From da79ada72a9930917c3d205a1f1c86ac0e629973 Mon Sep 17 00:00:00 2001
From: Pascal Ernster <pascal.ernster@rub.de>
Date: Thu, 13 Mar 2025 18:03:55 +0100
Subject: [PATCH] hyrax/Gemfile: Bump puma to >= 5.6.9

This fixes the following security vulnerabilities reported against the previously locked puma 3.12.6, all of which are resolved in the 5.x line at or before 5.6.9:

Name: puma
Version: 3.12.6
CVE: CVE-2021-29509
GHSA: GHSA-q28m-8xjw-8vr5
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
Title: Keepalive Connections Causing Denial Of Service in puma
Solution: update to '~> 4.3.8', '>= 5.3.1'

Name: puma
Version: 3.12.6
CVE: CVE-2021-41136
GHSA: GHSA-48w2-rm65-62xx
Criticality: Low
URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Solution: update to '~> 4.3.9', '>= 5.5.1'

Name: puma
Version: 3.12.6
CVE: CVE-2022-23634
GHSA: GHSA-rmj8-8hhh-gv5h
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
Title: Information Exposure with Puma when used with Rails
Solution: update to '~> 4.3.11', '>= 5.6.2'

Name: puma
Version: 3.12.6
CVE: CVE-2022-24790
GHSA: GHSA-h99w-9q5r-gjq9
Criticality: Critical
URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
Title: HTTP Request Smuggling in puma
Solution: update to '~> 4.3.12', '>= 5.6.4'

Name: puma
Version: 3.12.6
CVE: CVE-2023-40175
GHSA: GHSA-68xg-gqqm-vgj8
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8
Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma
Solution: update to '~> 5.6.7', '>= 6.3.1'

Name: puma
Version: 3.12.6
CVE: CVE-2024-21647
GHSA: GHSA-c2f4-cvqm-65w2
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
Title: Puma HTTP Request/Response Smuggling vulnerability
Solution: update to '~> 5.6.8', '>= 6.4.2'

Name: puma
Version: 3.12.6
CVE: CVE-2024-45614
GHSA: GHSA-9hf4-67fc-4vf4
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
Title: Puma's header normalization allows for client to clobber proxy set headers
Solution: update to '~> 5.6.9', '>= 6.4.3'

Signed-off-by: Pascal Ernster <pascal.ernster@rub.de>
---
 hyrax/Gemfile      | 2 +-
 hyrax/Gemfile.lock | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/hyrax/Gemfile b/hyrax/Gemfile
index a39a067b..e20b7e23 100644
--- a/hyrax/Gemfile
+++ b/hyrax/Gemfile
@@ -8,7 +8,7 @@ gem 'rails', '~> 5.2.6'
 # Use sqlite3 as the database for Active Record
 gem "sqlite3", "~> 1.3.0"
 # Use Puma as the app server
-gem 'puma', '~> 3.11'
+gem 'puma', '>= 5.6.9', '< 6'
 # Use SCSS for stylesheets
 gem 'sass-rails', '~> 5.0'
 # Use Uglifier as compressor for JavaScript assets
diff --git a/hyrax/Gemfile.lock b/hyrax/Gemfile.lock
index 86b49f9e..d73fca84 100644
--- a/hyrax/Gemfile.lock
+++ b/hyrax/Gemfile.lock
@@ -695,7 +695,8 @@ GEM
     power_converter (0.1.2)
     psych (3.3.4)
     public_suffix (5.1.1)
-    puma (3.12.6)
+    puma (5.6.9)
+      nio4r (~> 2.0)
     qa (5.14.0)
       activerecord-import
       deprecation
@@ -1076,7 +1077,7 @@ DEPENDENCIES
   omniauth-rails_csrf_protection
   omniauth-saml (>= 2.1.3, < 3)
   pg
-  puma (~> 3.11)
+  puma (>= 5.6.9, < 6)
   rails (~> 5.2.6)
   redis (~> 4.0)
   riiif (~> 2.3)
-- 
GitLab