Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 833150 (CVE-2022-23633) - <dev-ruby/rails-{,,,}: information leak between requests
Summary: <dev-ruby/rails-{,,,}: information leak between r...
Alias: CVE-2022-23633
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [cleanup]
Depends on: 833784
  Show dependency tree
Reported: 2022-02-12 03:33 UTC by John Helmert III
Modified: 2022-02-25 11:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 03:33:14 UTC
CVE-2022-23633 (

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails,,, and Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.


Please bump.
Comment 1 Hans de Graaff gentoo-dev Security 2022-02-22 07:30:16 UTC
Rails,,, and are now in the tree.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-23 01:52:43 UTC
Thanks, please cleanup!