Description of problem:

Errata as released by Red Hat rcm releases the same errata for multiple repositories (RHEL 5, RHEL 6, etc.). Within the repository, only the packages actually contained within the repository are listed for the errata.

For example: https://rhn.redhat.com/errata/RHSA-2014-1652.html contains packages for both el6 and el7, but the updateinfo for el6 only contains:

    <?xml version="1.0" encoding="UTF-8"?>
    <pkglist>
      <collection short="rhel-x86_64-server-6">
        <name>Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)</name>
        <package name="openssl" version="1.0.1e" release="30.el6_6.2" epoch="0" arch="i686" src="openssl-1.0.1e-30.el6_6.2.src.rpm">
          <filename>openssl-1.0.1e-30.el6_6.2.i686.rpm</filename>
          <sum type="sha256">e85e84237f069e64333603fbed965b4d0b034c2933c9160eaf4b605d8c3ccd16</sum>
        </package>
        <package name="openssl-devel" version="1.0.1e" release="30.el6_6.2" epoch="0" arch="x86_64" src="openssl-1.0.1e-30.el6_6.2.src.rpm">
          <filename>openssl-devel-1.0.1e-30.el6_6.2.x86_64.rpm</filename>
          <sum type="sha256">dcbbbd1b21733e3e3168897120bfc1674c051c4efe7a621d5c5dece211169207</sum>
        </package>
        <package name="openssl-devel" version="1.0.1e" release="30.el6_6.2" epoch="0" arch="i686" src="openssl-1.0.1e-30.el6_6.2.src.rpm">
          <filename>openssl-devel-1.0.1e-30.el6_6.2.i686.rpm</filename>
          <sum type="sha256">32f1611b3c8934fc10ac3ed87e57847bdaa4f4aebb21ed25d3b6c005722d1bda</sum>
        </package>
        <package name="openssl" version="1.0.1e" release="30.el6_6.2" epoch="0" arch="x86_64" src="openssl-1.0.1e-30.el6_6.2.src.rpm">
          <filename>openssl-1.0.1e-30.el6_6.2.x86_64.rpm</filename>
          <sum type="sha256">904b7d8367de9f94c1878720e634a226ea3c1f67067af6a939dd05f68e7ab1ac</sum>
        </package>
      </collection>
    </pkglist>

The result is that after pulp syncs an errata once, it will never update the existing errata, but will associate the existing errata with the new repositories.

How reproducible: Always

Steps to Reproduce:
1. Sync RHEL 6 Server and wait for it to finish, then
2. Sync RHEL 7 Server
3. Check the RHSA-2014-1652 errata in pulp and list its packages

Actual results: Will only contain the rhel 6 packages, will not contain the rhel 7 packages

Expected results: The RHSA-2014-1652 errata on rhel 7 contains rhel 7 packages, for rhel 6 contains the rhel 6 packages

Additional info:
(oops, forgot to mark state as ASSIGNED til just now) After discussion with rbarlow and jsherrill, the proposed solution is to update existing errata with new packages as they appear. For example if someone synced RHEL6 and RHEL7, the errata stored in Pulp would then contain both RHEL6 and 7 packages. On publish, the published errata would be altered to only contain packages that exist in the repo.
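Added example, not code from Pulp or from either pull request: a sketch of the two steps proposed in the comment above, merging newly synced packages into a stored erratum and narrowing the package list to one repository on publish. The dict layout, the function names and the el7 collection name are assumptions; the packages are the ones listed for RHSA-2014:1144 later in this report.

```python
import copy

def nevra(pkg):
    """Package identity: (name, epoch, version, release, arch)."""
    return tuple(pkg[k] for k in ("name", "epoch", "version", "release", "arch"))

def all_nevras(pkglist):
    return {nevra(p) for coll in pkglist for p in coll["packages"]}

def merge_pkglists(existing, incoming):
    """Sync side: return a new pkglist with every package from both inputs.
    Collections are matched on "short"; packages are de-duplicated by NEVRA,
    so syncing the same repository again changes nothing.
    """
    merged = copy.deepcopy(existing)
    by_short = {coll["short"]: coll for coll in merged}
    for coll in incoming:
        target = by_short.get(coll["short"])
        if target is None:
            target = {"short": coll["short"], "name": coll["name"], "packages": []}
            merged.append(target)
            by_short[coll["short"]] = target
        seen = {nevra(p) for p in target["packages"]}
        for pkg in coll["packages"]:
            if nevra(pkg) not in seen:
                target["packages"].append(dict(pkg))
                seen.add(nevra(pkg))
    return merged

def pkglist_for_repo(pkglist, repo_nevras):
    """Publish side: keep only packages that exist in the repository."""
    out = []
    for coll in pkglist:
        kept = [p for p in coll["packages"] if nevra(p) in repo_nevras]
        if kept:
            out.append(dict(coll, packages=kept))
    return out

def _pkg(name, release, arch):
    return {"name": name, "epoch": "0", "version": "24.8.0", "release": release, "arch": arch}

# Constructed sample input: NEVRAs as listed for RHSA-2014:1144 on this page;
# collection names other than rhel-x86_64-server-6 are placeholders.
EL6 = [{"short": "rhel-x86_64-server-6", "name": "el6 collection", "packages": [
    _pkg("firefox", "1.el6_5", "i686"), _pkg("firefox", "1.el6_5", "x86_64")]}]
EL7 = [{"short": "EL7-COLLECTION-PLACEHOLDER", "name": "el7 collection", "packages": [
    _pkg("xulrunner", "1.el7_0", "i686"), _pkg("firefox", "1.el7_0", "x86_64"),
    _pkg("xulrunner", "1.el7_0", "x86_64")]}]
STORED = merge_pkglists(merge_pkglists(EL6, EL7), EL7)  # rhel6, rhel7, rhel7 again
```

STORED ends up with all five packages, and pkglist_for_repo(STORED, all_nevras(EL7)) returns only the three el7 packages, so clients of each repository see the security update for their own release.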
I believe the second "on publish" behavior mentioned in comment #1 is no longer needed due to https://bugzilla.redhat.com/show_bug.cgi?id=1171280.
PR for pulp: https://github.com/pulp/pulp/pull/1445 One more PR for pulp_rpm is needed.
https://github.com/pulp/pulp_rpm/pull/614
merged to 2.4-dev, will merge to 2.5-testing and forward.
Fails-qa

    [root@cloud-qe-22 ~]# rpm -qa pulp-server
    pulp-server-2.5.2-0.2.beta.el6.noarch

Looks like pulp-admin still shows up wrong. Synced rhel6 and after that rhel7. After the sync & publish, checked in both the rhel6 & rhel7 repos.

    [root@cloud-qe-22 ~]# pulp-admin rpm repo content errata --repo-id rhel6 --erratum-id RHSA-2014:1144
    +----------------------------------------------------------------------+
    Erratum: RHSA-2014:1144
    +----------------------------------------------------------------------+
    Id: RHSA-2014:1144
    Title: Critical: firefox security update
    Summary: Updated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
    Description:
    Mozilla Firefox is an open source web browser. XULRunner provides the XULRuntime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A webpage containing malicious content could cause Firefox to crash or,potentially, execute arbitrary code with the privileges of the user runningFirefox. (CVE-2014-1562, CVE-2014-1567) Red Hat would like to thank the Mozilla project for reporting these issues.Upstream acknowledges Jan de Mooij as the original reporter ofCVE-2014-1562, and regenrecht as the original reporter of CVE-2014-1567. For technical details regarding these flaws, refer to the Mozilla securityadvisories for Firefox 24.8.0 ESR. You can find a link to the Mozillaadvisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which containFirefox version 24.8.0 ESR, which corrects these issues. After installingthe update, Firefox must be restarted for the changes to take effect.
    Severity: Critical
    Type: security
    Issued: 2014-09-03 00:00:00
    Updated: 2014-09-03 00:00:00
    Version: 1
    Release:
    Status: final
    Reboot Suggested: No
    Updated Packages:
      firefox-0:24.8.0-1.el6_5.i686
      firefox-0:24.8.0-1.el6_5.x86_64
    References:
      ID: None
      Type: self
      Link: https://rhn.redhat.com/errata/RHSA-2014-1144.html
      ID: 1135862
      Type: bugzilla
      Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135862
      ID: 1135869
      Type: bugzilla
      Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135869
      ID: CVE-2014-1567
      Type: cve
      Link: https://www.redhat.com/security/data/cve/CVE-2014-1567.html
      ID: CVE-2014-1562
      Type: cve
      Link: https://www.redhat.com/security/data/cve/CVE-2014-1562.html
      ID: None
      Type: other
      Link: https://access.redhat.com/security/updates/classification/#critical
      ID: None
      Type: other
      Link: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.8
    [root@cloud-qe-22 ~]#
    [root@cloud-qe-22 ~]#
    [root@cloud-qe-22 ~]# pulp-admin rpm repo content errata --repo-id rhel7 --erratum-id RHSA-2014:1144
    +----------------------------------------------------------------------+
    Erratum: RHSA-2014:1144
    +----------------------------------------------------------------------+
    Id: RHSA-2014:1144
    Title: Critical: firefox security update
    Summary: Updated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
    Description:
    Mozilla Firefox is an open source web browser. XULRunner provides the XULRuntime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A webpage containing malicious content could cause Firefox to crash or,potentially, execute arbitrary code with the privileges of the user runningFirefox. (CVE-2014-1562, CVE-2014-1567) Red Hat would like to thank the Mozilla project for reporting these issues.Upstream acknowledges Jan de Mooij as the original reporter ofCVE-2014-1562, and regenrecht as the original reporter of CVE-2014-1567. For technical details regarding these flaws, refer to the Mozilla securityadvisories for Firefox 24.8.0 ESR. You can find a link to the Mozillaadvisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which containFirefox version 24.8.0 ESR, which corrects these issues. After installingthe update, Firefox must be restarted for the changes to take effect.
    Severity: Critical
    Type: security
    Issued: 2014-09-03 00:00:00
    Updated: 2014-09-03 00:00:00
    Version: 1
    Release:
    Status: final
    Reboot Suggested: No
    Updated Packages:
      firefox-0:24.8.0-1.el6_5.i686
      firefox-0:24.8.0-1.el6_5.x86_64
    References:
      ID: None
      Type: self
      Link: https://rhn.redhat.com/errata/RHSA-2014-1144.html
      ID: 1135862
      Type: bugzilla
      Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135862
      ID: 1135869
      Type: bugzilla
      Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135869
      ID: CVE-2014-1567
      Type: cve
      Link: https://www.redhat.com/security/data/cve/CVE-2014-1567.html
      ID: CVE-2014-1562
      Type: cve
      Link: https://www.redhat.com/security/data/cve/CVE-2014-1562.html
      ID: None
      Type: other
      Link: https://access.redhat.com/security/updates/classification/#critical
      ID: None
      Type: other
      Link: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.8
    [root@cloud-qe-22 ~]#
https://github.com/pulp/pulp_rpm/pull/631
merged to 2.5-testing/2.5-dev, 2.6-testing and forward
verified

    [root@rhsm-jenkins ~]# rpm -qa pulp-server
    pulp-server-2.5.2-0.3.beta.el6.noarch
    [root@rhsm-jenkins ~]#
    [root@rhsm-jenkins ~]# pulp-admin rpm repo content errata --repo-id rhel6 --erratum-id RHSA-2014:1144
    +----------------------------------------------------------------------+
    Erratum: RHSA-2014:1144
    +----------------------------------------------------------------------+
    Id: RHSA-2014:1144
    Title: Critical: firefox security update
    Summary: Updated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
    Description:
    Mozilla Firefox is an open source web browser. XULRunner provides the XULRuntime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A webpage containing malicious content could cause Firefox to crash or,potentially, execute arbitrary code with the privileges of the user runningFirefox. (CVE-2014-1562, CVE-2014-1567) Red Hat would like to thank the Mozilla project for reporting these issues.Upstream acknowledges Jan de Mooij as the original reporter ofCVE-2014-1562, and regenrecht as the original reporter of CVE-2014-1567. For technical details regarding these flaws, refer to the Mozilla securityadvisories for Firefox 24.8.0 ESR. You can find a link to the Mozillaadvisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which containFirefox version 24.8.0 ESR, which corrects these issues. After installingthe update, Firefox must be restarted for the changes to take effect.
    Severity: Critical
    Type: security
    Issued: 2014-09-03 00:00:00
    Updated: 2014-09-03 00:00:00
    Version: 1
    Release:
    Status: final
    Reboot Suggested: No
    Updated Packages:
      firefox-0:24.8.0-1.el6_5.i686
      firefox-0:24.8.0-1.el6_5.x86_64
      xulrunner-0:24.8.0-1.el7_0.i686
      firefox-0:24.8.0-1.el7_0.x86_64
      xulrunner-0:24.8.0-1.el7_0.x86_64
    References:
      ID: None
      Type: self
      Link: https://rhn.redhat.com/errata/RHSA-2014-1144.html
      ID: 1135862
      Type: bugzilla
      Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135862
      ID: 1135869
      Type: bugzilla
      Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1135869
      ID: CVE-2014-1567
      Type: cve
      Link: https://www.redhat.com/security/data/cve/CVE-2014-1567.html
      ID: CVE-2014-1562
      Type: cve
      Link: https://www.redhat.com/security/data/cve/CVE-2014-1562.html
      ID: None
      Type: other
      Link: https://access.redhat.com/security/updates/classification/#critical
      ID: None
      Type: other
      Link: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.8
Pulp 2.5.2 has been released.
*** Bug 1201476 has been marked as a duplicate of this bug. ***