Verified Commit da79ada7 authored by Pascal Ernster

hyrax/Gemfile: Bump puma to >= 5.6.9

This fixes the following security vulnerabilities:

Name: puma
Version: 3.12.6
CVE: CVE-2021-29509
GHSA: GHSA-q28m-8xjw-8vr5
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
Title: Keepalive Connections Causing Denial Of Service in puma
Solution: update to '~> 4.3.8', '>= 5.3.1'

Name: puma
Version: 3.12.6
CVE: CVE-2021-41136
GHSA: GHSA-48w2-rm65-62xx
Criticality: Low
URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Solution: update to '~> 4.3.9', '>= 5.5.1'

Name: puma
Version: 3.12.6
CVE: CVE-2022-23634
GHSA: GHSA-rmj8-8hhh-gv5h
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
Title: Information Exposure with Puma when used with Rails
Solution: update to '~> 4.3.11', '>= 5.6.2'

Name: puma
Version: 3.12.6
CVE: CVE-2022-24790
GHSA: GHSA-h99w-9q5r-gjq9
Criticality: Critical
URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
Title: HTTP Request Smuggling in puma
Solution: update to '~> 4.3.12', '>= 5.6.4'

Name: puma
Version: 3.12.6
CVE: CVE-2023-40175
GHSA: GHSA-68xg-gqqm-vgj8
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8
Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma
Solution: update to '~> 5.6.7', '>= 6.3.1'

Name: puma
Version: 3.12.6
CVE: CVE-2024-21647
GHSA: GHSA-c2f4-cvqm-65w2
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
Title: Puma HTTP Request/Response Smuggling vulnerability
Solution: update to '~> 5.6.8', '>= 6.4.2'

Name: puma
Version: 3.12.6
CVE: CVE-2024-45614
GHSA: GHSA-9hf4-67fc-4vf4
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
Title: Puma's header normalization allows for client to clobber proxy set headers
Solution: update to '~> 5.6.9', '>= 6.4.3'

Signed-off-by: Pascal Ernster <pascal.ernster@rub.de>
parent c78c95bb
Pipeline #20581 failed
......@@ -8,7 +8,7 @@ gem 'rails', '~> 5.2.6'
# Use sqlite3 as the database for Active Record
gem "sqlite3", "~> 1.3.0"
# Use Puma as the app server
gem 'puma', '~> 3.11'
gem 'puma', '>= 5.6.9', '< 6'
# Use SCSS for stylesheets
gem 'sass-rails', '~> 5.0'
# Use Uglifier as compressor for JavaScript assets
......
......@@ -695,7 +695,8 @@ GEM
power_converter (0.1.2)
psych (3.3.4)
public_suffix (5.1.1)
puma (3.12.6)
puma (5.6.9)
nio4r (~> 2.0)
qa (5.14.0)
activerecord-import
deprecation
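Review bot: the lock entry `puma (5.6.9)` gains a runtime dependency line `nio4r (~> 2.0)` that `puma (3.12.6)` did not have, yet this diff adds no resolved `nio4r (x.y.z)` entry to the GEM section. That is only correct if nio4r is already pinned elsewhere in Gemfile.lock; please confirm that, or the lock is inconsistent and `bundle install` will re-resolve. Also note that 5.6.9 is exactly the floor from the Gemfile, so any future `bundle update puma` stays on the 5.6.x line because of the `< 6` cap.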
......@@ -1076,7 +1077,7 @@ DEPENDENCIES
omniauth-rails_csrf_protection
omniauth-saml (>= 2.1.3, < 3)
pg
puma (~> 3.11)
puma (>= 5.6.9, < 6)
rails (~> 5.2.6)
redis (~> 4.0)
riiif (~> 2.3)
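Review bot: `puma (>= 5.6.9, < 6)` in DEPENDENCIES matches the Gemfile constraint, and the visible hunks touch only puma lines in the lock, which is what a conservative `bundle update puma` should produce; nothing else to change here.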
......