Bug 1862203 - Satellite tools shipping old version of rubygem-json-1.4.6-2.el6
Summary: Satellite tools shipping old version of rubygem-json-1.4.6-2.el6
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Security
Version: 6.7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Roman Plevka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-30 17:34 UTC by Yadnyawalk Tale
Modified: 2023-10-06 21:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-19 05:39:08 UTC
Target Upstream Version:
Embargoed:


Description Yadnyawalk Tale 2020-07-30 17:34:00 UTC
* Why should we update this gem?

1. To avoid future vulnerabilities (recent example: CVE-2013-0269)
https://bugzilla.redhat.com/show_bug.cgi?id=909029

2. rubygem-json-1.4.6-2.el6 is not supported by upstream now
https://github.com/flori/json/branches


* Satellite server does not ship this gem; the Satellite tools repo, however, has this as a package. All current active and upcoming streams of the tools repo ship this: 6.5, 6.6, 6.7 and 6.8.
https://errata.devel.redhat.com/package/show/rubygem-json

Comment 1 Eric Helms 2021-05-11 15:37:46 UTC
The rubygem-json package we ship is only in the RHEL 6 tools repository. Given that https://access.redhat.com/security/cve/CVE-2013-0269 has been deemed not to affect Satellite and there is no active CVE against the package, my recommendation is that we close this BZ as WONTFIX. RHEL 6 has entered the ELS phase, ending on June 30, 2024.

