Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 833155 (CVE-2022-23634)

Summary: <www-servers/puma-5.6.2: information leak between requests
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
See Also: https://bugs.gentoo.org/show_bug.cgi?id=833150
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 03:56:49 UTC
CVE-2022-23634:

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

Please bump to 5.6.2.
Comment 1 Hans de Graaff gentoo-dev 2022-02-12 07:24:11 UTC
Puma 5.6.2 has now been added.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 17:28:10 UTC
Thanks, please cleanup!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 17:29:03 UTC
(In reply to John Helmert III from comment #2)
> Thanks, please cleanup!

Sorry, this one needs stabilization.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 05:05:18 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2022-08-14 21:43:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=74f54f14d9074878f0b2b711ab3064799b15e9cb

commit 74f54f14d9074878f0b2b711ab3064799b15e9cb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 21:41:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 21:43:20 +0000

    [ GLSA 202208-28 ] Puma: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/794034
    Bug: https://bugs.gentoo.org/817893
    Bug: https://bugs.gentoo.org/833155
    Bug: https://bugs.gentoo.org/836431
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-28.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 21:44:15 UTC
GLSA done, all done.