CVE-2022-23634: Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability. Please bump to 5.6.2.
Puma 5.6.2 has now been added.
Thanks, please cleanup!
(In reply to John Helmert III from comment #2) > Thanks, please cleanup! Sorry, this one needs stabilization.
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=74f54f14d9074878f0b2b711ab3064799b15e9cb commit 74f54f14d9074878f0b2b711ab3064799b15e9cb Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-08-14 21:41:58 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-08-14 21:43:20 +0000 [ GLSA 202208-28 ] Puma: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/794034 Bug: https://bugs.gentoo.org/817893 Bug: https://bugs.gentoo.org/833155 Bug: https://bugs.gentoo.org/836431 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202208-28.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+)
GLSA done, all done.