833150 – (CVE-2022-23633) <dev-ruby/rails-{5.2.6.2,6.0.4.6,6.1.4.6,7.0.2.2}: information leak between requests

Bug 833150 (CVE-2022-23633) - <dev-ruby/rails-{5.2.6.2,6.0.4.6,6.1.4.6,7.0.2.2}: information leak between requests

Summary: <dev-ruby/rails-{5.2.6.2,6.0.4.6,6.1.4.6,7.0.2.2}: information leak between r...

Status:	IN_PROGRESS

Alias:	CVE-2022-23633

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~4 [cleanup]
Keywords:

Depends on:	833784
Blocks:
	Show dependency tree

Reported:	2022-02-12 03:33 UTC by John Helmert III
Modified:	2022-02-25 11:37 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2022-23634
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-02-12 03:33:14 UTC

CVE-2022-23633 (https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9):
https://www.openwall.com/lists/oss-security/2022/02/11/5

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

Patch: https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

Please bump.

Comment 1 Hans de Graaff gentoo-dev

2022-02-22 07:30:16 UTC

Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2 are now in the tree.

Comment 2 John Helmert III archtester

2022-02-23 01:52:43 UTC

Thanks, please cleanup!