OESA-2024-1005
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1005
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2024-1005.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2024-1005
- Upstream
- Published
- 2024-01-05T11:06:39Z
- Modified
- 2025-08-12T05:12:39.758759Z
- Summary
- rubygem-puma security update
- Details
-
A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.
Security Fix(es):
Puma is a Ruby/Rack web server built for parallelism. Prior to
pumaversion5.6.2,pumamay not always callcloseon the response body. Rails, prior to version7.0.2.2, depended on the response body being closed in order for itsCurrentAttributesimplementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability.(CVE-2022-23634) - Database specific
{ "severity": "Medium" }- References
Affected packages
openEuler:20.03-LTS-SP4 / rubygem-puma
Package
- Name
- rubygem-puma
- Purl
- pkg:rpm/openEuler/rubygem-puma&distro=openEuler-20.03-LTS-SP4
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.12.6-3.oe2003sp4
Ecosystem specific
{
"aarch64": [
"rubygem-puma-3.12.6-3.oe2003sp4.aarch64.rpm",
"rubygem-puma-debugsource-3.12.6-3.oe2003sp4.aarch64.rpm",
"rubygem-puma-debuginfo-3.12.6-3.oe2003sp4.aarch64.rpm"
],
"noarch": [
"rubygem-puma-doc-3.12.6-3.oe2003sp4.noarch.rpm"
],
"src": [
"rubygem-puma-3.12.6-3.oe2003sp4.src.rpm"
],
"x86_64": [
"rubygem-puma-debuginfo-3.12.6-3.oe2003sp4.x86_64.rpm",
"rubygem-puma-3.12.6-3.oe2003sp4.x86_64.rpm",
"rubygem-puma-debugsource-3.12.6-3.oe2003sp4.x86_64.rpm"
]
}