DEBIAN-CVE-2022-23634
- Source
- https://security-tracker.debian.org/tracker/CVE-2022-23634
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-23634.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-23634
- Upstream
- Published
- 2022-02-11T22:15:07Z
- Modified
- 2025-09-25T02:56:42.758627Z
- Summary
- [none]
- Details
-
Puma is a Ruby/Rack web server built for parallelism. Prior to
pumaversion5.6.2,pumamay not always callcloseon the response body. Rails, prior to version7.0.2.2, depended on the response body being closed in order for itsCurrentAttributesimplementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability. - References
Affected packages
Debian:11 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source
Debian:12 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source
Debian:13 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source
Debian:14 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source