Bug 1171278

Summary:	Syncing multiple repositories with the same errata reuses the same errata unit without updating package list
Product:	[Retired] Pulp	Reporter:	Justin Sherrill <jsherril>
Component:	rpm-support	Assignee:	Chris Duryee <cduryee>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Preethi Thomas <pthomas>
Severity:	high	Docs Contact:
Priority:	urgent
Version:	2.4.1	CC:	cduryee, chrobert, dkliban, ekin.meroglu, jsherril, kmurugad, pthomas, rbarlow, skarmark, sthirugn, xdmoon
Target Milestone:	---	Keywords:	Triaged
Target Release:	2.5.2
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:
Clones:	1171283 (view as bug list)		Environment:
Last Closed:	2015-02-05 21:47:01 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1171283, 1214355

Description Justin Sherrill 2014-12-05 19:31:38 UTC

Description of problem:

Errata as released by Red Hat rcm releases the same errata for multiple repositories (RHEL 5, RHEL 6, etc..).

Within the repository, only the packages actually contained within the repository actually are listed for the errata.  For example:

https://rhn.redhat.com/errata/RHSA-2014-1652.html

contains packages for both el6 and el7, but the updateinfo for el6 only contains:

<?xml version="1.0" encoding="UTF-8"?>
<pkglist>
   <collection short="rhel-x86_64-server-6">
      <name>Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)</name>
      <package name="openssl" version="1.0.1e" release="30.el6_6.2" epoch="0" arch="i686" src="openssl-1.0.1e-30.el6_6.2.src.rpm">
         <filename>openssl-1.0.1e-30.el6_6.2.i686.rpm</filename>
         <sum type="sha256">e85e84237f069e64333603fbed965b4d0b034c2933c9160eaf4b605d8c3ccd16</sum>
      </package>
      <package name="openssl-devel" version="1.0.1e" release="30.el6_6.2" epoch="0" arch="x86_64" src="openssl-1.0.1e-30.el6_6.2.src.rpm">
         <filename>openssl-devel-1.0.1e-30.el6_6.2.x86_64.rpm</filename>
         <sum type="sha256">dcbbbd1b21733e3e3168897120bfc1674c051c4efe7a621d5c5dece211169207</sum>
      </package>
      <package name="openssl-devel" version="1.0.1e" release="30.el6_6.2" epoch="0" arch="i686" src="openssl-1.0.1e-30.el6_6.2.src.rpm">
         <filename>openssl-devel-1.0.1e-30.el6_6.2.i686.rpm</filename>
         <sum type="sha256">32f1611b3c8934fc10ac3ed87e57847bdaa4f4aebb21ed25d3b6c005722d1bda</sum>
      </package>
      <package name="openssl" version="1.0.1e" release="30.el6_6.2" epoch="0" arch="x86_64" src="openssl-1.0.1e-30.el6_6.2.src.rpm">
         <filename>openssl-1.0.1e-30.el6_6.2.x86_64.rpm</filename>
         <sum type="sha256">904b7d8367de9f94c1878720e634a226ea3c1f67067af6a939dd05f68e7ab1ac</sum>
      </package>
   </collection>
</pkglist>


The result is that after pulp syncs an errata once, it will never update the existing errata, but will associate the existing errata with the new repositories.


How reproducible:
Always

Steps to Reproduce:
1.  Sync RHEL 6 Server and wait for it to finish then,
2.  Sync RHEL 7 Server
3.  Check the RHSA-2014-1652 errata in pulp and list its packages

Actual results:
Will only contain the rhel 6 packages, will not contain the rhel 7 packages


Expected results:
The RHSA-2014-1652 errata on rhel 7 contains rhel 7 packages, for rhel 6 contains the rhel 6 packages

Additional info:

Comment 1 Chris Duryee 2014-12-09 21:21:53 UTC

(oops, forgot to mark state as ASSIGNED til just now)

After discussion with rbarlow and jsherrill, the proposed solution is to update existing errata with new packages as they appear. For example if someone synced RHEL6 and RHEL7, the errata stored in Pulp would then contain both RHEL6 and 7 packages.

On publish, the published errata would be altered to only contain packages that exist in the repo.

Comment 2 Chris Duryee 2014-12-16 17:42:02 UTC

I believe the second "on publish" behavior mentioned in comment #1 is no longer needed due to https://bugzilla.redhat.com/show_bug.cgi?id=1171280.

Comment 3 Chris Duryee 2014-12-18 18:19:13 UTC

PR for pulp: https://github.com/pulp/pulp/pull/1445

One more PR for pulp_rpm is needed.

