[Git][security-tracker-team/security-tracker][master] CVE-2022-32224/rails: reconsider bullseye triage

Mon, 04 May 2026 13:27:35 -0700 


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dde9d0f4 by Sylvain Beucler at 2026-05-04T22:27:17+02:00
CVE-2022-32224/rails: reconsider bullseye triage

The fix does not require ruby-psych >= v4, really warns that v4
behaves differently.

At first glance we should introduce
'config.active_record.use_yaml_unsafe_load' (even if we eventually
decide to set it to 'True' for backward compatibility), so that
end-users may at least protect themselves against the RCE.

Follow-up to:
10b3d6f9ac56ebafd59a82d9a8204e5fa1a1119d [debusine test now removed]
b18f0c329e5a5695beccdd009560f3b419e28b2e

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -397368,13 +397368,14 @@ CVE-2022-32225 (A reflected DOM-Based XSS 
vulnerability has been discovered in t
        NOT-FOR-US: Veeam
 CVE-2022-32224 (A possible escalation to RCE vulnerability exists when using 
YAML seri ...)
        - rails 2:6.1.6.1+dfsg-1 (bug #1016140)
-       [bullseye] - rails <ignored> (Mitigation is too invasive to backport)
        NOTE: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
+       NOTE: 
https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
        NOTE: Fixed by: 
https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a 
(main)
        NOTE: Fixed by: 
https://github.com/rails/rails/commit/8ce4bd1be83c08c30c34af4d0f1a726066128176 
(v6.1.6.1)
        NOTE: Fixed by: 
https://github.com/rails/rails/commit/d28f278788b599c0a9f6e3ea437c6642eb56f16c 
(v6.0.5.1)
        NOTE: Fixed by: 
https://github.com/rails/rails/commit/6576aa7bbcf52ebd39853363e29f92b4dd53b6f1 
(v5.2.8.1)
-       NOTE: Break compatibility and need ruby-psych (>= 4.0.0)
+       NOTE: "This may introduce backwards compatibility issues with existing 
data."
+       NOTE: Psych 4.0 redirects 'YAML.load' from 'YAML.unsafe_load' to 
'YAML.safe_load'; 'unsafe_load' introduced in 3.3.2.
 CVE-2022-32223 (Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking 
under ce ...)
        - nodejs <not-affected> (Only affects Windows)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dll-hijacking-on-windows-high-cve-2022-32223



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dde9d0f4f6aa005a4fdd4aa09689314b2d25c74b

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dde9d0f4f6aa005a4fdd4aa09689314b2d25c74b
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to