Bump puma from 3.9.1 to 3.12.6

[dependabot]

Bumps puma from 3.9.1 to 3.12.6.

Release notes

Sourced from [puma's releases](https://github.com/puma/puma/releases).

v3.12.1

v3.11.4

No release notes provided.

3.11.0 - Love Song


• 2 features:

  • HTTP 103 Early Hints ([#1403](https://github-redirect.dependabot.com/Add early hints feature puma/puma#1403))
  • 421/451 status codes now have correct status messages attached ([#1435](https://github-redirect.dependabot.com/Added two new HTTP Status Codes 421, and 451. puma/puma#1435))

• 9 bugfixes:

  • Environment config files (/config/puma/.rb) load correctly ([#1340](https://github-redirect.dependabot.com/Fix environment file loader puma/puma#1340))
  • Specify windows dependencies correctly ([#1434](https://github-redirect.dependabot.com/Add msys2_mingw_dependencies to puma.gemspec puma/puma#1434), [#1436](https://github-redirect.dependabot.com/gemspec: correct msys2 metadata typo puma/puma#1436))
  • puma/events required in test helper ([#1418](https://github-redirect.dependabot.com/Require puma/events in test helper puma/puma#1418))
  • Correct control CLI's option help text ([#1416](https://github-redirect.dependabot.com/Control CLI Bug Fix puma/puma#1416))
  • Remove a warning for unused variable in mini_ssl ([#1409](https://github-redirect.dependabot.com/mini_ssl.c: Avoid warning: unused variable 'eng' puma/puma#1409))
  • Correct pumactl docs argument ordering ([#1427](https://github-redirect.dependabot.com/pumactl example in README doesn't work puma/puma#1427))
  • Fix an uninitialized variable warning in server.rb ([#1430](https://github-redirect.dependabot.com/Add @early_hints to Puma:Server initialize to avoid warnings puma/puma#1430))
  • Fix docs typo/error in Launcher init ([#1429](https://github-redirect.dependabot.com/puma/launcher: Fixed typo puma/puma#1429))
  • Deal with leading spaces in RUBYOPT ([#1455](https://github-redirect.dependabot.com/Puma::Launcher: avoid a leading space character in RUBYOPT puma/puma#1455))

• 2 other:

  • Add docs about internals ([#1425](https://github-redirect.dependabot.com/add Puma internal threads explaining puma/puma#1425), [#1452](https://github-redirect.dependabot.com/architecture documentation puma/puma#1452))
  • Tons of test fixes from @​MSP-Greg ([#1439](https://github-redirect.dependabot.com/Add ssl support to Windows builds, Appveyor puma/puma#1439), [#1442](https://github-redirect.dependabot.com/No more ubygems.rb in trunk / 2.5. Change -rubygems to -rrubygems puma/puma#1442), [#1464](https://github-redirect.dependabot.com/Combine PR's #1437, 44, & 63 puma/puma#1464))

3.10.0 - Russell's Teapot


• 3 features:

  • The status server has a new /gc and /gc-status command. ([#1384](https://github-redirect.dependabot.com/Add /gc URL to status server to do a major GC. Add a /gc-status URL for GC.stats. puma/puma#1384))
  • The persistent and first data timeouts are now configurable ([#1111](https://github-redirect.dependabot.com/Config first data timeout puma/puma#1111))
  • Implemented RFC 2324 ([#1392](https://github-redirect.dependabot.com/Implement rfc2324 section 2.3.2, Status 418: I'm a teapot. puma/puma#1392))

• 12 bugfixes:

  • Not really a Puma bug, but @​NickolasVashchenko created a gem to workaround a Ruby bug that some users of Puma may be experiencing. See README for more. ([#1347](https://github-redirect.dependabot.com/Mri gli pipe bug puma/puma#1347))
  • Fix hangups with SSL and persistent connections. ([#1334](https://github-redirect.dependabot.com/fix #1214 Puma >= 3.6.1 + SSL + Persistent Connections. Puma Hangs :( puma/puma#1334))
  • Fix Rails double-binding to a port ([#1383](https://github-redirect.dependabot.com/[close #1327] Fix double port bind in Rails puma/puma#1383))
  • Fix incorrect thread names ([#1368](https://github-redirect.dependabot.com/Fix incorrect thread name puma/puma#1368))
  • Fix issues with /etc/hosts and JRuby where localhost addresses were not correct. ([#1318](https://github-redirect.dependabot.com/Use Socket.ip_address_list to get loopback addresses puma/puma#1318))
  • Fix compatibility with RUBYOPT="--enable-frozen-string-literal" ([#1376](https://github-redirect.dependabot.com/Updates for frozen string literal compatibility. puma/puma#1376))
  • Fixed some compiler warnings ([#1388](https://github-redirect.dependabot.com/Compiler warnings fixes puma/puma#1388))
  • We actually run the integration tests in CI now ([#1390](https://github-redirect.dependabot.com/Fix failed tests for "rake test:integration" puma/puma#1390))
  • No longer shipping unnecessary directories in the gemfile ([#1391](https://github-redirect.dependabot.com/Include source and documdnts files only in the gem file. puma/puma#1391))
  • If RUBYOPT is nil, we no longer blow up on restart. ([#1385](https://github-redirect.dependabot.com/do not blow up when RUBYOPT is not defined puma/puma#1385))
  • Correct response to SIGINT ([#1377](https://github-redirect.dependabot.com/Setup signal to trap SIGINT and gracefully stop server puma/puma#1377))
  • Proper exit code returned when we receive a TERM signal ([#1337](https://github-redirect.dependabot.com/Return proper exit code for TERM signal puma/puma#1337))

• 3 refactors:

... (truncated)

Changelog

Sourced from [puma's changelog](https://github.com/puma/puma/blob/master/History.md).

