Bug 1313832 - Upgrade rails to 4.1.14.2
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Provisioning
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Beta
Target Release: --
Assigned To: Tomer Brisker
QA Contact: sthirugn@redhat.com
URL: http://projects.theforeman.org/issues...
Keywords: Triaged
Reported: 2016-03-02 07:23 EST by Tomer Brisker
Modified: 2016-07-27 05:03 EDT
CC: 4 users

Fixed In Version: x
Doc Type: Bug Fix
Last Closed: 2016-07-27 05:03:49 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 13977 None None None 2016-04-22 11:13 EDT
Description Tomer Brisker 2016-03-02 07:23:39 EST
4.1.14.2 is a security release fixing two CVEs - http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/ 
Rails should be upgraded.
Comment 1 Tomer Brisker 2016-03-02 07:23:41 EST
Created from redmine issue http://projects.theforeman.org/issues/13977
Comment 4 sthirugn@redhat.com 2016-04-07 15:55:28 EDT
Failed in satellite-6.2.0-6.2.beta.el7sat.noarch

Version found in this install is rh-ror41-rubygem-rails-4.1.5-3.el7.noarch

I don't find the CVEs (CVE-2016-2097, CVE-2016-2098) mentioned in this bug in the changelog:

# rpm -q --changelog rh-ror41-rubygem-rails | grep CVE
- New version (fixes CVE-2008-4094)
Comment 5 Bryan Kearney 2016-04-07 16:08:32 EDT
Upstream bug component is Provisioning
Comment 6 Tomer Brisker 2016-04-10 03:38:14 EDT
Looks like the rails packaging has not been updated to use the correct version that is set in the gemfile. See also my comment on https://bugzilla.redhat.com/show_bug.cgi?id=1325632
Eric - any idea why this happened?
Comment 7 Bryan Kearney 2016-04-10 04:08:16 EDT
Upstream bug assigned to tbrisker@redhat.com
Comment 8 Bryan Kearney 2016-04-10 04:08:18 EDT
Upstream bug component is Provisioning
Comment 9 Tomer Brisker 2016-04-11 10:47:51 EDT
These CVEs have been applied in a different gem (one of rails' dependencies) - rh-ror41-rubygem-actionview 
Please retest.
Comment 10 sthirugn@redhat.com 2016-04-11 10:55:41 EDT
Verified in satellite-6.2.0-7.0.beta.el7sat.noarch

# rpm -q --changelog rh-ror41-rubygem-actionview | grep CVE
  Resolves: CVE-2016-2097
  Resolves: CVE-2016-2098
  - Resolves: CVE-2016-0752
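Added example (not part of the bug report, and not Satellite or Foreman code): a POSIX shell check that automates the verification done in Comments 4 and 10. It tests whether each expected CVE id is named in a package changelog and, because Comment 9 shows the fixes landed in a dependency gem (rh-ror41-rubygem-actionview) rather than in the rails package itself, it can combine the changelogs of several packages and treat a CVE as covered when any of them records it. The sample changelog text is constructed to mirror the `rpm -q --changelog` output quoted in the comments; the `rpm_missing_cves` wrapper is an assumption about how the check would be run on an installed host and only executes when `rpm` is present.

```shell
#!/bin/sh
# Added example: verify that expected CVE fixes are recorded in RPM changelogs.
# Not from the bug report or from Satellite/Foreman. The sample changelogs below
# are constructed to mirror the rpm output quoted in Comments 4 and 10.

# CVEs addressed by the rails 4.1.14.2 security release (from the bug description).
WANTED_CVES="CVE-2016-2097 CVE-2016-2098"

# Constructed sample: what Comment 4 saw in the rails package changelog.
RAILS_CHANGELOG='- New version (fixes CVE-2008-4094)'

# Constructed sample: what Comment 10 saw in the actionview package changelog.
ACTIONVIEW_CHANGELOG='  Resolves: CVE-2016-2097
  Resolves: CVE-2016-2098
  - Resolves: CVE-2016-0752'

# missing_cves CHANGELOG CVE...
# Prints (space separated) every CVE id that is not mentioned in CHANGELOG.
# Exit status 0 when all ids are present, 1 when at least one is missing.
missing_cves() {
    changelog=$1
    shift
    missing=""
    for cve in "$@"; do
        # -F: literal match; -w: whole token, so CVE-2016-209 cannot match CVE-2016-2097
        if ! printf '%s\n' "$changelog" | grep -Fqw -- "$cve"; then
            missing="$missing $cve"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# rpm_missing_cves "PKG1 PKG2 ..." CVE...
# Concatenates the changelogs of the named installed packages and checks them
# together, because a fix may be recorded in a dependency gem rather than in
# the top-level package. Hypothetical wrapper; requires rpm on the host.
rpm_missing_cves() {
    pkgs=$1
    shift
    combined=""
    for pkg in $pkgs; do
        entry=$(rpm -q --changelog "$pkg" 2>/dev/null || true)
        combined="$combined
$entry"
    done
    missing_cves "$combined" "$@"
}

# Stand-alone demo on the constructed samples.
echo "rails package alone:"
if missing_cves "$RAILS_CHANGELOG" $WANTED_CVES >/dev/null; then
    echo "  all CVEs recorded"
else
    echo "  missing: $(missing_cves "$RAILS_CHANGELOG" $WANTED_CVES)"
fi

echo "rails + actionview packages:"
if missing_cves "$RAILS_CHANGELOG
$ACTIONVIEW_CHANGELOG" $WANTED_CVES >/dev/null; then
    echo "  all CVEs recorded"
else
    echo "  missing: $(missing_cves "$RAILS_CHANGELOG
$ACTIONVIEW_CHANGELOG" $WANTED_CVES)"
fi

# On a Satellite host the same check would run against the installed packages.
if command -v rpm >/dev/null 2>&1; then
    if rpm_missing_cves "rh-ror41-rubygem-rails rh-ror41-rubygem-actionview" $WANTED_CVES; then
        echo "host: all CVEs recorded"
    else
        echo "host: some CVEs not recorded (listed above)"
    fi
fi
```

Run against the rails changelog alone the check reports both CVE ids as missing, reproducing the result in Comment 4; once the actionview changelog is included it passes, matching Comment 10. Checking the whole dependency set rather than the meta-package avoids the false negative that held up verification here.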
Comment 12 errata-xmlrpc 2016-07-27 05:03:49 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500