Comment 4 Chris Duryee 2014-12-19 16:21:22 UTC

https://github.com/pulp/pulp_rpm/pull/614

Comment 5 Chris Duryee 2015-01-07 20:56:12 UTC

merged to 2.4-dev, will merge to 2.5-testing and forward.

Comment 6 Preethi Thomas 2015-01-09 21:29:30 UTC

Fails-qa
[root@cloud-qe-22 ~]# rpm -qa pulp-server
pulp-server-2.5.2-0.2.beta.el6.noarch

Looks like pulp-admin still shows up wrong.


Synced rhel6 and after that rhel7

After the sync & publish checked in both the ehl6 & rhel7 repos 

[root@cloud-qe-22 ~]# pulp-admin rpm repo content errata  --repo-id rhel6 --erratum-id RHSA-2014:1144
+----------------------------------------------------------------------+
                        Erratum: RHSA-2014:1144
+----------------------------------------------------------------------+

Id:                RHSA-2014:1144
Title:             Critical: firefox security update
Summary:           Updated firefox packages that fix two security issues are now available for
Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description:
  Mozilla Firefox is an open source web browser. XULRunner provides the
  XULRuntime environment for Mozilla Firefox.

  Several flaws were found in the processing of malformed web content. A webpage
  containing malicious content could cause Firefox to crash or,potentially,
  execute arbitrary code with the privileges of the user runningFirefox.
  (CVE-2014-1562, CVE-2014-1567)

  Red Hat would like to thank the Mozilla project for reporting these
  issues.Upstream acknowledges Jan de Mooij as the original reporter
  ofCVE-2014-1562, and regenrecht as the original reporter of CVE-2014-1567.

  For technical details regarding these flaws, refer to the Mozilla
  securityadvisories for Firefox 24.8.0 ESR. You can find a link to the
  Mozillaadvisories in the References section of this erratum.

  All Firefox users should upgrade to these updated packages, which
  containFirefox version 24.8.0 ESR, which corrects these issues. After
  installingthe update, Firefox must be restarted for the changes to take
  effect.

Severity:          Critical
Type:              security
Issued:            2014-09-03 00:00:00
Updated:           2014-09-03 00:00:00
Version:           1
Release:           
Status:            final
Reboot Suggested:  No

Updated Packages:
  firefox-0:24.8.0-1.el6_5.i686
  firefox-0:24.8.0-1.el6_5.x86_64

References:
  ID:   None
  Type: self
  Link: https://rhn.redhat.com/errata/RHSA-2014-1144.html

  ID:   1135862
  Type: bugzilla
  Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135862

  ID:   1135869
  Type: bugzilla
  Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135869

  ID:   CVE-2014-1567
  Type: cve
  Link: https://www.redhat.com/security/data/cve/CVE-2014-1567.html

  ID:   CVE-2014-1562
  Type: cve
  Link: https://www.redhat.com/security/data/cve/CVE-2014-1562.html

  ID:   None
  Type: other
  Link: https://access.redhat.com/security/updates/classification/#critical

  ID:   None
  Type: other
  Link: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.8



[root@cloud-qe-22 ~]# 
[root@cloud-qe-22 ~]# 
[root@cloud-qe-22 ~]# pulp-admin rpm repo content errata  --repo-id rhel7 --erratum-id RHSA-2014:1144
+----------------------------------------------------------------------+
                        Erratum: RHSA-2014:1144
+----------------------------------------------------------------------+

Id:                RHSA-2014:1144
Title:             Critical: firefox security update
Summary:           Updated firefox packages that fix two security issues are now available for
Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description:
  Mozilla Firefox is an open source web browser. XULRunner provides the
  XULRuntime environment for Mozilla Firefox.

  Several flaws were found in the processing of malformed web content. A webpage
  containing malicious content could cause Firefox to crash or,potentially,
  execute arbitrary code with the privileges of the user runningFirefox.
  (CVE-2014-1562, CVE-2014-1567)

  Red Hat would like to thank the Mozilla project for reporting these
  issues.Upstream acknowledges Jan de Mooij as the original reporter
  ofCVE-2014-1562, and regenrecht as the original reporter of CVE-2014-1567.

  For technical details regarding these flaws, refer to the Mozilla
  securityadvisories for Firefox 24.8.0 ESR. You can find a link to the
  Mozillaadvisories in the References section of this erratum.

  All Firefox users should upgrade to these updated packages, which
  containFirefox version 24.8.0 ESR, which corrects these issues. After
  installingthe update, Firefox must be restarted for the changes to take
  effect.

