puma 3.8.2 → 4.3.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 7b623ac72b5bea3525cc1c76bd48385e0eef0a17
-  data.tar.gz: d5a2ec55bef9deb959e22faa6c077e7b323a7834
+SHA256:
+  metadata.gz: 55de061927f854a6aa5886c0ef6573a6a95306afadf4eb156fbf3e59d54f3574
+  data.tar.gz: 9b58b994708cae549af93d92568f5111eb831404f9f189662ea73ff5c914ece3
 SHA512:
-  metadata.gz: 33c903e1d88e6552d8146a9fd1a829f8c6e8f15d131ec37854d29025952186a9cafda9204b89d12682f3905973bb8c6c0606948587e34b36b62d24c16ad5572b
-  data.tar.gz: d4137246420030c7e1deb7988c7cf15f20b8543211d6c1ef6fae240092941aeeae60c53353d81d8aa7b62064410119f4e4a80d8427b16a5d6c98d4a6fe51b495
+  metadata.gz: a5208ba5fc102a2d5df875490bf99afdf95aa2614a82503806aedf13dcf58c61cd62551aece57762bc6c54f5ae71a3517efb4b17d4d9eace27f99270ec1b9f6e
+  data.tar.gz: 5555c0290a7db01cdddfb19555caaa9b4d20085ef28297d436f3f37c2e5732d53f754d2ced9f76ffbc061c20e401ae68fd4819e630e12f17d335e6464dc42615

data/History.md

@@ -1,3 +1,299 @@
+## 4.3.12 / 2022-03-30
+
+* Security
+  * Close several HTTP Request Smuggling exploits (CVE-2022-24790)
+
+## 4.3.11 / 2022-02-11
+
+* Security
+  * Always close the response body (GHSA-rmj8-8hhh-gv5h)
+
+## 4.3.10 / 2021-10-12
+
+* Bugfixes
+  * Allow UTF-8 in HTTP header values
+
+## 4.3.9 / 2021-10-12
+
+* Security
+  * Do not allow LF as a line ending in a header (CVE-2021-41136)
+
+## 4.3.8 / 2021-05-11
+
+* Security
+  * Close keepalive connections after the maximum number of fast inlined requests (#2625)
+
+## 4.3.7 / 2020-11-30
+
+* Bugfixes
+  * Backport set CONTENT_LENGTH for chunked requests (Originally: #2287, backport: #2496)
+
+## 4.3.6 / 2020-09-05
+
+* Bugfixes
+  * Explicitly include ctype.h to fix compilation warning and build error on macOS with Xcode 12 (#2304)
+  * Don't require json at boot (#2269)
+  * Set `CONTENT_LENGTH` for chunked requests (#2287)
+
+## 4.3.4/4.3.5 and 3.12.5/3.12.6 / 2020-05-22
+
+Each patchlevel release contains a separate security fix. We recommend simply upgrading to 4.3.5/3.12.6.
+
+## 4.3.3 and 3.12.4 / 2020-02-28
+  * Bugfixes
+    * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
+  * Security
+    * Fix: Prevent HTTP Response splitting via CR in early hints.
+
+## 4.3.2 and 3.12.3 / 2020-02-27
+
+* Security
+  * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
+
+## 4.3.1 and 3.12.2 / 2019-12-05
+
+* Security
+  * Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770.
