This repository has been archived by the owner on Nov 17, 2020. It is now read-only.

Merge #125
125: [Security] Bump puma from 4.1.1 to 4.3.1 r=michaelbaudino a=dependabot-preview[bot]

Bumps [puma](https://github.com/puma/puma) from 4.1.1 to 4.3.1. **This update includes a security fix.**
<details>
<summary>Vulnerabilities fixed</summary>

*Sourced from The GitHub Security Advisory Database.*

> **Moderate severity vulnerability that affects puma**
> ## Keepalive thread overload/DoS
> 
> ### Impact
> 
> A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack.
> 
> If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
> 
> ### Patches
> 
> This vulnerability is patched in Puma 4.3.1 and 3.12.2.
> 
> ### Workarounds
> 
> Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.
> 
> ### For more information
> 
> If you have any questions or comments about this advisory:
> 
> ... (truncated)
> 
> Affected versions: >= 4.0.0, < 4.3.1

</details>
<details>
<summary>Release notes</summary>

*Sourced from [puma's releases](https://github.com/puma/puma/releases).*

> ## v4.3.0 - Mysterious Traveller
> ![0000492109](https://user-images.githubusercontent.com/845662/68427889-ff59cd00-0178-11ea-8329-8493b3de6906.jpg)
> 
> [Mysterious Traveller](https://www.youtube.com/watch?v=bZ44_P6iM18)
> 
> * Features
>   * Strip whitespace at end of HTTP headers ([#2010](https://github-redirect.dependabot.com/puma/puma/issues/2010))
>   * Optimize HTTP parser for JRuby ([#2012](https://github-redirect.dependabot.com/puma/puma/issues/2012))
>   * Add SSL support for the control app and cli ([#2046](https://github-redirect.dependabot.com/puma/puma/issues/2046), [#2052](https://github-redirect.dependabot.com/puma/puma/issues/2052))
> 
> * Bugfixes
>   * Fix Errno::EINVAL when SSL is enabled and browser rejects cert ([#1564](https://github-redirect.dependabot.com/puma/puma/issues/1564))
>   * Fix pumactl defaulting puma to development if an environment was not specified ([#2035](https://github-redirect.dependabot.com/puma/puma/issues/2035))
>   * Fix closing file stream when reading pid from pidfile ([#2048](https://github-redirect.dependabot.com/puma/puma/issues/2048))
>   * Fix a typo in configuration option `--extra_runtime_dependencies` ([#2050](https://github-redirect.dependabot.com/puma/puma/issues/2050))
> 
> ## 4.2.1
> * 3 bugfixes
>   * Fix socket activation of systemd (pre-existing) unix binder files ([#1842](https://github-redirect.dependabot.com/puma/puma/issues/1842), [#1988](https://github-redirect.dependabot.com/puma/puma/issues/1988))
>   * Deal with multiple calls to bind correctly ([#1986](https://github-redirect.dependabot.com/puma/puma/issues/1986), [#1994](https://github-redirect.dependabot.com/puma/puma/issues/1994), [#2006](https://github-redirect.dependabot.com/puma/puma/issues/2006))
>   * Accepts symbols for `verify_mode` ([#1222](https://github-redirect.dependabot.com/puma/puma/issues/1222))
> 
> ## 4.2.0 - Distant Airhorns
> * 6 features
>   * Pumactl has a new -e environment option and reads config/puma/<environment>.rb config files ([#1885](https://github-redirect.dependabot.com/puma/puma/issues/1885))
>   * Semicolons are now allowed in URL paths (MRI only), useful for Angular or Redmine ([#1934](https://github-redirect.dependabot.com/puma/puma/issues/1934))
>   * Allow extra dependencies to be defined when using prune_bundler ([#1105](https://github-redirect.dependabot.com/puma/puma/issues/1105))
>   * Puma now reports the correct port when binding to port 0, also reports other listeners when binding to localhost ([#1786](https://github-redirect.dependabot.com/puma/puma/issues/1786))
>   * Sending SIGINFO to any Puma worker now prints currently active threads and their backtraces ([#1320](https://github-redirect.dependabot.com/puma/puma/issues/1320))
>   * Puma threads all now have their name set on Ruby 2.3+ ([#1968](https://github-redirect.dependabot.com/puma/puma/issues/1968))
> * 4 bugfixes
>   * Fix some misbehavior with phased restart and externally SIGTERMed workers ([#1908](https://github-redirect.dependabot.com/puma/puma/issues/1908), [#1952](https://github-redirect.dependabot.com/puma/puma/issues/1952))
>   * Fix socket closing on error ([#1941](https://github-redirect.dependabot.com/puma/puma/issues/1941))
>   * Removed unnecessary SIGINT trap for JRuby that caused some race conditions ([#1961](https://github-redirect.dependabot.com/puma/puma/issues/1961))
>   * Fix socket files being left around after process stopped ([#1970](https://github-redirect.dependabot.com/puma/puma/issues/1970))
> * Absolutely thousands of lines of test improvements and fixes thanks to [@&#8203;MSP-Greg](https://github.com/MSP-Greg)
> 
> ![air-horn-sound-s-econd-air-horn-sound-me-this-23916124](https://user-images.githubusercontent.com/845662/65414357-d3b29b80-ddf3-11e9-8e77-2a66ff5672be.png)
</details>
<details>
<summary>Changelog</summary>

*Sourced from [puma's changelog](https://github.com/puma/puma/blob/master/History.md).*

> ## 4.3.1 and 3.12.2 / 2019-12-05
> 
> * Security
>   * Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770.
> 
> ## 4.3.0 / 2019-11-07
> 
> * Features
>   * Strip whitespace at end of HTTP headers ([#2010](https://github-redirect.dependabot.com/puma/puma/issues/2010))
>   * Optimize HTTP parser for JRuby ([#2012](https://github-redirect.dependabot.com/puma/puma/issues/2012))
>   * Add SSL support for the control app and cli ([#2046](https://github-redirect.dependabot.com/puma/puma/issues/2046), [#2052](https://github-redirect.dependabot.com/puma/puma/issues/2052))
> 
> * Bugfixes
>   * Fix Errno::EINVAL when SSL is enabled and browser rejects cert ([#1564](https://github-redirect.dependabot.com/puma/puma/issues/1564))
>   * Fix pumactl defaulting puma to development if an environment was not specified ([#2035](https://github-redirect.dependabot.com/puma/puma/issues/2035))
>   * Fix closing file stream when reading pid from pidfile ([#2048](https://github-redirect.dependabot.com/puma/puma/issues/2048))
>   * Fix a typo in configuration option `--extra_runtime_dependencies` ([#2050](https://github-redirect.dependabot.com/puma/puma/issues/2050))
> 
> ## 4.2.1 / 2019-10-07
> 
> * 3 bugfixes
>   * Fix socket activation of systemd (pre-existing) unix binder files ([#1842](https://github-redirect.dependabot.com/puma/puma/issues/1842), [#1988](https://github-redirect.dependabot.com/puma/puma/issues/1988))
>   * Deal with multiple calls to bind correctly ([#1986](https://github-redirect.dependabot.com/puma/puma/issues/1986), [#1994](https://github-redirect.dependabot.com/puma/puma/issues/1994), [#2006](https://github-redirect.dependabot.com/puma/puma/issues/2006))
>   * Accepts symbols for `verify_mode` ([#1222](https://github-redirect.dependabot.com/puma/puma/issues/1222))
> 
> ## 4.2.0 / 2019-09-23
> 
> * 6 features
>   * Pumactl has a new -e environment option and reads `config/puma/<environment>.rb` config files ([#1885](https://github-redirect.dependabot.com/puma/puma/issues/1885))
>   * Semicolons are now allowed in URL paths (MRI only), useful for Angular or Redmine ([#1934](https://github-redirect.dependabot.com/puma/puma/issues/1934))
>   * Allow extra dependencies to be defined when using prune_bundler ([#1105](https://github-redirect.dependabot.com/puma/puma/issues/1105))
>   * Puma now reports the correct port when binding to port 0, also reports other listeners when binding to localhost ([#1786](https://github-redirect.dependabot.com/puma/puma/issues/1786))
>   * Sending SIGINFO to any Puma worker now prints currently active threads and their backtraces ([#1320](https://github-redirect.dependabot.com/puma/puma/issues/1320))
>   * Puma threads all now have their name set on Ruby 2.3+ ([#1968](https://github-redirect.dependabot.com/puma/puma/issues/1968))
> * 4 bugfixes
>   * Fix some misbehavior with phased restart and externally SIGTERMed workers ([#1908](https://github-redirect.dependabot.com/puma/puma/issues/1908), [#1952](https://github-redirect.dependabot.com/puma/puma/issues/1952))
>   * Fix socket closing on error ([#1941](https://github-redirect.dependabot.com/puma/puma/issues/1941))
>   * Removed unnecessary SIGINT trap for JRuby that caused some race conditions ([#1961](https://github-redirect.dependabot.com/puma/puma/issues/1961))
>   * Fix socket files being left around after process stopped ([#1970](https://github-redirect.dependabot.com/puma/puma/issues/1970))
> * Absolutely thousands of lines of test improvements and fixes thanks to [@&#8203;MSP-Greg](https://github.com/MSP-Greg)
</details>
<details>
<summary>Commits</summary>

- [`2986bc4`](puma/puma@2986bc4) 4.3.1
- [`285c3f9`](puma/puma@285c3f9) 4.3.1 and 4.2.1 release notes
- [`98a1f03`](puma/puma@98a1f03) Merge pull request from GHSA-7xx3-m584-x994
- [`d20242b`](puma/puma@d20242b) 4.3.0
- [`4852902`](puma/puma@4852902) Merge pull request [#2068](https://github-redirect.dependabot.com/puma/puma/issues/2068) from ahorek/travis_fixes
- [`2d89d7c`](puma/puma@2d89d7c) travis fixes
- [`3203159`](puma/puma@3203159) dont set frozen-string-literal for ruby 2.2 [changelog skip] ([#2066](https://github-redirect.dependabot.com/puma/puma/issues/2066))
- [`8e751a8`](puma/puma@8e751a8) Add TruffleRuby to (Travis) CI
- [`536c3ed`](puma/puma@536c3ed) Rubocop failures
- [`554c02c`](puma/puma@554c02c) Also make request_body_wait_chunked less strict
- Additional commits viewable in [compare view](puma/puma@v4.1.1...v4.3.1)
</details>
<br />

[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=puma&package-manager=bundler&previous-version=4.1.1&new-version=4.3.1)](https://dependabot.com/compatibility-score.html?dependency-name=puma&package-manager=bundler&previous-version=4.1.1&new-version=4.3.1)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
Dependabot will **not** automatically merge this PR because it includes a minor update to a production dependency.

[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)



</details>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
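As an added example that is not part of the Dependabot PR or of the puma project: a small Ruby check that reads the pinned puma version out of a Gemfile.lock and tests it against the affected range stated in the advisory quoted above (>= 4.0.0, < 4.3.1). The lockfile fragments are constructed to mirror the before/after state of this commit's diff, and the function names (`locked_versions`, `puma_vulnerable?`, `check_puma_lock`) are assumptions of this example, not Bundler or puma APIs.

```ruby
# Added example (not from the PR or the puma project): does the Gemfile.lock pin
# a puma release inside the advisory's affected range?
require "rubygems"

# Affected range as stated in the advisory: >= 4.0.0, < 4.3.1.
# (3.x users should compare against 3.12.2; the advisory gives no 3.x lower bound,
# so that line is deliberately not modelled here.)
AFFECTED_MIN  = Gem::Version.new("4.0.0")
FIXED_VERSION = Gem::Version.new("4.3.1")

# Returns a Hash of gem name => Gem::Version for every spec pinned in the GEM
# section of a Gemfile.lock. Bundler writes resolved specs at a 4-space indent
# ("    puma (4.3.1)") and their dependencies at 6 spaces ("      nio4r (~> 2.0)"),
# so only 4-space lines are pins; dependency lines carry constraints, not versions.
def locked_versions(lockfile_text)
  pins = {}
  lockfile_text.each_line do |line|
    next unless (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/))
    pins[m[1]] = Gem::Version.new(m[2])
  end
  pins
end

# True when the given puma version lies inside the advisory's affected range.
def puma_vulnerable?(version)
  version >= AFFECTED_MIN && version < FIXED_VERSION
end

# Returns { version: Gem::Version or nil, vulnerable: true/false/nil }.
# nil means puma is not pinned in this lockfile at all.
def check_puma_lock(lockfile_text)
  version = locked_versions(lockfile_text)["puma"]
  return { version: nil, vulnerable: nil } if version.nil?
  { version: version, vulnerable: puma_vulnerable?(version) }
end

# Constructed sample: the lockfile fragment as it stood before this commit.
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.1)
      puma (4.1.1)
        nio4r (~> 2.0)
      rack (2.0.7)
LOCK

# Constructed sample: the same fragment after the bump in this commit.
AFTER_LOCK = BEFORE_LOCK.sub("puma (4.1.1)", "puma (4.3.1)")
                        .sub("nio4r (2.5.1)", "nio4r (2.5.2)")

if __FILE__ == $PROGRAM_NAME
  [["before", BEFORE_LOCK], ["after", AFTER_LOCK]].each do |label, text|
    r = check_puma_lock(text)
    puts "#{label}: puma #{r[:version]} vulnerable=#{r[:vulnerable]}"
  end
end
```

Run it against a real lockfile with `check_puma_lock(File.read("Gemfile.lock"))`; the point of reading the lock rather than the Gemfile is that `~> 4.3` in the Gemfile still admits 4.3.0, and only the lockfile says which release will actually be installed.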
2 parents 71827a5 + 15111db commit 4674e52
Showing 2 changed files with 4 additions and 4 deletions.
2 changes: 1 addition & 1 deletion Gemfile
Expand Up @@ -8,7 +8,7 @@ gem "bootsnap", ">= 1.1.0", require: false
gem "haml", "~> 5.1"
gem "jbuilder", "~> 2.9"
gem "pg", ">= 0.18", "< 2.0"
gem "puma", "~> 4.1"
gem "puma", "~> 4.3"
gem "rails", "~> 5.2.3"
gem "sass-rails", "~> 5.0"
gem "turbolinks", "~> 5.2"
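Review bot: `gem "puma", "~> 4.3"` still admits 4.3.0, which the advisory lists as affected (>= 4.0.0, < 4.3.1); only Gemfile.lock pins 4.3.1, so a lockfile regenerated from this Gemfile alone could resolve back to a vulnerable release. Consider `gem "puma", "~> 4.3", ">= 4.3.1"` so the Gemfile itself excludes 4.3.0. The old `~> 4.1` constraint already allowed 4.3.1, so the constraint change is harmless but not what fixes the issue.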
6 changes: 3 additions & 3 deletions Gemfile.lock
Expand Up @@ -83,7 +83,7 @@ GEM
mini_portile2 (2.4.0)
minitest (5.11.3)
msgpack (1.2.10)
nio4r (2.5.1)
nio4r (2.5.2)
nokogiri (1.10.5)
mini_portile2 (~> 2.4.0)
parallel (1.17.0)
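Review bot: the nio4r 2.5.1 -> 2.5.2 bump is not mentioned in the PR title or description. It is a transitive update that stays within the `nio4r (~> 2.0)` constraint puma declares further down in this lockfile, so it is expected, but the description should say the lock moves two gems, not one, so reviewers know what else changed.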
Expand All @@ -96,7 +96,7 @@ GEM
pry-rails (0.3.9)
pry (>= 0.10.4)
psych (3.1.0)
puma (4.1.1)
puma (4.3.1)
nio4r (~> 2.0)
rack (2.0.7)
rack-proxy (0.6.5)
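Review bot: this `puma (4.1.1)` -> `puma (4.3.1)` line is the change that actually closes CVE-2019-16770: 4.1.1 sits inside the affected range and 4.3.1 is the first patched 4.x release the advisory names. Confirm the deployment installs from the lockfile (for example `bundle install --deployment` or an equivalent frozen setting) so the pinned 4.3.1 is what runs rather than a fresh resolution against `~> 4.3`.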
Expand Down Expand Up @@ -197,7 +197,7 @@ DEPENDENCIES
listen (>= 3.0.5, < 3.2)
pg (>= 0.18, < 2.0)
pry-rails (~> 0.3)
puma (~> 4.1)
puma (~> 4.3)
rails (~> 5.2.3)
rubocop (~> 0.67)
sass-rails (~> 5.0)

0 comments on commit 4674e52
