Bug 1759252

Summary: CVE-2019-16892 requires rubyzip >= 1.3
Product: Red Hat CloudForms Management Engine
Reporter: Satoe Imaishi <simaishi>
Component: Security
Assignee: Jason Frey <jfrey>
Status: CLOSED ERRATA
QA Contact: Mike Shriver <mshriver>
Severity: unspecified
Docs Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Priority: unspecified
Version: 5.10.11
CC: bmidwood, dmetzger, grocha, jfrey, jrafanie, obarenbo, simaishi
Target Milestone: GA
Keywords: ZStream
Target Release: 5.10.12
Flags: simaishi: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 5.10.12.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1759233
Environment:
Last Closed: 2019-11-06 08:58:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On: 1759233
Bug Blocks:

Comment 2 CFME Bot 2019-10-07 17:22:04 UTC
New commits detected on ManageIQ/manageiq-automation_engine/hammer:

https://github.com/ManageIQ/manageiq-automation_engine/commit/78fb6729fa110b4444f0e3551a679b54c6b478d4
commit 78fb6729fa110b4444f0e3551a679b54c6b478d4
Author:     Greg McCullough <gmccullo>
AuthorDate: Tue Oct  1 13:47:47 2019 -0400
Commit:     Greg McCullough <gmccullo>
CommitDate: Tue Oct  1 13:47:47 2019 -0400

    Merge pull request #375 from d-m-u/bumping_rubyzip

    Bump version to 1.3.0 for CVE-2019-16892

    (cherry picked from commit 7c9d05215aed2c31eeae2838553f2737634b7dc6)

    https://bugzilla.redhat.com/show_bug.cgi?id=1759252

 manageiq-automation_engine.gemspec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


https://github.com/ManageIQ/manageiq-automation_engine/commit/cb67990cbf6bf1fe6b0b929c938c2cbbbc4bc48c
commit cb67990cbf6bf1fe6b0b929c938c2cbbbc4bc48c
Author:     Greg McCullough <gmccullo>
AuthorDate: Thu Oct  3 16:49:00 2019 -0400
Commit:     Greg McCullough <gmccullo>
CommitDate: Thu Oct  3 16:49:00 2019 -0400

    Merge pull request #377 from d-m-u/setting_validate_size_zip_flag

    Set validate_entry_sizes flag to true for rubyzip 1.3.0

    (cherry picked from commit 54efd75e0be453c2f0d1af739bd163ae30f43736)

    https://bugzilla.redhat.com/show_bug.cgi?id=1759252

 app/models/miq_ae_yaml_export_zipfs.rb | 3 +
 app/models/miq_ae_yaml_import_zipfs.rb | 3 +
 spec/models/miq_ae_yaml_import_export_spec.rb | 4 +
 3 files changed, 10 insertions(+)

Comment 3 CFME Bot 2019-10-07 17:25:43 UTC
New commits detected on ManageIQ/manageiq/hammer:

https://github.com/ManageIQ/manageiq/commit/ba2d4e86ed6b44e614d28514994cc9ffc98c97a6
commit ba2d4e86ed6b44e614d28514994cc9ffc98c97a6
Author:     Joe Rafaniello <jrafanie.github.com>
AuthorDate: Tue Oct  1 14:17:54 2019 -0400
Commit:     Joe Rafaniello <jrafanie.github.com>
CommitDate: Tue Oct  1 14:17:54 2019 -0400

    Merge pull request #19348 from d-m-u/updating_rubyzip

    Bump rubyzip to 1.3.0 for CVE-2019-16892

    (cherry picked from commit ffb3308f1062fc62c365273755da75d92842972d)

    https://bugzilla.redhat.com/show_bug.cgi?id=1759252

 Gemfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


https://github.com/ManageIQ/manageiq/commit/0d55c841b818462eb7e438b259b435fc01e36eae
commit 0d55c841b818462eb7e438b259b435fc01e36eae
Author:     Keenan Brock <keenan>
AuthorDate: Thu Oct  3 11:36:49 2019 -0400
Commit:     Keenan Brock <keenan>
CommitDate: Thu Oct  3 11:36:49 2019 -0400

    Merge pull request #19360 from d-m-u/fixing_rubyzip_size_flag

    Set zip validate_entry_sizes to true for rubyzip 1.3.0

    (cherry picked from commit 9f46eabfe73e71ad5f84d14eb11fca1b228bd5c6)

    https://bugzilla.redhat.com/show_bug.cgi?id=1759252

 lib/vmdb/util.rb | 3 +
 spec/lib/vmdb/util_spec.rb | 4 +
 2 files changed, 7 insertions(+)

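The two follow-up commits above (manageiq-automation_engine #377 and manageiq #19360) turn on rubyzip 1.3.0's validate_entry_sizes flag, which is the part of the fix that actually closes CVE-2019-16892: bumping the gem alone only makes the check available. The script below is an added example written for this page, not ManageIQ or rubyzip code, and uses only Ruby's standard library so it runs without the gem. It writes a single-entry ZIP whose local file header can lie about the uncompressed size, then reads it back with and without a size check, to show why a quota enforced on the declared size is not enough. Every name in it (build_zip_entry, read_zip_entry, extract_with_quota, EntrySizeError, MAX_ENTRY_BYTES) is this example's own and is not rubyzip's API; rubyzip's equivalent is the single setting Zip.validate_entry_sizes = true.

```ruby
require 'zlib'

# Added example, not ManageIQ or rubyzip code: a minimal single-entry ZIP
# writer and reader on Ruby's stdlib, showing what rubyzip 1.3.0's
# Zip.validate_entry_sizes = true enforces. The local file header declares
# the entry's uncompressed size; an application that enforces a quota on
# that field and then extracts can be made to inflate far more than it
# approved if the header lies (CVE-2019-16892). All names below are this
# example's own, not rubyzip's API.

LOCAL_HEADER_SIG = 0x04034b50
LOCAL_HEADER_FMT = 'VvvvvvVVVvv' # sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
LOCAL_HEADER_LEN = 30
METHOD_DEFLATE   = 8
MAX_ENTRY_BYTES  = 64 * 1024     # the application's per-entry quota (example value)

class EntrySizeError < StandardError; end

# ZIP stores raw deflate streams (no zlib header/trailer), hence -MAX_WBITS.
def raw_deflate(data)
  d = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  out = d.deflate(data, Zlib::FINISH)
  d.close
  out
end

# One local file header followed by the deflated payload. claimed_size lets
# the header lie about the uncompressed size, as a crafted archive would; the
# CRC is still computed over the real data, so a CRC check alone does not catch it.
def build_zip_entry(name, data, claimed_size: data.bytesize)
  compressed = raw_deflate(data)
  header = [LOCAL_HEADER_SIG, 20, 0, METHOD_DEFLATE, 0, 0,
            Zlib.crc32(data), compressed.bytesize, claimed_size,
            name.bytesize, 0].pack(LOCAL_HEADER_FMT)
  header + name.b + compressed
end

def parse_local_header(bytes)
  sig, _ver, _flags, method, _time, _date, crc, csize, usize, nlen, xlen =
    bytes.byteslice(0, LOCAL_HEADER_LEN).unpack(LOCAL_HEADER_FMT)
  raise ArgumentError, 'not a ZIP local file header' unless sig == LOCAL_HEADER_SIG
  raise ArgumentError, 'only deflate entries are handled here' unless method == METHOD_DEFLATE
  { name: bytes.byteslice(LOCAL_HEADER_LEN, nlen), crc: crc, csize: csize,
    declared_size: usize, data_offset: LOCAL_HEADER_LEN + nlen + xlen }
end

# Inflates the entry. With validate_entry_sizes false the caller gets whatever
# the stream inflates to; with it true, inflation aborts as soon as the output
# exceeds the declared size, which is the guarantee rubyzip's flag provides.
def read_zip_entry(bytes, validate_entry_sizes:)
  h = parse_local_header(bytes)
  compressed = bytes.byteslice(h[:data_offset], h[:csize])
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  data = ''.b
  begin
    # Feed the stream in small slices so a bomb is stopped after a bounded
    # amount of output instead of after it has been fully inflated.
    (0...compressed.bytesize).step(256) do |off|
      data << inflater.inflate(compressed.byteslice(off, 256))
      if validate_entry_sizes && data.bytesize > h[:declared_size]
        raise EntrySizeError, "#{h[:name]}: inflated past declared size #{h[:declared_size]}"
      end
    end
  ensure
    inflater.close
  end
  h.merge(data: data)
end

# The pattern the CVE targets: the quota is decided on the declared size, then
# the entry is extracted. Without validate_entry_sizes that decision rests on
# attacker-controlled metadata only.
def extract_with_quota(bytes, validate_entry_sizes:, max_bytes: MAX_ENTRY_BYTES)
  declared = parse_local_header(bytes)[:declared_size]
  raise EntrySizeError, "declared size #{declared} exceeds quota #{max_bytes}" if declared > max_bytes
  read_zip_entry(bytes, validate_entry_sizes: validate_entry_sizes)
end

# Demo: 1 MiB of zeros deflates to about a kilobyte; the forged header claims
# 64 bytes, so it passes the quota check and then inflates to the full 1 MiB
# unless entry sizes are validated.
def demo
  payload = "\0".b * (1024 * 1024)
  forged  = build_zip_entry('bomb.bin', payload, claimed_size: 64)
  lenient = extract_with_quota(forged, validate_entry_sizes: false)[:data].bytesize
  strict  = begin
              extract_with_quota(forged, validate_entry_sizes: true)
              :extracted
            rescue EntrySizeError
              :rejected
            end
  { archive_bytes: forged.bytesize, lenient_extracted_bytes: lenient, strict: strict }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The size check is a mismatch check, not a cap: an honest archive that declares a large size is still stopped by the quota, and a forged one that declares a small size is stopped the moment the inflated output passes what it declared. That is why rubyzip's flag is useful only alongside an application-side limit on the declared sizes, which is what the quota in extract_with_quota stands in for.
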
Comment 4 Mike Shriver 2019-10-10 13:58:30 UTC
Gem rubyzip is at version 1.3.0 on CFME 5.10.12.0.20191007204014_0d55c84

No specific testing of the gem performed.

Comment 6 errata-xmlrpc 2019-11-06 08:58:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3268