+
+## 4.3.0 / 2019-11-07
+
+* Features
+  * Strip whitespace at end of HTTP headers (#2010)
+  * Optimize HTTP parser for JRuby (#2012)
+  * Add SSL support for the control app and cli (#2046, #2052)
+
+* Bugfixes
+  * Fix Errno::EINVAL when SSL is enabled and browser rejects cert (#1564)
+  * Fix pumactl defaulting puma to development if an environment was not specified (#2035)
+  * Fix closing file stream when reading pid from pidfile (#2048)
+  * Fix a typo in configuration option `--extra_runtime_dependencies` (#2050)
+
+## 4.2.1 / 2019-10-07
+
+* 3 bugfixes
+  * Fix socket activation of systemd (pre-existing) unix binder files (#1842, #1988)
+  * Deal with multiple calls to bind correctly (#1986, #1994, #2006)
+  * Accepts symbols for `verify_mode` (#1222)
+
+## 4.2.0 / 2019-09-23
+
+* 6 features
+  * Pumactl has a new -e environment option and reads `config/puma/<environment>.rb` config files (#1885)
+  * Semicolons are now allowed in URL paths (MRI only), useful for Angular or Redmine (#1934)
+  * Allow extra dependencies to be defined when using prune_bundler (#1105)
+  * Puma now reports the correct port when binding to port 0, also reports other listeners when binding to localhost (#1786)
+  * Sending SIGINFO to any Puma worker now prints currently active threads and their backtraces (#1320)
+  * Puma threads all now have their name set on Ruby 2.3+ (#1968)
+* 4 bugfixes
+  * Fix some misbehavior with phased restart and externally SIGTERMed workers (#1908, #1952)
+  * Fix socket closing on error (#1941)
+  * Removed unnecessary SIGINT trap for JRuby that caused some race conditions (#1961)
+  * Fix socket files being left around after process stopped (#1970)
+* Absolutely thousands of lines of test improvements and fixes thanks to @MSP-Greg
+
+## 4.1.1 / 2019-09-05
+
+* 3 bugfixes
+  * Revert our attempt to not dup STDOUT/STDERR (#1946)
+  * Fix socket close on error (#1941)
+  * Fix workers not shutting down correctly (#1908)
+
+## 4.1.0 / 2019-08-08
+
+* 4 features
+  * Add REQUEST_PATH on parse error message (#1831)
+  * You can now easily add custom log formatters with the `log_formatter` config option (#1816)
+  * Puma.stats now provides process start times (#1844)
+  * Add support for disabling TLSv1.1 (#1836)
+
+* 7 bugfixes
+  * Fix issue where Puma was creating zombie process entries (#1887)
+  * Fix bugs with line-endings and chunked encoding (#1812)
+  * RACK_URL_SCHEME is now set correctly in all conditions (#1491)
+  * We no longer mutate global STDOUT/STDERR, particularly the sync setting (#1837)
+  * SSL read_nonblock no longer blocks (#1857)
+  * Swallow connection errors when sending early hints (#1822)
+  * Backtrace no longer dumped when invalid pumactl commands are run (#1863)
+
+* 5 other
+  * Avoid casting worker_timeout twice (#1838)
+  * Removed a call to private that wasn't doing anything (#1882)
+  * README, Rakefile, docs and test cleanups (#1848, #1847, #1846, #1853, #1859, #1850, #1866, #1870, #1872, #1833, #1888)
+  * Puma.io has proper documentation now (https://puma.io/puma/)
+  * Added the Contributor Covenant CoC
+
+* 1 known issue
+  * Some users are still experiencing issues surrounding socket activation and Unix sockets (#1842)
+
+## 4.0.1 / 2019-07-11
+
+* 2 bugfixes
+  * Fix socket removed after reload - should fix problems with systemd socket activation. (#1829)
+  * Add extconf tests for DTLS_method & TLS_server_method, use in minissl.rb. Should fix "undefined symbol: DTLS_method" when compiling against old OpenSSL versions. (#1832)