Severity:          Critical
Type:              security
Issued:            2014-09-03 00:00:00
Updated:           2014-09-03 00:00:00
Version:           1
Release:           
Status:            final
Reboot Suggested:  No

Updated Packages:
  firefox-0:24.8.0-1.el6_5.i686
  firefox-0:24.8.0-1.el6_5.x86_64

References:
  ID:   None
  Type: self
  Link: https://rhn.redhat.com/errata/RHSA-2014-1144.html

  ID:   1135862
  Type: bugzilla
  Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135862

  ID:   1135869
  Type: bugzilla
  Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135869

  ID:   CVE-2014-1567
  Type: cve
  Link: https://www.redhat.com/security/data/cve/CVE-2014-1567.html

  ID:   CVE-2014-1562
  Type: cve
  Link: https://www.redhat.com/security/data/cve/CVE-2014-1562.html

  ID:   None
  Type: other
  Link: https://access.redhat.com/security/updates/classification/#critical

  ID:   None
  Type: other
  Link: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.8



[root@cloud-qe-22 ~]#

Comment 7 Chris Duryee 2015-01-12 19:19:50 UTC

https://github.com/pulp/pulp_rpm/pull/631

Comment 8 Chris Duryee 2015-01-12 23:09:55 UTC

merged to 2.5-testing/2.5-dev, 2.6-testing and forward

Comment 9 Preethi Thomas 2015-01-15 16:03:08 UTC

verified


[root@rhsm-jenkins ~]# rpm -qa pulp-server
pulp-server-2.5.2-0.3.beta.el6.noarch
[root@rhsm-jenkins ~]# 



[root@rhsm-jenkins ~]# pulp-admin rpm repo content errata  --repo-id rhel6 --erratum-id RHSA-2014:1144
+----------------------------------------------------------------------+
                        Erratum: RHSA-2014:1144
+----------------------------------------------------------------------+

Id:                RHSA-2014:1144
Title:             Critical: firefox security update
Summary:           Updated firefox packages that fix two security issues are now available for
Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description:
  Mozilla Firefox is an open source web browser. XULRunner provides the
  XULRuntime environment for Mozilla Firefox.

  Several flaws were found in the processing of malformed web content. A webpage
  containing malicious content could cause Firefox to crash or,potentially,
  execute arbitrary code with the privileges of the user runningFirefox.
  (CVE-2014-1562, CVE-2014-1567)

  Red Hat would like to thank the Mozilla project for reporting these
  issues.Upstream acknowledges Jan de Mooij as the original reporter
  ofCVE-2014-1562, and regenrecht as the original reporter of CVE-2014-1567.

  For technical details regarding these flaws, refer to the Mozilla
  securityadvisories for Firefox 24.8.0 ESR. You can find a link to the
  Mozillaadvisories in the References section of this erratum.

  All Firefox users should upgrade to these updated packages, which
  containFirefox version 24.8.0 ESR, which corrects these issues. After
  installingthe update, Firefox must be restarted for the changes to take
  effect.

Severity:          Critical
Type:              security
Issued:            2014-09-03 00:00:00
Updated:           2014-09-03 00:00:00
Version:           1
Release:           
Status:            final
Reboot Suggested:  No

Updated Packages:
  firefox-0:24.8.0-1.el6_5.i686
  firefox-0:24.8.0-1.el6_5.x86_64
  xulrunner-0:24.8.0-1.el7_0.i686
  firefox-0:24.8.0-1.el7_0.x86_64
  xulrunner-0:24.8.0-1.el7_0.x86_64

References:
  ID:   None
  Type: self
  Link: https://rhn.redhat.com/errata/RHSA-2014-1144.html

  ID:   1135862
  Type: bugzilla
  Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135862

  ID:   1135869
  Type: bugzilla
  Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135869

  ID:   CVE-2014-1567
  Type: cve
  Link: https://www.redhat.com/security/data/cve/CVE-2014-1567.html

  ID:   CVE-2014-1562
  Type: cve
  Link: https://www.redhat.com/security/data/cve/CVE-2014-1562.html

  ID:   None
  Type: other
  Link: https://access.redhat.com/security/updates/classification/#critical

  ID:   None
  Type: other
  Link: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.8

Comment 10 Randy Barlow 2015-02-05 21:47:01 UTC

Pulp 2.5.2 has been released.

Comment 13 Justin Sherrill 2015-12-11 05:30:41 UTC

*** Bug 1201476 has been marked as a duplicate of this bug. ***