildRequires: 	     rubygem(nio4r)
 %if %{with ragel}
 BuildRequires:       %{_bindir}/ragel
 %endif
@ -33,7 +33,6 @@ Documentation for %{name}.
 %prep
 %setup -q -n  %{gem_name}-%{version} -b 1
 %patch0 -p1
 %patch1 -p1
 %if %{with ragel}
 rm -f ext/puma_http11/http11_parser.c
@ -64,17 +63,23 @@ find %{buildroot}%{gem_instdir}/bin -type f | \
 pushd .%{gem_instdir}
 ln -s %{_builddir}/%{gem_name}-%{version}/test test
 ln -s %{_builddir}/%{gem_name}-%{version}/examples examples
-sed -i "/require 'minitest\/retry'/ s/^/#/" test/helper.rb
+sed -i -e "/require..minitest\/\(retry\|proveit\)./ s/^/#/" test/helper.rb
 sed -i "/Minitest::Retry/ s/^/#/" test/helper.rb
 sed -i '/prove_it!/ s/^/#/' test/helper.rb
 sed -i '/^  def test_timeout_in_data_phase$/a\
    skip "Unstable test"' test/test_puma_server.rb
 sed -i "s/X_FORWARDED_PROTO/X-FORWARDED-PROTO/g" test/test_puma_server.rb
 sed -i '/^  def test_control_url$/a\
    skip "Unstable test"' test/test_pumactl.rb
 sed -i '/^  def test_ssl_v3_rejection$/a\
    skip' test/test_puma_server_ssl.rb
-sed -i '/^  def test_term_signal_exit_code_in_clustered_mode$/a\
+sed -i '/^  def test_usr1_all_respond_unix$/a\
-    skip "Clustered server does not stop properly"' test/test_integration.rb
+    skip' test/test_integration_cluster.rb
 sed -i '/^  def test_usr1_all_respond_tcp$/a\
    skip' test/test_integration_cluster.rb
 sed -i '/^  def test_term_closes_listeners_unix$/a\
    skip' test/test_integration_cluster.rb
 sed -i '/^  def test_term_closes_listeners_tcp$/a\
    skip' test/test_integration_cluster.rb
 RUBYOPT="-Ilib:$(dirs +1 -l)%{gem_extdir_mri}" CI=1 ruby \
  -e 'Dir.glob "./test/**/test_*.rb", &method(:require)' \
  -- -v
@ -100,6 +105,9 @@ popd
 %{gem_instdir}/tools
 %changelog
 * Mon Nov 15 2021 houyingchao <houyingchao@huawei.com> - 4.3.9-1
 - Fix CVE-2021-41136
 * Mon May 31 2021 wangyue <wangyue92@huawei.com>  - 3.12.6-2
 - Fix CVE-2021-29509
--- a/v3.12.6.tar.gz
+++ b/v3.12.6.tar.gz
--- a/v4.3.9.tar.gz
+++ b/v4.3.9.tar.gz