[CVE-2022-23633] Possible exposure of information vulnerability in Action Pack

[Aaron Patterson <aaron.patterson () gmail com>]

## Impact

Under certain circumstances response bodies will not be closed, for example
a bug in a webserver[1] or a bug in a Rack middleware. In the event a
response is not notified of a close, ActionDispatch::Executor will not know
to reset thread local state for the next request. This can lead to data
being leaked to subsequent requests, especially when interacting with
ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation if this
issue even in the context of a buggy webserver or middleware implementation.

## Patches

To aid users who aren't able to upgrade immediately we have provided
patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 5.2-information-leak.patch
* 6.0-information-leak.patch
* 6.1-information-leak.patch
* 7.0-information-leak.patch

## Workarounds

Upgrading is highly recommended, but to work around this problem the
following middleware can be used:

```
class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

    def ensure_completed!
      @executor.new.complete! if @executor.active?
    end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
```

## Credits

Thanks to Jean Boussier for fixing this!

1. https://github.com/puma/puma/pull/2812

Attachment: 6.1-information-leak.patch
Description:

Attachment: 6.0-information-leak.patch
Description:

Attachment: 7.0-information-leak.patch
Description:

Attachment: 5.2-information-leak.patch
Description: