[Git][security-tracker-team/security-tracker][master] CVE-2022-32224/rails: compatibility improvement

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Tue May 5 08:59:49 BST 2026 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
843f225e by Sylvain Beucler at 2026-05-05T09:59:42+02:00
CVE-2022-32224/rails: compatibility improvement

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -397764,6 +397764,18 @@ CVE-2022-32224 (A possible escalation to RCE vulnerability exists when using YAM
 	NOTE: Psych 4.0 redirects 'YAML.load' from 'YAML.unsafe_load' to 'YAML.safe_load'; 'unsafe_load' introduced in 3.3.2.
 	NOTE: "This may introduce backwards compatibility issues with existing data."
 	NOTE: https://lists.debian.org/debian-lts/2022/09/msg00004.html
+	NOTE: Adding 'Symbol' to 'yaml_column_permitted_classes' by default:
+	NOTE: https://github.com/rails/rails/commit/fbb7f0b407c96cb38fba6b2e8cb8ce12252738da (v6.1.7)
+	NOTE: https://github.com/rails/rails/commit/6a421e4a6a16eacfb7444108fd24c33d11cdd0a7 (v6.1.7)
+	NOTE: https://github.com/rails/rails/commit/b521e2ecfc1f94b2d594f9ba9c5fa80b1c58566e (v6.0.6)
+	NOTE: https://github.com/rails/rails/commit/aa5cac1c960190829be7c5e9441d9c07ac2ede69 (5-2-stable)
+	NOTE: Performance follow-up:
+	NOTE: https://github.com/rails/rails/commit/efc58abc8860a4901393e69361a216203cb21043 (v6.1.7)
+	NOTE: https://github.com/rails/rails/commit/f69034d94868e58c83aeb4125dad80531b74efd4 (v6.1.7)
+	NOTE: https://github.com/rails/rails/commit/9db14db093d2065a50ed1f14e70f78d35810e05a (v6.0.6)
+	NOTE: https://github.com/rails/rails/commit/a5f27f6ace95e07ae30b6d92e71cb35f891d9b1a (v6.0.6)
+	NOTE: https://github.com/rails/rails/commit/5436676014340247ee4e53ecd2c71cab34059383 (5-2-stable)
+	NOTE: https://github.com/rails/rails/commit/21cd60ee88c413b2a58552c4b31c4d9e8c17f4eb (5-2-stable)
 CVE-2022-32223 (Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under ce ...)
 	- nodejs <not-affected> (Only affects Windows)
 	NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dll-hijacking-on-windows-high-cve-2022-32223



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/843f225e6e9913a2bada97e5bbe09ef36baf8abd

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/843f225e6e9913a2bada97e5bbe09ef36baf8abd
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260505/a0a9510d/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list