Bump puma from 5.5.0 to 5.6.4

[dependabot[bot]]

trafficstars

Bumps puma from 5.5.0 to 5.6.4.

Release notes

Sourced from puma's releases.

5.6.4

• Security
  • Close several HTTP Request Smuggling exploits (CVE-2022-24790)

The 5.6.3 release was a mistake (released the wrong branch), 5.6.4 is correct.

5.6.2 / 2022-02-11

• Bugfix/Security
  • Response body will always be closed. (GHSA-rmj8-8hhh-gv5h, related to #2809)

5.6.1

Bugfixes

• Reverted a commit which appeared to be causing occasional blank header values (see issue #2808) (#2809)

Full Changelog: https://github.com/puma/puma/compare/v5.6.0...v5.6.1

5.6.0 - Birdie's Version

Maintainer @​nateberkopec had a daughter, nicknamed Birdie:

5.6.0 / 2022-01-25

• Features

  • Support localhost integration in ssl_bind (#2764, #2708)
  • Allow backlog parameter to be set with ssl_bind DSL (#2780)
  • Remove yaml (psych) requirement in StateFile (#2784)
  • Allow culling of oldest workers, previously was only youngest (#2773, #2794)
  • Add worker_check_interval configuration option (#2759)
  • Always send lowlevel_error response to client (#2731, #2341)
  • Support for cert_pem and key_pem with ssl_bind DSL (#2728)

• Bugfixes

  • Keep thread names under 15 characters, prevents breakage on some OSes (#2733)
  • Fix two 'old-style-definition' compile warning (#2807, #2806)
  • Log environment correctly using option value (#2799)
  • Fix warning from Ruby master (will be 3.2.0) (#2785)
  • extconf.rb - fix openssl with old Windows builds (#2757)
  • server.rb - rescue handling (Errno::EBADF) for @notify.close (#2745)

• Refactor

  • server.rb - refactor code using @​options[:remote_address] (#2742)
  • [jruby] a couple refactorings - avoid copy-ing bytes (#2730)

5.5.2

Re-allows UTF-8 in HTTP header values

5.5.1

https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

Changelog

Sourced from puma's changelog.

5.6.4 / 2022-03-30

• Security
  • Close several HTTP Request Smuggling exploits (CVE-2022-24790)

5.6.2 / 2022-02-11

• Bugfix/Security
  • Response body will always be closed. (GHSA-rmj8-8hhh-gv5h, related to #2809)

5.6.1 / 2022-01-26

• Bugfixes
  • Reverted a commit which appeared to be causing occasional blank header values (#2809)

5.6.0 / 2022-01-25

• Features

  • Support localhost integration in ssl_bind (#2764, #2708)
  • Allow backlog parameter to be set with ssl_bind DSL (#2780)
  • Remove yaml (psych) requirement in StateFile (#2784)
  • Allow culling of oldest workers, previously was only youngest (#2773, #2794)
  • Add worker_check_interval configuration option (#2759)
  • Always send lowlevel_error response to client (#2731, #2341)
  • Support for cert_pem and key_pem with ssl_bind DSL (#2728)

• Bugfixes

  • Keep thread names under 15 characters, prevents breakage on some OSes (#2733)
  • Fix two 'old-style-definition' compile warning (#2807, #2806)
  • Log environment correctly using option value (#2799)
  • Fix warning from Ruby master (will be 3.2.0) (#2785)
  • extconf.rb - fix openssl with old Windows builds (#2757)
  • server.rb - rescue handling (Errno::EBADF) for @notify.close (#2745)

• Refactor

  • server.rb - refactor code using @​options[:remote_address] (#2742)
  • [jruby] a couple refactorings - avoid copy-ing bytes (#2730)

5.5.2 / 2021-10-12

• Bugfixes
  • Allow UTF-8 in HTTP header values

5.5.1 / 2021-10-12

• Feature (added as mistake - we don't normally do this on bugfix releases, sorry!)

  • Allow setting APP_ENV in preference to RACK_ENV or RAILS_ENV (#2702)

• Security

  • Do not allow LF as a line ending in a header (CVE-2021-41136)

Commits

• 7add06a 5.6.4
• 4475a46 5.6.3
• 5bb7d20 Merge pull request from GHSA-h99w-9q5r-gjq9
• c6340d1 5.6.2 (#2821)
• e0753de 2.6.1
• 7008a61 Revert "Always send lowlevel_error response to client (#2731)" (#2809)
• 61ebbbe 5.6.0
• d20915d Fix two 'old-style-definition' compile warning (#2807)
• 930e5b4 Fix typo in CONTRIBUTING (#2805)
• c38d61c CONTRIBUTING: file limits
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)