Bug 1313832 - Upgrade rails to 4.1.14.2
Summary: Upgrade rails to 4.1.14.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Provisioning
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Tomer Brisker
QA Contact: sthirugn@redhat.com
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-03-02 12:23 UTC by Tomer Brisker
Modified: 2019-09-26 18:05 UTC (History)

Fixed In Version: x
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 09:03:49 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 13977 0 None None None 2016-04-22 15:13:30 UTC
Red Hat Product Errata RHBA-2016:1500 0 normal SHIPPED_LIVE Red Hat Satellite 6.2 Base Libraries 2016-07-27 12:24:38 UTC

Description Tomer Brisker 2016-03-02 12:23:39 UTC
4.1.14.2 is a security release fixing two CVEs - http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/ 
Rails should be upgraded.

Comment 1 Tomer Brisker 2016-03-02 12:23:41 UTC
Created from redmine issue http://projects.theforeman.org/issues/13977

Comment 4 sthirugn@redhat.com 2016-04-07 19:55:28 UTC
Failed in satellite-6.2.0-6.2.beta.el7sat.noarch

Version found in this install is rh-ror41-rubygem-rails-4.1.5-3.el7.noarch

I don't find the CVEs (CVE-2016-2097, CVE-2016-2098) mentioned in this bug in the changelog:

# rpm -q --changelog rh-ror41-rubygem-rails | grep CVE
- New version (fixes CVE-2008-4094)

Comment 5 Bryan Kearney 2016-04-07 20:08:32 UTC
Upstream bug component is Provisioning

Comment 6 Tomer Brisker 2016-04-10 07:38:14 UTC
Looks like the rails packaging has not been updated to use the correct version that is set in the gemfile. See also my comment on https://bugzilla.redhat.com/show_bug.cgi?id=1325632
Eric - any idea why this happened?

Comment 7 Bryan Kearney 2016-04-10 08:08:16 UTC
Upstream bug assigned to tbrisker

Comment 8 Bryan Kearney 2016-04-10 08:08:18 UTC
Upstream bug component is Provisioning

Comment 9 Tomer Brisker 2016-04-11 14:47:51 UTC
These CVEs have been applied in a different gem (one of rails' dependencies) - rh-ror41-rubygem-actionview 
Please retest.

Comment 10 sthirugn@redhat.com 2016-04-11 14:55:41 UTC
Verified in satellite-6.2.0-7.0.beta.el7sat.noarch

# rpm -q --changelog rh-ror41-rubygem-actionview | grep CVE
  Resolves: CVE-2016-2097
  Resolves: CVE-2016-2098
  - Resolves: CVE-2016-0752
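Added example, not part of the bug thread or of Satellite's own tooling: the check QA ran above, generalised so it looks for the CVE ids across the changelogs of a whole set of packages rather than a single one, since here the fix landed in rh-ror41-rubygem-actionview while rh-ror41-rubygem-rails kept its 4.1.5 version. The sample changelog lines are constructed from the rpm output quoted in comments 4 and 10; audit_packages is a hypothetical wrapper name.

```shell
#!/bin/sh
# Verify that every required CVE id is named in at least one changelog of a
# package set. A version number alone (rails 4.1.5) does not tell you whether a
# backported fix is present; the changelog of a dependency package might.

# Print each CVE id found in changelog text read from stdin, one per line, de-duplicated.
cves_in_text() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# missing_cves "CVE-A CVE-B ..." < changelog-text
# Prints the required ids that do NOT appear anywhere in the text.
# Returns 0 when all are covered, 1 when at least one is missing.
missing_cves() {
    found=$(cves_in_text)
    status=0
    for cve in $1; do
        if ! printf '%s\n' "$found" | grep -qx "$cve"; then
            echo "$cve"
            status=1
        fi
    done
    return $status
}

# audit_packages "CVE-A CVE-B ..." pkg1 pkg2 ...   (hypothetical wrapper, assumes rpm)
# Concatenates the changelogs of all listed installed packages and reports the
# required ids missing from the combined set.
audit_packages() {
    required=$1
    shift
    for pkg in "$@"; do
        rpm -q --changelog "$pkg" 2>/dev/null
    done | missing_cves "$required"
}

# Constructed sample changelog text, modelled on the rpm output quoted in the bug.
SAMPLE_RAILS='- New version (fixes CVE-2008-4094)'
SAMPLE_ACTIONVIEW='  Resolves: CVE-2016-2097
  Resolves: CVE-2016-2098
  - Resolves: CVE-2016-0752'
```

On a real host you would run `audit_packages 'CVE-2016-2097 CVE-2016-2098' rh-ror41-rubygem-rails rh-ror41-rubygem-actionview`; checking rh-ror41-rubygem-rails alone reports both ids missing, while the two packages together report none.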

Comment 12 errata-xmlrpc 2016-07-27 09:03:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500