+* 1 other
+  * Removed unnecessary RUBY_VERSION checks. (#1827)
+
+## 4.0.0 / 2019-06-25
+
+* 9 features
+  * Add support for disabling TLSv1.0 (#1562)
+  * Request body read time metric (#1569)
+  * Add out_of_band hook (#1648)
+  * Re-implement (native) IOBuffer for JRuby (#1691)
+  * Min worker timeout (#1716)
+  * Add option to suppress SignalException on SIGTERM (#1690)
+  * Allow mutual TLS CA to be set using `ssl_bind` DSL (#1689)
+  * Reactor now uses nio4r instead of `select` (#1728)
+  * Add status to pumactl with pidfile (#1824)
+
+* 10 bugfixes
+  * Do not accept new requests on shutdown (#1685, #1808)
+  * Fix 3 corner cases when request body is chunked (#1508)
+  * Change pid existence check's condition branches (#1650)
+  * Don't call .stop on a server that doesn't exist (#1655)
+  * Implemented NID_X9_62_prime256v1 (P-256) curve over P-521 (#1671)
+  * Fix @notify.close can't modify frozen IOError (RuntimeError) (#1583)
+  * Fix Java 8 support (#1773)
+  * Fix error `uninitialized constant Puma::Cluster` (#1731)
+  * Fix `not_token` being able to be set to true (#1803)
+  * Fix "Hang on SIGTERM with ruby 2.6 in clustered mode" ([PR #1741], [#1674], [#1720], [#1730], [#1755])
+
+[PR #1741]: https://github.com/puma/puma/pull/1741
+[#1674]: https://github.com/puma/puma/issues/1674
+[#1720]: https://github.com/puma/puma/issues/1720
+[#1730]: https://github.com/puma/puma/issues/1730
+[#1755]: https://github.com/puma/puma/issues/1755
+
+## 3.12.1 / 2019-03-19
+
+* 1 features
+  * Internal strings are frozen (#1649)
+* 3 bugfixes
+  * Fix chunked ending check (#1607)
+  * Rack handler should use provided default host (#1700)
+  * Better support for detecting runtimes that support `fork` (#1630)
+
+## 3.12.0 / 2018-07-13
+
+* 5 features:
+  * You can now specify which SSL ciphers the server should support, default is unchanged (#1478)
+  * The setting for Puma's `max_threads` is now in `Puma.stats` (#1604)
+  * Pool capacity is now in `Puma.stats` (#1579)
+  * Installs restricted to Ruby 2.2+ (#1506)
+  * `--control` is now deprecated in favor of `--control-url` (#1487)
+
+* 2 bugfixes:
+  * Workers will no longer accept more web requests than they have capacity to process. This prevents an issue where one worker would accept lots of requests while starving other workers (#1563)
+  * In a test env puma now emits the stack on an exception (#1557)
+
+## 3.11.4 / 2018-04-12
+
+* 2 features:
+  * Manage puma as a service using rc.d (#1529)
+  * Server stats are now available from a top level method (#1532)
+* 5 bugfixes:
+  * Fix parsing CLI options (#1482)
+  * Order of stderr and stdout is made before redirecting to a log file (#1511)
+  * Init.d fix of `ps -p` to check if pid exists (#1545)
+  * Early hints bugfix (#1550)
+  * Purge interrupt queue when closing socket fails (#1553)
+
+## 3.11.3 / 2018-03-05
+
+* 3 bugfixes:
+  * Add closed? to MiniSSL::Socket for use in reactor (#1510)
+  * Handle EOFError at the toplevel of the server threads (#1524) (#1507)
+  * Deal with zero sized bodies when using SSL (#1483)
+
+## 3.11.2 / 2018-01-19
+
+* 1 bugfix:
+  * Deal with read\_nonblock returning nil early
+
+## 3.11.1 / 2018-01-18
+
+* 1 bugfix:
+  * Handle read\_nonblock returning nil when the socket close (#1502)
+
+## 3.11.0 / 2017-11-20
+
+* 2 features:
+  * HTTP 103 Early Hints (#1403)
+  * 421/451 status codes now have correct status messages attached (#1435)
+
