Puma may not always call `close` on the response body. Rails depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. References: https://github.com/advisories/GHSA-rmj8-8hhh-gv5h https://github.com/advisories/GHSA-wh98-p28r-vrc9
Created rubygem-puma tracking bugs for this issue: Affects: fedora-all [bug 2054212] Created rubygem-rails tracking bugs for this issue: Affects: fedora-all [bug 2054213]
This issue has been addressed in the following products: Red Hat Satellite 6.11 for RHEL 7 Red Hat Satellite 6.11 for RHEL 8 Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-23634
(In reply to Marian Rehak from comment #0) > Puma may not always call `close` on the response body. Rails depended on the > response body being closed in order for its `CurrentAttributes` > implementation to work correctly. > > References: > > https://github.com/advisories/GHSA-rmj8-8hhh-gv5h > https://github.com/advisories/GHSA-wh98-p28r-vrc9 I don't understand why the 2 links are here together in the References. It seems the 1st link is for the puma gem and rails gem to pull the latest puma. But the 2nd link is for actionpack gem. I don't understand why the 2nd link is related. Why did you put the second link? Do you think we need to fix actionpack gem too?
FEDORA-2022-de968d1b6c has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-52d0032596 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.