This bug is filed adhering to Fedora's non-responsive maintainer policy.[1] Michael Stahnke[2], a Fedora EPEL maintainer for the 'rubygem-activesupport' package, has not been responding to critical security issues in the said package for over a year now. Pending issues are:

BZ#905374  CVE-2013-0333  epel6  critical   Reported: 2013-01-29
BZ#1095129 CVE-2014-0130  epel6  important  Reported: 2014-05-07
BZ#731451  CVE-2011-2932  epel6  moderate   Reported: 2011-08-17

@Michael: please respond within 7 days, so as to thwart further policy action.

Thank you.

--
[1] https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers
[2] https://fedoraproject.org/wiki/User:Stahnma
Hey stahnma, were you still interested in maintaining the EPEL rails build? If you were and this is a matter of cycles, I can start looking into what it'd take to update EPEL to the latest rails release until you have the time to get back to this (so that no further action would be taken on the Fedora front). Feel free to get back to me here or via private communications.
Reminder #1
-----------

Hello Michael,

Any updates on #c1 above? Please let us know if you still plan to maintain the 'rubygem-activesupport' package for the EPEL branch.

Thank you.
Reminder #2
-----------

Hello Michael,

Any updates on #c1 above? Please let us know if you still plan to maintain the 'rubygem-activesupport' package for the EPEL branch. By next week, we'd be forced to start the takeover process.[1]

Thank you.

--
[1] https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers
I am not going to have time to fix up these bugs in the near future on EL6. I actually don't use this package on el6 any longer. I welcome any co-maintainers.
(In reply to Michael Stahnke from comment #4)
> I am not going to have time to fix up these bugs in the near future on EL6.
> I actually don't use this package on el6 any longer. I welcome any
> co-maintainers.

Okay, thanks so much for the update.
Hello Mo, Would you like to take over the EPEL branch from Michael? Another option is to send a request on the -devel list. Thank you.
Yes I'll start looking into what is needed to update the rails stack in epel in the upcoming weeks.
Hello Mo,

(In reply to Mo Morsi from comment #7)
> Yes I'll start looking into what is needed to update the rails stack in epel
> in the upcoming weeks.

Great! Thank you so much Mo. :) I've linked the 3 bugs above to this one, and will close this once the EPEL builds are pushed.

Thank you.
A couple of other packages maintained by Michael have these pending issues:

CVE-2013-1802 -> https://bugzilla.redhat.com/show_bug.cgi?id=917234
CVE-2013-1800 -> https://bugzilla.redhat.com/show_bug.cgi?id=917237

I'd pinged Michael via email last week, but no response from him yet.
@Mo: would it be possible for you to take a look at the above two issues?
Will add them to the list but can't commit to those atm; the rails update will probably take some time. It looks like rubygem-crack is a dependency of webmock & inode, it'd be a shame to lose those in epel.

http://www.isitfedoraruby.com/fedorarpms/rubygem-crack/full_deps
Hello Mo,

(In reply to Mo Morsi from comment #11)
> Will add them to the list but can't commit to those atm,

Thank you so much! I appreciate it.

> the rails update will probably take some time. It looks like rubygem-crack
> is a dependency of webmock & inode, it'd be a shame to lose those in epel.
>
> http://www.isitfedoraruby.com/fedorarpms/rubygem-crack/full_deps

True. Would it be possible for you to co-maintain it for EPEL? If not, maybe we could try the -devel list to see if someone is willing to become a maintainer for them.

Thank you.
Hello Mo,

(In reply to Mo Morsi from comment #11)
> Will add them to the list but can't commit to those atm, the rails update
> will probably take some time. It looks like rubygem-crack is a dependency of
> webmock & inode, it'd be a shame to lose those in epel.
>
> http://www.isitfedoraruby.com/fedorarpms/rubygem-crack/full_deps

Did you have a chance to process these issues further? (just checking)

Also, about co-maintaining these packages for EPEL, would it be possible for you to maintain them?

Thank you.
Hello Mo,

Did you have a chance to work on these issues? Any update, please?

Thank you.
pjp, eric, sorry for the belated response. I wrote a small script to compare upstream gem versions & dependencies w/ those in Fedora and display them in a hierarchical tree manner:

https://github.com/ManageIQ/polisher/blob/master/bin/gem_mapper.rb

For the latest upstream rails release (4.2.1) the following would need to be updated / included in epel7:

rails 4.2.1
actionmailer 4.2.1
actionpack 4.2.1
activesupport 4.2.1
tzinfo 1.2.2
rack-test 0.6.3
rails-html-sanitizer 1.0.2
loofah 2.0.2
rails-dom-testing 1.0.6
rails-deprecated_sanitizer 1.0.3
actionview 4.2.1
activejob 4.2.1
globalid 0.3.5
mail 2.6.3
activemodel 4.2.1
activerecord 4.2.1
railties 4.2.1
sprockets-rails 3.0.0.beta1
sprockets 2.12.3

Note these do not include devel deps. These will most likely entail additional updates.

Using the gem_dependency_checker, I extracted the following builds from other fedora branches:

https://github.com/ManageIQ/polisher/blob/master/bin/gem_dependency_checker.rb

$ ruby -Ilib ./bin/gem_dependency_checker.rb --gem rails -k
rails koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
actionmailer koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
actionpack koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
actionview koji: 4.1.5, 4.1.4, 4.1.1
activesupport koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
i18n koji: 0.6.11, 0.6.9, 0.6.4, 0.6.1, 0.6.0
json koji: 1.7.7, 1.6.8, 1.6.5
minitest koji: 5.3.1, 4.7.0, 2.10.1
thread_safe koji: 0.3.3, 0.1.3, 0.1.2
tzinfo koji: 1.2.2, 1.1.0, 0.3.37, 0.3.35, 0.3.30
builder koji: 3.2.2, 3.1.4, 3.0.0
erubis koji: 2.7.0
rails-dom-testing koji
nokogiri koji: 1.6.4.1, 1.6.3.1, 1.6.6.2, 1.6.5, 1.6.2.1, 1.6.1, 1.6.0, 1.5.9, 1.5.11, 1.5.6, 1.5.5
mini_portile koji: 0.6.1, 0.6.0, 0.6.2, 0.5.3, 0.5.2, 0.5.1
rails-deprecated_sanitizer koji
rails-html-sanitizer koji
loofah koji: 2.0.0, 1.2.1
rack koji: 1.5.2, 1.4.5, 1.4.0
rack-test koji: 0.6.2, 0.6.1
activejob koji
globalid koji
mail koji: 2.5.4, 2.5.3, 2.4.4
mime-types koji: 1.25.1, 1.19, 1.16
activemodel koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
activerecord koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
arel koji: 5.0.0, 4.0.0, 3.0.2
bundler koji: 1.7.3, 1.5.2, 1.7.6, 1.3.5, 1.3.1, 1.1.4
railties koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
rake koji: 10.0.4, 0.9.6, 0.9.2.2
thor koji: 0.18.1, 0.17.0, 0.14.6
sprockets-rails koji: 2.1.3, 2.0.1, 2.0.0
sprockets koji: 2.12.1, 2.8.2, 2.4.5

I can start looking into updating some of the simpler deps in the near future. Obviously the entire list will take some time, but it should go quicker with some assistance...
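The comparison the two polisher scripts perform, reduced to its core, as an added example that is not part of the comment above or of the polisher project: given the dependency requirements an upstream gem declares and the versions a distro build system has already built, walk the dependency tree and classify every gem as satisfied, needing an update, or not packaged at all. The requirement strings and build lists are constructed sample data modelled loosely on the listing above, not real gemspec or koji output, and the function names (best_satisfying, classify, audit, render, needs_work) are my own. Only Gem::Version and Gem::Requirement from Ruby's standard library are used.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby

# Constructed sample input (not real gemspec data): the dependency
# requirements each upstream gem declares, in RubyGems requirement syntax.
UPSTREAM_DEPS = {
  'rails'         => { 'activesupport' => '= 4.2.1', 'actionpack' => '= 4.2.1',
                       'railties' => '= 4.2.1' },
  'actionpack'    => { 'activesupport' => '= 4.2.1', 'rack' => '~> 1.6',
                       'rack-test' => '~> 0.6.3', 'rails-html-sanitizer' => '~> 1.0' },
  'activesupport' => { 'i18n' => '~> 0.7', 'tzinfo' => '~> 1.1', 'minitest' => '~> 5.1',
                       'thread_safe' => '~> 0.3', 'json' => '~> 1.7' },
  'railties'      => { 'activesupport' => '= 4.2.1', 'actionpack' => '= 4.2.1',
                       'rake' => '>= 0.8.7', 'thor' => '>= 0.18.1' },
}.freeze

# Constructed sample of what a distro build system (koji-like) has built,
# modelled on the listing in the comment above: gem name -> built versions.
# rails-html-sanitizer is deliberately absent: it was never packaged.
DISTRO_BUILDS = {
  'rails'         => %w[4.1.5 4.1.4 4.1.1 4.0.0 3.2.13 3.2.8],
  'actionpack'    => %w[4.1.5 4.1.4 4.1.1 4.0.0 3.2.13 3.2.8],
  'activesupport' => %w[4.1.5 4.1.4 4.1.1 4.0.0 3.2.13 3.2.8],
  'railties'      => %w[4.1.5 4.1.4 4.1.1 4.0.0 3.2.13 3.2.8],
  'i18n'          => %w[0.6.11 0.6.9 0.6.4],
  'json'          => %w[1.7.7 1.6.8 1.6.5],
  'minitest'      => %w[5.3.1 4.7.0 2.10.1],
  'thread_safe'   => %w[0.3.3 0.1.3],
  'tzinfo'        => %w[1.2.2 1.1.0 0.3.37],
  'rack'          => %w[1.5.2 1.4.5 1.4.0],
  'rack-test'     => %w[0.6.2 0.6.1],
  'rake'          => %w[10.0.4 0.9.6],
  'thor'          => %w[0.18.1 0.17.0],
}.freeze

# Newest built version that satisfies +requirement+, or nil if none does.
# Gem::Version handles multi-component and prerelease versions correctly,
# which naive string comparison ("1.5.9" > "1.5.11") does not.
def best_satisfying(versions, requirement)
  req = Gem::Requirement.new(requirement)
  versions.map { |v| Gem::Version.new(v) }
          .select { |v| req.satisfied_by?(v) }
          .max
end

# Classify one gem against the distro builds:
#   [:ok, version]      a built version satisfies the requirement
#   [:update, newest]   packaged, but no built version satisfies it
#   [:missing, nil]     not packaged at all
def classify(gem, requirement)
  built = DISTRO_BUILDS.fetch(gem, [])
  return [:missing, nil] if built.empty?

  best = best_satisfying(built, requirement)
  return [:ok, best.to_s] if best

  [:update, built.max_by { |v| Gem::Version.new(v) }]
end

# Walk the dependency tree rooted at +gem+ and collect gem -> [status, version].
# +seen+ breaks the cycles the Rails gems form by depending on one another;
# the first requirement encountered for a gem is the one recorded.
def audit(gem, requirement, report = {}, seen = {})
  return report if seen[gem]

  seen[gem] = true
  report[gem] = classify(gem, requirement)
  UPSTREAM_DEPS.fetch(gem, {}).each { |dep, req| audit(dep, req, report, seen) }
  report
end

# Indented tree, in the spirit of the gem_mapper output described above.
# A gem already printed is shown again where it is required but not expanded.
def render(gem, requirement, depth = 0, seen = {})
  status, ver = classify(gem, requirement)
  have = ver ? " (have #{ver})" : ''
  line = "#{'  ' * depth}#{gem} #{requirement} -> #{status}#{have}"
  return line if seen[gem]

  seen[gem] = true
  children = UPSTREAM_DEPS.fetch(gem, {}).map { |dep, req| render(dep, req, depth + 1, seen) }
  [line, *children].join("\n")
end

# Sorted names of every gem that is not yet satisfied by a distro build.
def needs_work(report)
  report.reject { |_, (status, _)| status == :ok }.keys.sort
end

if $PROGRAM_NAME == __FILE__
  puts render('rails', '= 4.2.1')
  todo = needs_work(audit('rails', '= 4.2.1'))
  puts "\n#{todo.size} gems need packaging work: #{todo.join(', ')}"
end
```

The useful output for a security backport is the :update and :missing set: those are the packages that must be built (or introduced) before the patched upstream release can land, and the tree shows which of them are transitive requirements rather than direct ones.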
Hello Mo,

(In reply to Mo Morsi from comment #15)
> I wrote a small script to compare
> upstream gem versions & dependencies w/ those in Fedora and display them in
> a hierarchical tree manner:
>
> https://github.com/ManageIQ/polisher/blob/master/bin/gem_mapper.rb
>
> For the latest upstream rails release (4.2.1) the following would need to be
> updated / included in epel7:
> ...
>
> Note these do not include devel deps. These will most likely entail
> additional updates.
>
> Using the gem_dependency_checker, I extracted the following builds from
> other fedora branches:
>
> https://github.com/ManageIQ/polisher/blob/master/bin/gem_dependency_checker.rb

That is an extensive list of packages to be updated. But it does not seem to include the rubygem-extlib and rubygem-crack packages, which have long-standing bugs (linked here) open. Or is it that to update the extlib and rubygem-crack packages, we have to update the aforementioned list first?

> I can start looking into updating some of the more simpler deps in the near
> future. Obviously the entire list will take some time but it should go
> quicker with some assistance...

IMO it's preferable to close the long-standing security updates first, and then move to the bug fix and feature updates. Surely you'll need help with updating so many packages. Is there a fedora-ruby list or SIG where we could look for help? Let's see if we could find some help there.

Thank you.
(In reply to pjp from comment #16)
> That is an extensive list of packages to be updated. But it does not seem
> to include the rubygem-extlib and rubygem-crack packages, which have
> long-standing bugs (linked here) open. Or is it that to update the extlib and
> rubygem-crack packages, we have to update the aforementioned list first?

Yes, the list is extensive. The complete list with dev deps can be found here:

https://mmorsi.fedorapeople.org/missing_deps_output

Granted, many deps on the list (particularly dev & testing ones) are duplicates / not necessary. I'll start looking at consolidating this list in the near future.

> > I can start looking into updating some of the more simpler deps in the near
> > future. Obviously the entire list will take some time but it should go
> > quicker with some assistance...
>
> IMO it's preferable to close the long-standing security updates first,
> and then move to the bug fix and feature updates. Surely you'll need help
> with updating so many packages. Is there a fedora-ruby list or SIG where
> we could look for help? Let's see if we could find some help there.
>
> Thank you.

I've just requested access for rubygem-crack and extlib, and will update to the latest upstream version on the requested branches when I have access.

Sent the info pertaining to the rails update to the ruby-sig, and will keep that updated on progress.

https://lists.fedoraproject.org/pipermail/ruby-sig/2015-June/001787.html
Hello Mo,

(In reply to Mo Morsi from comment #17)
> I've just requested access for rubygem-crack and extlib, will update to the
> latest upstream version on the requested branches when I have access.

Sent an email to Michael about the same, let's hope it grants access soon.

> Sent the info pertaining to the rails update to the ruby-sig, and will keep
> that updated on progress.
>
> https://lists.fedoraproject.org/pipermail/ruby-sig/2015-June/001787.html

That's great! Thank you so much for the update, I appreciate it. Let me know if I can help with anything.

Thank you.
(In reply to pjp from comment #18)
> Sent an email to Michael about the same, let's hope it grants access soon.

Sorry, he (not it) grants access soon. ;)
Hello Mo,

I sent your ruby-sig message to a students' list that I'm part of. One of the students there is interested in working with you on updating the Rails packages in EPEL. I've sent you an email about the same; hope it works out well.

Thank you.
Awesome, thanks. Will continue via email
Hello Mo,

Of the dependent bugs linked here, a couple are closed and updates have been pushed for the rubygem-extlib issue.

#731451 rubygem-activesupport: XSS vulnerability in escaping function
#917237 Ruby Gem crack: YAML parameter parsing vulnerability

Did you have a chance to look at these two? (just checking)

Thank you. :)
The rubygem-crack update is in progress, am having difficulties building against the 3 epel platforms. EL7 / EL6 are currently working, so may just update those & retire EL5.

activesupport will be taken care of w/ the larger epel rails update, which still has a ways to go.
(In reply to Mo Morsi from comment #23)
> The rubygem-crack update is in progress, am having difficulties building
> against the 3 epel platforms. EL7 / EL6 are currently working so may just
> update those & retire EL5.

Yes, that will be good.

> activesupport will be taken care of w/ the larger epel rails update which
> still has a ways to go.

I see, okay. Thanks so much for the update.
Updated rubygem-crack on epel6, requested admin access so as to retire on epel5. Will look more into the rails update this week.
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
(In reply to Mo Morsi from comment #25)
> Updated rubygem-crack on epel6, requested admin access so as to retire on
> epel5.
>
> Will look more into the rails update this week.

Cool! Thank you for the update.
Hello Mo,

Are you working on this one? It's been long, it needs closure.

Thank you.
Hi pjp, I hadn't worked on this in a while, and will be sidelining work on rails / epel for the foreseeable future due to other priorities. rubygem-crack has been retired on EL 5/6, though both rubygem-crack and rubygem-rails have been updated on EL7.
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.