Bump puma from 2.15.3 to 3.12.4

[dependabot[bot]]

Bumps puma from 2.15.3 to 3.12.4.

Release notes

Sourced from puma's releases.

v3.12.1

v3.11.4

No release notes provided.

3.11.0 - Love Song

• 2 features:

  • HTTP 103 Early Hints (#1403)
  • 421/451 status codes now have correct status messages attached (#1435)

• 9 bugfixes:

  • Environment config files (/config/puma/.rb) load correctly (#1340)
  • Specify windows dependencies correctly (#1434, #1436)
  • puma/events required in test helper (#1418)
  • Correct control CLI's option help text (#1416)
  • Remove a warning for unused variable in mini_ssl (#1409)
  • Correct pumactl docs argument ordering (#1427)
  • Fix an uninitialized variable warning in server.rb (#1430)
  • Fix docs typo/error in Launcher init (#1429)
  • Deal with leading spaces in RUBYOPT (#1455)

• 2 other:

  • Add docs about internals (#1425, #1452)
  • Tons of test fixes from @MSP-Greg (#1439, #1442, #1464)

3.10.0 - Russell's Teapot

• 3 features:

  • The status server has a new /gc and /gc-status command. (#1384)
  • The persistent and first data timeouts are now configurable (#1111)
  • Implemented RFC 2324 (#1392)

• 12 bugfixes:

  • Not really a Puma bug, but @NickolasVashchenko created a gem to workaround a Ruby bug that some users of Puma may be experiencing. See README for more. (#1347)
  • Fix hangups with SSL and persistent connections. (#1334)
  • Fix Rails double-binding to a port (#1383)
  • Fix incorrect thread names (#1368)
  • Fix issues with /etc/hosts and JRuby where localhost addresses were not correct. (#1318)
  • Fix compatibility with RUBYOPT="--enable-frozen-string-literal" (#1376)
  • Fixed some compiler warnings (#1388)
  • We actually run the integration tests in CI now (#1390)
  • No longer shipping unnecessary directories in the gemfile (#1391)
  • If RUBYOPT is nil, we no longer blow up on restart. (#1385)
  • Correct response to SIGINT (#1377)
  • Proper exit code returned when we receive a TERM signal (#1337)

• 3 refactors:

... (truncated)

Changelog

Sourced from puma's changelog.

4.3.3 and 3.12.4 / 2020-02-28

• Bugfixes
  • Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
• Security
  • Fix: Prevent HTTP Response splitting via CR in early hints. CVE-2020-5249.

4.3.2 and 3.12.3 / 2020-02-27 (YANKED)

• Security
  • Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.

4.3.1 and 3.12.2 / 2019-12-05

• Security
  • Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770.

4.3.0 / 2019-11-07

• Features

  • Strip whitespace at end of HTTP headers (#2010)
  • Optimize HTTP parser for JRuby (#2012)
  • Add SSL support for the control app and cli (#2046, #2052)

• Bugfixes

  • Fix Errno::EINVAL when SSL is enabled and browser rejects cert (#1564)
  • Fix pumactl defaulting puma to development if an environment was not specified (#2035)
  • Fix closing file stream when reading pid from pidfile (#2048)
  • Fix a typo in configuration option --extra_runtime_dependencies (#2050)

4.2.1 / 2019-10-07

• 3 bugfixes
  • Fix socket activation of systemd (pre-existing) unix binder files (#1842, #1988)
  • Deal with multiple calls to bind correctly (#1986, #1994, #2006)
  • Accepts symbols for verify_mode (#1222)

4.2.0 / 2019-09-23

• 6 features
  • Pumactl has a new -e environment option and reads config/puma/<environment>.rb config files (#1885)
  • Semicolons are now allowed in URL paths (MRI only), useful for Angular or Redmine (#1934)
  • Allow extra dependencies to be defined when using prune_bundler (#1105)
  • Puma now reports the correct port when binding to port 0, also reports other listeners when binding to localhost (#1786)
  • Sending SIGINFO to any Puma worker now prints currently active threads and their backtraces (#1320)
  • Puma threads all now have their name set on Ruby 2.3+ (#1968)
• 4 bugfixes
  • Fix some misbehavior with phased restart and externally SIGTERMed workers (#1908, #1952)
  • Fix socket closing on error (#1941)
  • Removed unnecessary SIGINT trap for JRuby that caused some race conditions (#1961)

... (truncated)

Commits

• f809e6b Add missing server_run
• 87fc7d7 3.12.4
• e79a5b2 HTTP Injection - fix bug + 1 more vector (#2136)
• 2ff978f 3.12.3
• 3a2b918 Test backport
• 37928cb 4.3.2 and 3.12.3 release notes
• 1b17e85 Merge pull request from GHSA-84j7-475p-hp8v
• bb29fc7 3.12.2
• 058df12 4.3.1 and 4.2.1 release notes
• 06053e6 Merge pull request from GHSA-7xx3-m584-x994
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/wellcomecollection/alpha/network/alerts).