Bug 1862203

Summary: Satellite tools shipping old version of rubygem-json-1.4.6-2.el6
Product: Red Hat Satellite
Reporter: Yadnyawalk Tale <ytale>
Component: Security
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX
QA Contact: Roman Plevka <rplevka>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.7.0
CC: ehelms, kyoshida, lzap, mhulan, tbrisker
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-19 05:39:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Yadnyawalk Tale 2020-07-30 17:34:00 UTC
* Why should we update this gem?

1. To avoid future vulnerabilities (recent example: CVE-2013-0269)
https://bugzilla.redhat.com/show_bug.cgi?id=909029

2. rubygem-json-1.4.6-2.el6 is no longer supported upstream
https://github.com/flori/json/branches


* Satellite server does not ship this gem; the Satellite tools repo, however, has it as a package. All current active and upcoming streams of the tools repo ship it: 6.5, 6.6, 6.7 and 6.8.
https://errata.devel.redhat.com/package/show/rubygem-json

Comment 1 Eric Helms 2021-05-11 15:37:46 UTC
The rubygem-json package we ship is only in the RHEL 6 tools repository. Given that https://access.redhat.com/security/cve/CVE-2013-0269 has been deemed not to affect Satellite and there is no active CVE against the package, my recommendation is that we close this BZ as WONTFIX. RHEL 6 has entered the ELS phase, ending on June 30, 2024.