!6 fix CVE-2021-29509

From: @wang_yue111
Reviewed-by: @maminjie,@shinwell_hu
Signed-off-by: @shinwell_hu
openeuler-ci-bot 2021-05-31 14:26:05 +08:00 committed by Gitee
commit ab50fbd816
2 changed files with 53 additions and 1 deletion

CVE-2021-29509.patch (new file, 45 lines)

@ -0,0 +1,45 @@
From 2e9cf0b63b8de904d6ebca9fb1474cf0f979c53b Mon Sep 17 00:00:00 2001
From: Nate Berkopec <nate.berkopec@gmail.com>
Date: Tue, 11 May 2021 07:43:32 -0600
Subject: [PATCH] Close keepalive connections after MAX_FAST_INLINE requests
---
lib/puma/server.rb | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/lib/puma/server.rb b/lib/puma/server.rb
index 5b2cd94..4ce0c74 100644
--- a/lib/puma/server.rb
+++ b/lib/puma/server.rb
@@ -487,15 +487,20 @@ module Puma
requests += 1
- check_for_more_data = @status == :run
+ # Closing keepalive sockets after they've made a reasonable
+ # number of requests allows Puma to service many connections
+ # fairly, even when the number of concurrent connections exceeds
+ # the size of the threadpool. It also allows cluster mode Pumas
+ # to keep load evenly distributed across workers, because clients
+ # are randomly assigned a new worker when opening a new connection.
+ #
+ # Previously, Puma would kick connections in this conditional back
+ # to the reactor. However, because this causes the todo set to increase
+ # in size, the wait_until_full mutex would never unlock, leaving
+ # any additional connections unserviced.
+ break if requests >= MAX_FAST_INLINE
- if requests >= MAX_FAST_INLINE
- # This will mean that reset will only try to use the data it already
- # has buffered and won't try to read more data. What this means is that
- # every client, independent of their request speed, gets treated like a slow
- # one once every MAX_FAST_INLINE requests.
- check_for_more_data = false
- end
+ check_for_more_data = @status == :run
unless client.reset(check_for_more_data)
close_socket = false
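Review bot: the new `break if requests >= MAX_FAST_INLINE` leaves the loop before `client.reset(check_for_more_data)` is reached, so the `close_socket = false` assignment in that `unless` branch is skipped and the socket relies on whatever close handling follows the loop; that tail is not in the hunk, so please confirm in the 3.12.6 tree this is backported onto that the connection is really closed on that path, since that closure is the entire mitigation. Also worth one line in the new comment block: this is a visible behaviour change (a client loses its keepalive connection after MAX_FAST_INLINE requests instead of being treated as a slow client once, which the removed comment described and the new one only implies).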
--
2.23.0

Second changed file (RPM spec):

@ -2,7 +2,7 @@
%bcond_with ragel %bcond_with ragel
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 3.12.6 Version: 3.12.6
Release: 1 Release: 2
Summary: A simple, fast, threaded, and highly concurrent HTTP 1.1 server Summary: A simple, fast, threaded, and highly concurrent HTTP 1.1 server
License: BSD License: BSD
URL: http://puma.io URL: http://puma.io
@ -11,6 +11,8 @@ Source1: https://github.com/puma/%{gem_name}/archive/v%{version}.tar
# Set the default cipher list "PROFILE=SYSTEM". # Set the default cipher list "PROFILE=SYSTEM".
# https://fedoraproject.org/wiki/Packaging:CryptoPolicies # https://fedoraproject.org/wiki/Packaging:CryptoPolicies
Patch0: rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch Patch0: rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch
Patch1: CVE-2021-29509.patch
BuildRequires: openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack) BuildRequires: openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack)
BuildRequires: rubygem(minitest) BuildRequires: rubygem(minitest)
%if %{with ragel} %if %{with ragel}
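Review bot: `Patch1: CVE-2021-29509.patch` has no provenance comment, whereas Patch0 is preceded by two comment lines explaining where it comes from; add a comment naming the upstream commit recorded in the patch file's own header (2e9cf0b63b8de904d6ebca9fb1474cf0f979c53b, "Close keepalive connections after MAX_FAST_INLINE requests") so the next maintainer can tell whether a future puma upgrade already carries it and the patch can be dropped.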
@ -31,6 +33,8 @@ Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version} -b 1 %setup -q -n %{gem_name}-%{version} -b 1
%patch0 -p1 %patch0 -p1
%patch1 -p1
%if %{with ragel} %if %{with ragel}
rm -f ext/puma_http11/http11_parser.c rm -f ext/puma_http11/http11_parser.c
ragel ext/puma_http11/http11_parser.rl -C -G2 -I ext/puma_http11 \ ragel ext/puma_http11/http11_parser.rl -C -G2 -I ext/puma_http11 \
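Review bot: `%patch1 -p1` is the correct strip level, since the patch file uses `a/lib/puma/server.rb` and `b/lib/puma/server.rb` paths, and it runs in the same `%{gem_name}-%{version}` tree that `%setup` unpacks and Patch0 is applied to, so the ordering after `%patch0 -p1` is fine.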
@ -96,6 +100,9 @@ popd
%{gem_instdir}/tools %{gem_instdir}/tools
%changelog %changelog
* Mon May 31 2021 wangyue <wangyue92@huawei.com> - 3.12.6-2
- Fix CVE-2021-29509
* Wed Feb 03 2021 shinwell_hu <micromotive@qq.com> - 3.12.6-1 * Wed Feb 03 2021 shinwell_hu <micromotive@qq.com> - 3.12.6-1
- Upgrade to 3.12.6 to fix following known CVEs - Upgrade to 3.12.6 to fix following known CVEs
CVE-2020-11077 CVE-2020-11077
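Review bot: the 3.12.6-2 changelog entry only names the CVE; because the fix changes server behaviour (keepalive connections are now closed once they reach MAX_FAST_INLINE requests, per the comment in the patch), add a second line stating that, the same way the 3.12.6-1 entry lists what its change affected under its header.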