Bug 1743940 (CVE-2019-15224)

Summary: CVE-2019-15224 rubygem-rest-client: code-execution backdoor inserted by third party
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: ahardin, aos-bugs, bbuckingham, bcourt, bkearney, bleanhar, bmidwood, bmontgom, btotty, ccoleman, dajohnso, dedgar, dmetzger, eparis, gblomqui, gmccullo, gtanzill, hhudgeon, jburrell, jcantril, jfrey, jgoulding, jhardy, jokerman, jprause, kdixon, lavenel, lzap, mchappel, mhulan, mmccune, nstielau, obarenbo, rchan, rjerrido, roliveri, ruby-packagers-sig, simaishi, sponnaga, tdawson, vondruch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: rubygem-rest-client 1.6.14
Doc Type: If docs needed, set a value
Doc Text:
The rest-client rubygem, hosted on rubygems.org, was compromised and released containing malware in versions 1.6.10 to 1.6.13. Applications using these versions of the rest-client rubygem should be considered compromised.
Story Points: ---
Last Closed: 2019-08-22 08:47:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1743942
Bug Blocks: 1743943
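The Doc Text above gives the affected range (1.6.10 through 1.6.13) and the fixed version (1.6.14). The following script, added here as an example and not part of the bug report or of the rest-client project, checks a Gemfile.lock for a resolved rest-client version inside that range so an operator can find applications that should be treated as compromised. The Gemfile.lock contents embedded in the script are constructed for the demonstration; the function and constant names are the example's own.

```ruby
# Added example (not from the bug report): flag rest-client versions that the
# Doc Text describes as compromised (1.6.10 through 1.6.13; 1.6.14 is fixed).
require "rubygems"

AFFECTED_GEM   = "rest-client"
AFFECTED_FIRST = Gem::Version.new("1.6.10")
AFFECTED_LAST  = Gem::Version.new("1.6.13")

# Constructed Gemfile.lock for the demo; a real check would read the file.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.3)
        mime-types-data (~> 3.2015)
      mime-types-data (3.2019.0904)
      rest-client (1.6.13)
        mime-types (>= 1.16)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client

  BUNDLED WITH
     1.17.3
LOCK

# Parse the "specs:" block of a Gemfile.lock. Resolved gems sit at exactly four
# spaces of indentation ("    rest-client (1.6.13)"); their dependency lines are
# indented six spaces and are skipped. Returns a Hash of gem name => [versions].
def parse_lockfile_specs(text)
  specs = Hash.new { |h, k| h[k] = [] }
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A non-indented, non-blank line (PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if in_specs && line !~ /\A\s/ && !line.strip.empty?
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      specs[m[1]] << m[2]
    end
  end
  specs
end

# True when the version string falls inside the compromised range.
# Gem::Version compares numerically, so "1.6.9" < "1.6.10" as expected.
def affected_version?(version_string)
  v = Gem::Version.new(version_string)
  v >= AFFECTED_FIRST && v <= AFFECTED_LAST
end

# Returns the list of resolved rest-client versions that are in the bad range.
def compromised_rest_client_versions(lock_text)
  parse_lockfile_specs(lock_text).fetch(AFFECTED_GEM, []).select { |v| affected_version?(v) }
end

if __FILE__ == $PROGRAM_NAME
  lock_text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  hits = compromised_rest_client_versions(lock_text)
  if hits.empty?
    puts "no compromised rest-client versions found"
  else
    puts "COMPROMISED: rest-client #{hits.join(', ')} (fixed in 1.6.14); treat the application as compromised"
  end
end
```

Run it with a path to a Gemfile.lock as the first argument, or with no argument to use the embedded sample. The check is deliberately on the resolved version in the lock file rather than on the Gemfile constraint, because the lock file records what was actually installed.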

Description Dhananjay Arunesh 2019-08-21 03:46:39 UTC
A vulnerability was found in the rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org, which included a
code-execution backdoor inserted by a third party.

Reference:
https://rubygems.org/gems/rest-client/versions/
https://github.com/rest-client/rest-client/issues/713

Comment 1 Dhananjay Arunesh 2019-08-21 03:47:50 UTC
Created rubygem-rest-client tracking bugs for this issue:

Affects: epel-7 [bug 1743942]

Comment 3 Sam Fowler 2019-08-22 03:08:30 UTC
Statement:

OpenShift Container Platform is not vulnerable to this issue as it does not use the affected versions.

Comment 4 Product Security DevOps Team 2019-08-22 08:47:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15224