+* 9 bugfixes:
+  * Environment config files (/config/puma/<ENV>.rb) load correctly (#1340)
+  * Specify windows dependencies correctly (#1434, #1436)
+  * puma/events required in test helper (#1418)
+  * Correct control CLI's option help text (#1416)
+  * Remove a warning for unused variable in mini_ssl (#1409)
+  * Correct pumactl docs argument ordering (#1427)
+  * Fix an uninitialized variable warning in server.rb (#1430)
+  * Fix docs typo/error in Launcher init (#1429)
+  * Deal with leading spaces in RUBYOPT (#1455)
+
+* 2 other:
+  * Add docs about internals (#1425, #1452)
+  * Tons of test fixes from @MSP-Greg (#1439, #1442, #1464)
+
+## 3.10.0 / 2017-08-17
+
+* 3 features:
+  * The status server has a new /gc and /gc-status command. (#1384)
+  * The persistent and first data timeouts are now configurable (#1111)
+  * Implemented RFC 2324 (#1392)
+
+* 12 bugfixes:
+  * Not really a Puma bug, but @NickolasVashchenko created a gem to workaround a Ruby bug that some users of Puma may be experiencing. See README for more. (#1347)
+  * Fix hangups with SSL and persistent connections. (#1334)
+  * Fix Rails double-binding to a port (#1383)
+  * Fix incorrect thread names (#1368)
+  * Fix issues with /etc/hosts and JRuby where localhost addresses were not correct. (#1318)
+  * Fix compatibility with RUBYOPT="--enable-frozen-string-literal" (#1376)
+  * Fixed some compiler warnings (#1388)
+  * We actually run the integration tests in CI now (#1390)
+  * No longer shipping unnecessary directories in the gemfile (#1391)
+  * If RUBYOPT is nil, we no longer blow up on restart. (#1385)
+  * Correct response to SIGINT (#1377)
+  * Proper exit code returned when we receive a TERM signal (#1337)
+
+* 3 refactors:
+  * Various test improvements from @grosser
+  * Rubocop (#1325)
+  * Hoe has been removed (#1395)
+
+* 1 known issue:
+  * Socket activation doesn't work in JRuby. Their fault, not ours. (#1367)
+
+## 3.9.1 / 2017-06-03
+
+* 2 bugfixes:
+  * Fixed compatibility with older Bundler versions (#1314)
+  * Some internal test/development cleanup (#1311, #1313)
+
+## 3.9.0 / 2017-06-01
+
+* 2 features:
+  * The ENV is now reset to its original values when Puma restarts via USR1/USR2 (#1260) (MRI only, no JRuby support)
+  * Puma will no longer accept more clients than the maximum number of threads. (#1278)
+
+* 9 bugfixes:
+  * Reduce information leakage by preventing HTTP parse errors from writing environment hashes to STDERR (#1306)
+  * Fix SSL/WebSocket compatibility (#1274)
+  * HTTP headers with empty values are no longer omitted from responses. (#1261)
+  * Fix a Rack env key which was set to nil. (#1259)
+  * peercert has been implemented for JRuby (#1248)
+  * Fix port settings when using rails s (#1277, #1290)
+  * Fix compat w/LibreSSL (#1285)
+  * Fix restarting Puma w/symlinks and a new Gemfile (#1282)
+  * Replace Dir.exists? with Dir.exist? (#1294)
+
+* 1 known issue:
+  * A bug in MRI 2.2+ can result in IOError: stream closed. See #1206. This issue has existed since at least Puma 3.6, and probably further back.
+
+* 1 refactor:
+  * Lots of test fixups from @grosser.
+
 ## 3.8.2 / 2017-03-14
 
 * 1 bugfix:
@@ -1274,3 +1570,12 @@ be added back in a future date when a java Puma::MiniSSL is added.
 ## 1.0.0 / 2012-03-29
 
 * Released!
+
+## Ignore - this is for maintainers to copy-paste during release
+## Master
+
+* Features
+  * Your feature goes here (#Github Number)
+
+* Bugfixes
+  * Your bugfix goes here (#Github Number)