Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 833155 (CVE-2022-23634) - <www-servers/puma-5.6.2.: information leak between requests
Summary: <www-servers/puma-5.6.2.: information leak between requests
Status: IN_PROGRESS
Alias: CVE-2022-23634
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/puma/puma/security...
Whiteboard: B4 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-12 03:56 UTC by John Helmert III
Modified: 2022-02-12 17:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 03:56:49 UTC
CVE-2022-23634:

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

Please bump to 5.6.2.
Comment 1 Hans de Graaff gentoo-dev 2022-02-12 07:24:11 UTC
Puma 5.6.2 has now been added.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 17:28:10 UTC
Thanks, please cleanup!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 17:29:03 UTC
(In reply to John Helmert III from comment #2)
> Thanks, please cleanup!

Sorry, this one needs stabilization.