Source: rails Version: 2:6.1.4.1+dfsg-8 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 2:6.0.3.7+dfsg-2
Hi, The following vulnerability was published for rails. CVE-2022-23633[0]: | Action Pack is a framework for handling and responding to web | requests. Under certain circumstances response bodies will not be | closed. In the event a response is *not* notified of a `close`, | `ActionDispatch::Executor` will not know to reset thread local state | for the next request. This can lead to data being leaked to subsequent | requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and | 5.2.6.1. Upgrading is highly recommended, but to work around this | problem a middleware described in GHSA-wh98-p28r-vrc9 can be used. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-23633 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633 [1] https://www.openwall.com/lists/oss-security/2022/02/11/5 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
