Red Hat Bugzilla – Bug 1313832
Upgrade rails to 18.104.22.168
Last modified: 2016-07-27 05:03:49 EDT
22.214.171.124 is a security release fixing two CVEs - http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
Rails should be upgraded.
Created from redmine issue http://projects.theforeman.org/issues/13977
Failed in satellite-6.2.0-6.2.beta.el7sat.noarch
Version found in this install is rh-ror41-rubygem-rails-4.1.5-3.el7.noarch
I dont find the CVEs (CVE-2016-2097, CVE-2016-2098) mentioned in this bug in the changelog:
# rpm -q --changelog rh-ror41-rubygem-rails | grep CVE
- New version (fixes CVE-2008-4094)
Upstream bug component is Provisioning
Looks like the rails packaging has not been updated to use the correct version that is set in the gemfile. See also my comment on https://bugzilla.redhat.com/show_bug.cgi?id=1325632
Eric - any idea why this happened?
Upstream bug assigned to firstname.lastname@example.org
These CVEs have been applied in a different gem (one of rails' dependencies) - rh-ror41-rubygem-actionview
Verified in satellite-6.2.0-7.0.beta.el7sat.noarch
# rpm -q --changelog rh-ror41-rubygem-actionview | grep CVE
- Resolves: CVE-2016-0752
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.