Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 833150 (CVE-2022-23633)

Summary: <dev-ruby/rails-{,,,}: information leak between requests
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: trivial CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: ~4 [cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 833784    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 03:33:14 UTC
CVE-2022-23633 (

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails,,, and Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.


Please bump.
Comment 1 Hans de Graaff gentoo-dev Security 2022-02-22 07:30:16 UTC
Rails,,, and are now in the tree.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-23 01:52:43 UTC
Thanks, please cleanup!