Bug 1469267 - need updated rubygem-rake
Summary: need updated rubygem-rake
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Packaging
Version: 6.2.10
Hardware: All
OS: Linux
high
medium
Target Milestone: 6.10.0
Assignee: Eric Helms
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Duplicates: 1998864
Depends On:
Blocks:
Reported: 2017-07-10 19:00 UTC by Nithin Thomas
Modified: 2024-12-20 18:43 UTC (History)

Fixed In Version: foreman-installer-2.1.0-0, foreman-proxy-2.1.0-0
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1949186 (view as bug list)
Environment:
Last Closed: 2021-11-17 20:16:20 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
hotfix RPM for RHEL 7 (91.16 KB, application/x-rpm)
2018-01-31 17:47 UTC, Mike McCune


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3974721 0 Secure None Red Hat Satellite 6 missing latest rubygem-rake package 2019-03-10 10:53:33 UTC

Description Nithin Thomas 2017-07-10 19:00:56 UTC
package installed from rhel-7-server-satellite-capsule-6.2-rpms:

   rubygem-rake.noarch-0.9.2.2-41.el7sat 

But the following errata are available from rhel-7-server-optional-rpms:

# yum list-sec --enablerepo=rhel-7-server-optional-rpms | grep rubygem-rake

RHSA-2014:1912 Moderate/Sec.  rubygem-rake-0.9.6-22.el7_0.noarch
RHBA-2015:0594 bugfix         rubygem-rake-0.9.6-24.el7.noarch
RHBA-2015:1158 bugfix         rubygem-rake-0.9.6-25.el7_1.noarch
RHEA-2016:2422 enhancement    rubygem-rake-0.9.6-29.el7.noarch

We are currently shipping rubygem-rake-0.9.2.2-41.el7sat which is outdated and vulnerable to the above CVE.

We need to get an updated version of this rubygem into Satellite 6.2.

Comment 12 Mike McCune 2018-01-31 17:46:40 UTC
*** HOTFIX PACKAGE AVAILABLE ***

For users who need to update rubygem-rake to remove warnings around RHSA-2014:1912 you can utilize the attached hotfix package in this bug.

Instructions:

1) download rubygem-rake-0.9.6-30.el7.noarch.rpm from this bug and copy to Satellite server

2) yum upgrade ./rubygem-rake-0.9.6-30.el7.noarch.rpm

3) katello-service restart

Comment 13 Mike McCune 2018-01-31 17:47:06 UTC
Created attachment 1389116 [details]
hotfix RPM for RHEL 7

Comment 16 Mike McCune 2018-03-08 15:05:09 UTC
The above hotfix in comment #12 can be applied to Satellite 6.3+ as well.

Comment 18 Mike McCune 2018-04-27 17:48:54 UTC
Yes, feel free to get the updated rubygem-rake-0.9.6-33 from

https://access.redhat.com/errata/RHSA-2018:0378

Comment 38 Lukas Pramuk 2020-09-21 15:35:03 UTC
VERIFIED.

@Satellite 6.8.0 Snap16
foreman-proxy-2.1.2-2.el7sat.noarch


REPRO:

# rpm -qR foreman-proxy | grep rake
rubygem(rake) >= 0.8.3

# rpm -qa *rubygem-rake
rh-ruby25-rubygem-rake-12.3.0-7.el7.noarch
rubygem-rake-0.9.6-36.el7.noarch

vs. 

FIX:

# rpm -qR foreman-proxy | grep rake
rh-ruby25-rubygem(rake) >= 0.8.3

# rpm -qa *rubygem-rake
rh-ruby25-rubygem-rake-12.3.0-7.el7.noarch

>>> Satellite and Capsule now depend only on ruby-rake out of SCL

Comment 39 Lukas Pramuk 2020-09-21 15:39:18 UTC
But I still see rubygem-rake-0.9.2.2-41.el7sat in Satellite devel compose while Capsule devel compose is OK.

Can you please remove it there?

Comment 42 errata-xmlrpc 2020-10-27 12:57:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366

Comment 43 Mike McCune 2020-12-03 18:14:40 UTC
**NOTICE**

This issue was supposed to have been resolved in 6.8 with our adoption of the Puma webserver and our move away from Passenger. Passenger was our component in Satellite that was still requiring the older version of rubygem-rake and we VERIFIED this bug early on in the 6.8 test cycle. Unfortunately, late in the 6.8 test cycle we identified a few critical issues with our switch to Puma that necessitated us reverting back to Passenger. This caused us to have to continue shipping the older version of rubygem-rake in 6.8.

We will be moving to Puma in 6.9 and no longer shipping the outdated rubygem-rake package when 6.9 is released. I'm re-opening this bug and aligning it to 6.9.

The workaround outlined here:

https://bugzilla.redhat.com/show_bug.cgi?id=1469267#c12

is still valid and can be utilized for customers who need this resolved.

Comment 44 Lukas Pramuk 2021-03-08 22:08:13 UTC
VERIFIED.

@Satellite 6.9.0 Snap16
foreman-proxy-2.3.1-1.el7sat.noarch

by the following steps:

# rpm -qR foreman-proxy | grep rake
rh-ruby25-rubygem(rake) >= 0.8.3

# rpm -qa *rubygem-rake
rh-ruby25-rubygem-rake-12.3.0-8.el7.noarch

>>> Satellite and Capsule now depend only on ruby-rake out of SCL and no other version of ruby-rake is installed

Comment 46 Eric Helms 2021-03-10 19:23:27 UTC
As long as we are carrying the passenger packages, this RPM will persist to exist in the Satellite repository. We switched to Puma as the application service for Foreman, but given Satellite 6.9 will be the first release with Puma we had been choosing to keep Passenger as a fallback. I would expect that for Satellite 6.10 we can remove Passenger and thus remove this dependency of it.

Mike -- we can choose to drop this for 6.9 but will lose the ability to switch to Passenger. Thoughts?

Comment 57 Taft Sanders 2021-08-29 15:07:14 UTC
*** Bug 1998864 has been marked as a duplicate of this bug. ***

Comment 58 Lukas Pramuk 2021-09-02 08:58:39 UTC
VERIFIED.

@Satellite 6.10.0 Snap15
foreman-proxy-2.5.2-1.el7sat.noarch

by the following steps:

# rpm -qR foreman-proxy | grep rake
rh-ruby27-rubygem(rake) >= 0.8.3

# rpm -qa *rubygem-rake
rh-ruby27-rubygem-rake-13.0.1-129.el7.noarch

>>> Satellite and Capsule now depend only on ruby-rake out of SCL and no other version of ruby-rake is installed


>>> and finally there is no rubygem-rake-*.el7sat in Satellite 6.10.0 devel compose (passenger dropped)
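The verification steps used in this bug (`rpm -qR foreman-proxy | grep rake` and `rpm -qa *rubygem-rake`) can be scripted for fleet-wide checks. The following is an added example, not part of the original bug or Red Hat tooling: the function names are hypothetical, the version compare is a simplified form of rpm's algorithm, and the sample package strings are the ones quoted in this bug, written in `rpm -qa` form.

```python
import re

# Fixed build for RHSA-2014:1912, as listed in the bug description.
FIXED_VERSION, FIXED_RELEASE = "0.9.6", "22.el7_0"

def rpmvercmp(a, b):
    """Simplified rpm version compare (no ~ or ^ handling): -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment beats alpha
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def parse_nvra(nvra):
    """Split name-version-release.arch as printed by `rpm -qa`."""
    nvr, _arch = nvra.strip().rsplit(".", 1)
    return tuple(nvr.rsplit("-", 2))

def audit_rake(rpm_qa_lines):
    """Classify every *rubygem-rake package in `rpm -qa` output."""
    findings = []
    for line in rpm_qa_lines:
        name, version, release = parse_nvra(line)
        if not name.endswith("rubygem-rake"):
            continue
        if name != "rubygem-rake":
            status = "scl"                       # e.g. rh-ruby25-rubygem-rake
        elif (rpmvercmp(version, FIXED_VERSION)
              or rpmvercmp(release, FIXED_RELEASE)) < 0:
            status = "older-than-RHSA-2014:1912-build"
        else:
            status = "base-package-still-installed"
        findings.append((name, f"{version}-{release}", status))
    return findings

def requires_base_rake(rpm_qr_lines):
    """True if `rpm -qR foreman-proxy` output still names non-SCL rake."""
    return any(l.strip().startswith("rubygem(rake)") for l in rpm_qr_lines)

# Sample input: package strings from this bug, in `rpm -qa` form.
SAMPLE_QA = ["rubygem-rake-0.9.2.2-41.el7sat.noarch",
             "rubygem-rake-0.9.6-36.el7.noarch",
             "rh-ruby25-rubygem-rake-12.3.0-7.el7.noarch"]

if __name__ == "__main__":
    for finding in audit_rake(SAMPLE_QA):
        print(*finding)
    print(requires_base_rake(["rubygem(rake) >= 0.8.3"]))   # REPRO output
```

The `.el7sat` and `.el7` builds come from different repositories, so the "older" status only reproduces the comparison the reporter drew against the RHEL errata list.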

Comment 59 Brad Buckingham 2021-11-17 20:16:20 UTC
This bugzilla was included with Satellite 6.10, which was just released.  Based upon this, closing as CURRENTRELEASE.

