Bug 1097205

Summary: rubygem-rack version in EPEL has many CVEs, please update
Product: Fedora EPEL
Reporter: sean.edge
Component: rubygem-rack
Assignee: Jeroen van Meeuwen <vanmeeuwen+fedora>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: el6
CC: vanmeeuwen+fedora
Target Milestone: ---
Keywords: SecurityTracking
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Release Note
Last Closed: 2020-11-30 15:41:41 UTC
Type: Bug

Description sean.edge 2014-05-13 11:33:37 UTC
Description of problem:
rubygem-rack version in EPEL 6 is out of date.  There are outstanding, exploitable CVEs:
CVE-2013-0262
CVE-2013-0263

There may be more.  These are particularly bad.


Version-Release number of selected component (if applicable):
1.1.0-2

How reproducible:
Very


Steps to Reproduce:
1. Install RPM
2. Exploit using steps outlined in CVE


Actual results:
Fail security scans.


Expected results:
Pass security scans with a newer version of Rack.


Additional info:
http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/rubygem-rack.html

Comment 1 sean.edge 2014-05-13 11:41:16 UTC
Where to obtain the version that has the fix (1.1.6):

http://rack.github.io/
https://groups.google.com/forum/#!msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J

Comment 2 Murray McAllister 2014-05-14 05:55:58 UTC
Hi Sean,

The whiteboard field of https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0262 has marked the epel versions as being not affected, possibly due to the "Versions affected: All versions after 1.4.0" text in the original report.

If you believe it is affected I can make a tracking bug (although probably not really needed, since you have filed this one).

Cheers,

--
Murray McAllister / Red Hat Security Response Team

Comment 3 sean.edge 2014-05-14 13:42:47 UTC
(In reply to Murray McAllister from comment #2)

> The whiteboard field of
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0262 has marked the
> epel versions as being not affected, possibly due to the "Versions affected:
> All versions after 1.4.0" text in the original report.

What about CVE-2013-0263?  The rack webpage (look under the News headline) and google group post seem to indicate the 1.1.x series is affected by that one.

"Some notes on CVE-2013-0263 that affects all prior versions:"

Thanks,
Sean

Comment 4 Murray McAllister 2014-05-15 04:21:28 UTC
(In reply to sean.edge from comment #3)
> (In reply to Murray McAllister from comment #2)
> 
> > The whiteboard field of
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0262 has marked the
> > epel versions as being not affected, possibly due to the "Versions affected:
> > All versions after 1.4.0" text in the original report.
> 
> What about CVE-2013-0263?  The rack webpage (look under the News headline)
> and google group post seem to indicate the 1.1.x series is affected by that
> one.
> 
> "Some notes on CVE-2013-0263 that affects all prior versions:"
> 
> Thanks,
> Sean

It is affected by that one. The top level bug is https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0263

The EPEL specific one is https://bugzilla.redhat.com/show_bug.cgi?id=909088 (no movement on it yet)
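The thread turns on whether the EPEL 6 build (1.1.0-2, from the report) is older than the upstream release that carries the fix (1.1.6, from comment 1). The following is an added example, not code from the bug or from the rubygem-rack package: it implements the RPM version-segment ordering (numeric segments compare as integers, alphabetic ones lexically, numeric beats alphabetic, a tilde sorts before everything) and uses it to decide whether an installed version-release string sits below a fixed upstream version. The only caveat a scanner needs is spelled out in the code: a distribution backport of the fix shows up as a release bump, not a version bump, so this comparison alone cannot prove a package is affected.

```python
import re

# Values taken from the page: the EPEL 6 build named in the report and the
# upstream version comment 1 points to as carrying the fix.
EPEL6_VERSION_RELEASE = "1.1.0-2"
FIXED_UPSTREAM_VERSION = "1.1.6"

# One segment is a run of digits, a run of letters, or a tilde; separators
# such as "." and "-" carry no meaning on their own in rpmvercmp ordering.
_SEGMENT = re.compile(r"(\d+|[A-Za-z]+|~)")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two RPM version strings by segment order."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        # A tilde sorts before anything else, so 1.1.6~rc1 < 1.1.6.
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1  # numeric segment is newer than alpha
        if x_num:
            xi, yi = int(x), int(y)  # int() drops leading zeros (010 == 10)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x != y:
            return (x > y) - (x < y)
    # All shared segments are equal: a leftover tilde means older, otherwise
    # the string with more segments is the newer one.
    rest_a, rest_b = seg_a[len(seg_b):], seg_b[len(seg_a):]
    if rest_a and rest_a[0] == "~":
        return -1
    if rest_b and rest_b[0] == "~":
        return 1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def split_version_release(evr: str) -> tuple:
    """Split 'version-release' (e.g. '1.1.0-2') into its two parts."""
    version, _, release = evr.partition("-")
    return version, release


def is_below_fix(installed_evr: str, fixed_version: str) -> bool:
    """True when the installed upstream version is older than fixed_version.

    Only the version part is compared. The release ('-2') is the distribution
    rebuild counter: a backported fix would bump it (and the changelog) while
    leaving the version below the upstream fix, so a True result means
    "possibly affected, check the package changelog", not "confirmed affected".
    """
    version, _release = split_version_release(installed_evr)
    return rpmvercmp(version, fixed_version) < 0


if __name__ == "__main__":
    flagged = is_below_fix(EPEL6_VERSION_RELEASE, FIXED_UPSTREAM_VERSION)
    print(f"{EPEL6_VERSION_RELEASE} below {FIXED_UPSTREAM_VERSION}: {flagged}")
```

Running the block reports the EPEL 6 build as below the fixed version; the next step for an auditor is the package changelog (rpm -q --changelog), which is where a backported fix without a version bump would be recorded.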

Comment 5 Ben Cotton 2020-11-05 16:53:45 UTC
This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is our policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Comment 6 Ben Cotton 2020-11-05 16:56:21 UTC
This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version, you are encouraged to change the 'version' to a later version before this bug is closed as described in the policy above.

Comment 7 Ben Cotton 2020-11-30 15:41:41 UTC
EPEL el6 changed to end-of-life (EOL) status on 2020-11-30. EPEL el6 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of EPEL please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.