[DRE-maint] Bug#1005391: puma: CVE-2022-23634
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 12 18:51:10 GMT 2022
Source: puma
Version: 5.5.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for puma.
CVE-2022-23634[0]:
| Puma is a Ruby/Rack web server built for parallelism. Prior to `puma`
| version `5.6.2`, `puma` may not always call `close` on the response
| body. Rails, prior to version `7.0.2.2`, depended on the response body
| being closed in order for its `CurrentAttributes` implementation to
| work correctly. The combination of these two behaviors (Puma not
| closing the body + Rails' Executor implementation) causes information
| leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This
| problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and
| 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the
| vulnerability.
Note that the respective rails CVE is CVE-2022-23633.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-23634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
[1] https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
[2] https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list