Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 833150 (CVE-2022-23633)

Summary: <dev-ruby/rails-{5.2.6.2,6.0.4.6,6.1.4.6,7.0.2.2}: information leak between requests
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: trivial CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=833155
Whiteboard: ~4 [cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 833784    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 03:33:14 UTC 
CVE-2022-23633 (https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9):
https://www.openwall.com/lists/oss-security/2022/02/11/5

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

Patch: https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

Please bump.
Comment 1 Hans de Graaff gentoo-dev 2022-02-22 07:30:16 UTC 
Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2 are now in the tree.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-23 01:52:43 UTC 
Thanks, please cleanup!