package installed from rhel-7-server-satellite-capsule-6.2-rpms: rubygem-rake.noarch-0.9.2.2-41.el7sat

But the following errata are available from rhel-7-server-optional-rpms:

# yum list-sec --enablerepo=rhel-7-server-optional-rpms | grep rubygem-rake
RHSA-2014:1912 Moderate/Sec. rubygem-rake-0.9.6-22.el7_0.noarch
RHBA-2015:0594 bugfix        rubygem-rake-0.9.6-24.el7.noarch
RHBA-2015:1158 bugfix        rubygem-rake-0.9.6-25.el7_1.noarch
RHEA-2016:2422 enhancement   rubygem-rake-0.9.6-29.el7.noarch

We are currently shipping rubygem-rake-0.9.2.2-41.el7sat, which is outdated and vulnerable to the above CVE. We need to get an updated version of this rubygem into Satellite 6.2.
*** HOTFIX PACKAGE AVAILABLE ***

For users who need to update rubygem-rake to remove warnings around RHSA-2014:1912, you can utilize the attached hotfix package in this bug.

Instructions:
1) download rubygem-rake-0.9.6-30.el7.noarch.rpm from this bug and copy it to the Satellite server
2) yum upgrade ./rubygem-rake-0.9.6-30.el7.noarch.rpm
3) katello-service restart
Created attachment 1389116: hotfix RPM for RHEL 7
The above hotfix in comment #12 can be applied to Satellite 6.3+ as well.
yes, feel free to get the updated rubygem-rake-0.9.6-33 from https://access.redhat.com/errata/RHSA-2018:0378
VERIFIED. @Satellite 6.8.0 Snap16, foreman-proxy-2.1.2-2.el7sat.noarch

REPRO:
# rpm -qR foreman-proxy | grep rake
rubygem(rake) >= 0.8.3
# rpm -qa *rubygem-rake
rh-ruby25-rubygem-rake-12.3.0-7.el7.noarch
rubygem-rake-0.9.6-36.el7.noarch

vs. FIX:
# rpm -qR foreman-proxy | grep rake
rh-ruby25-rubygem(rake) >= 0.8.3
# rpm -qa *rubygem-rake
rh-ruby25-rubygem-rake-12.3.0-7.el7.noarch

>>> Satellite and Capsule now depend only on ruby-rake out of SCL
But I still see rubygem-rake-0.9.2.2-41.el7sat in the Satellite devel compose, while the Capsule devel compose is OK. Can you please remove it there?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.8 release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4366
**NOTICE** This issue was supposed to have been resolved in 6.8 with our adoption of the Puma webserver and our move away from Passenger. Passenger was the component in Satellite that was still requiring the older version of rubygem-rake, and we VERIFIED this bug early on in the 6.8 test cycle. Unfortunately, late in the 6.8 test cycle we identified a few critical issues with our switch to Puma that necessitated reverting back to Passenger. This caused us to have to continue shipping the older version of rubygem-rake in 6.8. We will be moving to Puma in 6.9 and will no longer ship the outdated rubygem-rake package when 6.9 is released. I'm re-opening this bug and aligning it to 6.9. The workaround outlined here: https://bugzilla.redhat.com/show_bug.cgi?id=1469267#c12 is still valid and can be utilized by customers who need this resolved.
VERIFIED. @Satellite 6.9.0 Snap16, foreman-proxy-2.3.1-1.el7sat.noarch, by the following steps:

# rpm -qR foreman-proxy | grep rake
rh-ruby25-rubygem(rake) >= 0.8.3
# rpm -qa *rubygem-rake
rh-ruby25-rubygem-rake-12.3.0-8.el7.noarch

>>> Satellite and Capsule now depend only on ruby-rake out of SCL, and no other version of ruby-rake is installed
As long as we are carrying the passenger packages, this RPM will persist in the Satellite repository. We switched to Puma as the application service for Foreman, but given that Satellite 6.9 will be the first release with Puma, we have chosen to keep Passenger as a fallback. I would expect that for Satellite 6.10 we can remove Passenger and thus remove this dependency. Mike -- we can choose to drop this for 6.9, but we will lose the ability to switch to Passenger. Thoughts?
*** Bug 1998864 has been marked as a duplicate of this bug. ***
VERIFIED. @Satellite 6.10.0 Snap15, foreman-proxy-2.5.2-1.el7sat.noarch, by the following steps:

# rpm -qR foreman-proxy | grep rake
rh-ruby27-rubygem(rake) >= 0.8.3
# rpm -qa *rubygem-rake
rh-ruby27-rubygem-rake-13.0.1-129.el7.noarch

>>> Satellite and Capsule now depend only on ruby-rake out of SCL, and no other version of ruby-rake is installed
>>> and finally there is no rubygem-rake-*.el7sat in the Satellite 6.10.0 devel compose (passenger dropped)
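An added audit script for the `rpm -qa *rubygem-rake` check used in the verification comments above; it is not part of this bug thread or of Satellite, and the sample outputs are constructed from the REPRO and FIX listings quoted in the thread. It separates SCL rake builds from the non-SCL rubygem-rake package and flags non-SCL builds older than the hotfix version-release from comment 12 using a simplified rpm version comparison.

```python
import re

NON_SCL_RAKE = "rubygem-rake"            # the non-SCL package this bug wants gone from Satellite
HOTFIX_VER, HOTFIX_REL = "0.9.6", "30"   # version-release of the hotfix RPM attached in comment 12

# Constructed sample input: the REPRO and FIX outputs of `rpm -qa *rubygem-rake` quoted above.
REPRO_OUTPUT = """rh-ruby25-rubygem-rake-12.3.0-7.el7.noarch
rubygem-rake-0.9.6-36.el7.noarch
"""
FIX_OUTPUT = "rh-ruby25-rubygem-rake-12.3.0-7.el7.noarch\n"

def parse_nvra(pkg):
    """Split 'name-version-release.arch' (rpm -qa default format, no epoch) into its fields."""
    base, arch = pkg.rsplit(".", 1)
    name_ver, release = base.rsplit("-", 1)
    name, version = name_ver.rsplit("-", 1)
    return name, version, release, arch

def rpmvercmp(a, b):
    # Simplified rpm comparison: alternating numeric/alpha segments, numeric newer than alpha,
    # leftover segments win. Tilde/caret handling of real rpmvercmp is omitted.
    sa, sb = re.findall(r"[0-9]+|[A-Za-z]+", a), re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit_rake(rpm_qa_output):
    """Return (scl_builds, non_scl_builds, non_scl_builds_older_than_hotfix)."""
    scl, non_scl, outdated = [], [], []
    for pkg in rpm_qa_output.split():          # NVRA strings contain no whitespace
        name, ver, rel, _arch = parse_nvra(pkg)
        if name == NON_SCL_RAKE:
            non_scl.append(pkg)
            c = rpmvercmp(ver, HOTFIX_VER)
            if c < 0 or (c == 0 and rpmvercmp(rel, HOTFIX_REL) < 0):
                outdated.append(pkg)           # still the build this bug calls vulnerable
        elif name.endswith("-" + NON_SCL_RAKE):
            scl.append(pkg)                    # e.g. rh-ruby25-rubygem-rake, rh-ruby27-rubygem-rake
    return scl, non_scl, outdated

def depends_only_on_scl_rake(rpm_qa_output):
    """Verification criterion from the thread: an SCL rake is present and no non-SCL rake is installed."""
    scl, non_scl, _ = audit_rake(rpm_qa_output)
    return bool(scl) and not non_scl
```

On a real host feed it `subprocess.check_output(["rpm", "-qa", "*rubygem-rake"], text=True)`; a non-empty second or third list means the host still carries a package the thread's FIX state removes.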
This bugzilla was included with Satellite 6.10, which was just released. Based upon this, closing as CURRENTRELEASE.