1759233 – CVE-2019-16892 requires rubyzip >= 1.3

Bug 1759233 - CVE-2019-16892 requires rubyzip >= 1.3

Summary: CVE-2019-16892 requires rubyzip >= 1.3

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat CloudForms Management Engine
Classification:	Red Hat
Component:	Security
Sub Component:
Version:	5.10.11
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	GA
Target Release:	5.12.0
Assignee:	Jason Frey
QA Contact:	Sudhir Mallamprabhakara
Docs Contact:	Red Hat CloudForms Documentation
URL:
Whiteboard:
Depends On:
Blocks:	1759252 1767898
TreeView+	depends on / blocked

Reported:	2019-10-07 16:39 UTC by drew uhlmann
Modified:	2020-10-26 15:53 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1759252 1767898 (view as bug list)
Environment:
Last Closed:	2020-10-26 15:53:03 UTC
Category:	---
Cloudforms Team:	CFME Core
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description drew uhlmann 2019-10-07 16:39:42 UTC

Description of problem:
Rubyzip 1.3.0 contains a flag we need for protection against zipbombs.
see CVE-2019-16892 -- https://hakiri.io/github/ManageIQ/manageiq-automation_engine/master/01ca1fe4d416d4f374e3bd7912af6281d7e72fd6/warnings?name=Denial+of+Service

We need https://github.com/rubyzip/rubyzip/pull/403


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 drew uhlmann 2019-10-07 16:41:12 UTC

https://github.com/ManageIQ/manageiq/pull/19348
https://github.com/ManageIQ/manageiq-automation_engine/pull/375
https://github.com/ManageIQ/manageiq/pull/19360
https://github.com/ManageIQ/manageiq-automation_engine/pull/377

Note You need to log in before you can comment on or make changes to this bug.