Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 884795 (CVE-2022-30122, CVE-2022-30123)

Summary: <dev-ruby/rack-2.2.3.1: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: major CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 885433    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 01:43:16 UTC 
CVE-2022-30122 (https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729):

A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.

CVE-2022-30123 (https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728):

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.

Please stabilize 2.2.3.1.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-18 16:06:52 UTC 
Please cleanup
Comment 2 Hans de Graaff gentoo-dev 2022-12-21 07:33:33 UTC 
Cleanup done.