4.1.14.2 is a security release fixing two CVEs - http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
Rails should be upgraded.
Created from redmine issue http://projects.theforeman.org/issues/13977
Failed in satellite-6.2.0-6.2.beta.el7sat.noarch
Version found in this install is rh-ror41-rubygem-rails-4.1.5-3.el7.noarch
I don't find the CVEs (CVE-2016-2097, CVE-2016-2098) mentioned in this bug in the changelog:
# rpm -q --changelog rh-ror41-rubygem-rails | grep CVE
- New version (fixes CVE-2008-4094)
Upstream bug component is Provisioning
Looks like the rails packaging has not been updated to use the correct version that is set in the gemfile. See also my comment on https://bugzilla.redhat.com/show_bug.cgi?id=1325632 Eric - any idea why this happened?
Upstream bug assigned to tbrisker
These CVEs have been applied in a different gem (one of rails' dependencies) - rh-ror41-rubygem-actionview. Please retest.
Verified in satellite-6.2.0-7.0.beta.el7sat.noarch
# rpm -q --changelog rh-ror41-rubygem-actionview | grep CVE
Resolves: CVE-2016-2097
Resolves: CVE-2016-2098
- Resolves: CVE-2016-0752
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1500
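The verification above first failed because only the rails package changelog was searched, while the fixes shipped in a dependency package. The following is an added example, not part of the original bug report, that checks each CVE against the changelogs of several packages at once; the function names, the CHANGELOG_DIR override and the sample changelog lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads "<pkg>.changelog" files from
# CHANGELOG_DIR when set (hypothetical knob for offline use), else queries rpm.
changelog_of() {
    if [ -n "${CHANGELOG_DIR:-}" ]; then
        cat "$CHANGELOG_DIR/$1.changelog" 2>/dev/null
    else
        rpm -q --changelog "$1" 2>/dev/null
    fi
}

# find_cve_fix CVE-ID PKG...: print packages whose changelog names the CVE.
find_cve_fix() {
    cve=$1; shift
    for pkg in "$@"; do
        if changelog_of "$pkg" | grep -qwF -- "$cve"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# audit_cves "CVE-A CVE-B" PKG...: one line per CVE, "<cve> <pkg>[,<pkg>]"
# or "<cve> MISSING"; returns 1 if any CVE is not mentioned by any package.
audit_cves() {
    cves=$1; shift
    rc=0
    for c in $cves; do
        hits=$(find_cve_fix "$c" "$@" | paste -sd, -)
        if [ -n "$hits" ]; then
            printf '%s %s\n' "$c" "$hits"
        else
            printf '%s MISSING\n' "$c"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample mirroring the grep output quoted in the thread.
sample_changelogs() {
    d=$(mktemp -d)
    printf '%s\n' '- New version (fixes CVE-2008-4094)' \
        > "$d/rh-ror41-rubygem-rails.changelog"
    printf '%s\n' 'Resolves: CVE-2016-2097' 'Resolves: CVE-2016-2098' \
        '- Resolves: CVE-2016-0752' > "$d/rh-ror41-rubygem-actionview.changelog"
    printf '%s\n' "$d"
}
```

On a real host, leave CHANGELOG_DIR unset and pass the package together with its dependency packages, for example `audit_cves "CVE-2016-2097 CVE-2016-2098" rh-ror41-rubygem-rails rh-ror41-rubygem-actionview`.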