4.3.4/4.3.5 and 3.12.5/3.12.6 / 2020-05-22

Each patchlevel release contains a separate security fix. We recommend simply upgrading to 4.3.5/3.12.6.

• Security
  • Fix: Fixed two separate HTTP smuggling vulnerabilities that used the Transfer-Encoding header. CVE-2020-11076 and CVE-2020-11077.

4.3.3 and 3.12.4 / 2020-02-28

• Bugfixes
  • Fix: Fixes a problem where we weren't splitting headers correctly on newlines ([#2132](https://github-redirect.dependabot.com/4.3.2 Unable to set cookie puma/puma#2132))
• Security
  • Fix: Prevent HTTP Response splitting via CR in early hints. CVE-2020-5249.

4.3.2 and 3.12.3 / 2020-02-27 (YANKED)

• Security
  • Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.

4.3.1 and 3.12.2 / 2019-12-05

• Security
  • Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770.

4.3.0 / 2019-11-07

• Features

  • Strip whitespace at end of HTTP headers ([#2010](https://github-redirect.dependabot.com/Strip header whitespace. Fix #1890. Code by @matthewd puma/puma#2010))
  • Optimize HTTP parser for JRuby ([#2012](https://github-redirect.dependabot.com/Small JRuby cleanups and optimizations puma/puma#2012))
  • Add SSL support for the control app and cli ([#2046](https://github-redirect.dependabot.com/Add SSL support for the control app puma/puma#2046), [#2052](https://github-redirect.dependabot.com/Add ssl support to the control_cli puma/puma#2052))

• Bugfixes

  • Fix Errno::EINVAL when SSL is enabled and browser rejects cert ([#1564](https://github-redirect.dependabot.com/Errno::EINVAL when SSL is enabled and Firefox does not trust self-signed cert puma/puma#1564))
  • Fix pumactl defaulting puma to development if an environment was not specified ([#2035](https://github-redirect.dependabot.com/Update pumactl to remove development as default environment puma/puma#2035))
  • Fix closing file stream when reading pid from pidfile ([#2048](https://github-redirect.dependabot.com/Close file stream when reading pid from pidfile puma/puma#2048))
  • Fix a typo in configuration option --extra_runtime_dependencies ([#2050](https://github-redirect.dependabot.com/Fix typo "c" -> "user_config" for --extra_runtime_dependencies puma/puma#2050))

4.2.1 / 2019-10-07

• 3 bugfixes
  • Fix socket activation of systemd (pre-existing) unix binder files ([#1842](https://github-redirect.dependabot.com/Socket removed after reload, part II puma/puma#1842), [#1988](https://github-redirect.dependabot.com/Socket removed after restart puma/puma#1988))
  • Deal with multiple calls to bind correctly ([#1986](https://github-redirect.dependabot.com/Error after binding to socket and port in one config puma/puma#1986), [#1994](https://github-redirect.dependabot.com/NoMethodError: undefined method `local_address' for #<Puma::MiniSSL::Server:0x000055903b829710> puma/puma#1994), [#2006](https://github-redirect.dependabot.com/Binder fixes for 4.2.1 puma/puma#2006))
  • Accepts symbols for verify_mode ([#1222](https://github-redirect.dependabot.com/Puma does not load a CA when verification mode is set to :peer puma/puma#1222))

4.2.0 / 2019-09-23

• 6 features
  • Pumactl has a new -e environment option and reads config/puma/<environment>.rb config files ([#1885](https://github-redirect.dependabot.com/Check puma config environment file on control_cli puma/puma#1885))
  • Semicolons are now allowed in URL paths (MRI only), useful for Angular or Redmine ([#1934](https://github-redirect.dependabot.com/Allow semicolon in url-path puma/puma#1934))
  • Allow extra dependencies to be defined when using prune_bundler ([#1105](https://github-redirect.dependabot.com/Allow extra runtime deps to be defined when using prune_bundler puma/puma#1105))

... (truncated)

Commits

• 0a3c09a Adjust test to match real world value
• e503cce Bump version
• 089df07 Reduce ambiguity of headers
• 99b18e8 Bump version
• 87e7fe4 Better handle client input
• f809e6b Add missing server_run
• 87fc7d7 3.12.4
• e79a5b2 HTTP Injection - fix bug + 1 more vector ([#2136](https://github-redirect.dependabot.com/HTTP Injection - fix bug + 1 more vectors puma/puma#2136))
• 2ff978f 3.12.3
• 3a2b918 Test backport
• Additional commits viewable in [compare view](https://github.com/puma/puma/compare/v3.9.1...v3.12.6)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

┆Issue is synchronized with this Asana task by Unito

[dependabot]

Superseded by #16.