Bug 236542 - Missing rhn.redhat.com/errata entries
Status: CLOSED CURRENTRELEASE
Product: Red Hat Network
Classification: Red Hat
Component: RHN/Backend
RHN Stable
All Linux
urgent Severity urgent
Assigned To: Grant Gainey
joseph canton
Duplicates: 238703
Blocks: 239809
Reported: 2007-04-16 06:31 EDT by Mark J. Cox (Product Security)
Modified: 2007-07-25 11:15 EDT (History)
Fixed In Version: 5.0.2
Doc Type: Bug Fix
Last Closed: 2007-07-25 11:15:25 EDT
Description Mark J. Cox (Product Security) 2007-04-16 06:31:14 EDT
There is a regression with the /errata/ page handling on RHN Hosted: we are
missing many non-RHEL errata on RHN.

Two advisories for the old "Red Hat Application Server" product are not showing
on /errata/.  The second one used to be there but has vanished at some point.

http://rhn.redhat.com/errata/RHSA-2007-0164.html
http://rhn.redhat.com/errata/RHSA-2006-0157.html

We're also missing RHSA-2006-0592, RHSA-2006-0161, RHSA-2006-0281

And RHSA-2006-0270 (directory server one) is missing but RHSA-2005-030 (also
directory server) is there.

Interestingly they appear on the CVE page; so 

https://rhn.redhat.com/cve/CVE-2006-1546.html links to
http://rhn.redhat.com/errata/RHSA-2006-0281.html which is missing. 

My suspicion is that some code designed to hide things for shadow updates is
catching these issues.

This is very serious as these errata are not available elsewhere from Red Hat.
Comment 1 Grant Gainey 2007-04-30 11:10:46 EDT
So the bug is due to over-zealous hiding of shadow-channels.  The assumption
made in the code is that, if a channel isn't associated with a Product, it must
be shadow - which is incorrect.

Recent discussion with the security team resulted in this:

=====
Looking at the errata tool, all the shadow channels have -shadow appended to
their name.  So I'd say that your test ought to look for the presence
of "-shadow" to make the determination if it's a shadow errata.

example:
    rhel-x86_64-es-3
    rhel-x86_64-es-3-shadow

    rhel-s390-as-4-extras
    rhel-s390-as-4-extras-shadow 
=====

Assuming we can make sure the shadow-channel-creation tools enforce this (as
opposed to having some human interaction making it happen), then the
Errata.pm::is_public() code can be taught to rely on
"rhnChannel.name.upperCase.endsWith("SHADOW") == NOT PUBLIC"

Comment 2 Mark J. Cox (Product Security) 2007-04-30 11:28:19 EDT
We need a short-term fix as soon as possible: RHN is the only source of many of
these errata which have vanished.  When can this change be made on RHN hosted live?
Comment 3 Grant Gainey 2007-04-30 11:56:55 EDT
Not until after it's been tested to make sure we're not breaking more than we're
fixing.  Right now we're trying to set up a testcase in WEBDEV for "errata
exists in a shadow channel" - until I can see errata being -hidden- in that
case, I can't ship a fix.

If you search for the errata by advisory-number, you can find them.  The problem
is specifically a UI issue on the Perl rhn./errata/foo.html pages only.  For
example:

https://rhn.redhat.com/rhn/errata/details/Details.do?eid=3638

shows us RHSA-2006:157

Obviously only useful if you're a registered user, but at least we know the data
is there and available, it's just a matter of easing the UI restriction while
not allowing for embargoed errata to be exposed.
Comment 4 Mark J. Cox (Product Security) 2007-04-30 13:31:05 EDT
Understood, I'm after an idea of how long it'll be before a fix is available so
I can work out if we need to do any mitigation.
Comment 5 Bret McMillan 2007-05-11 11:51:02 EDT
Aligning to rhn502, think end of June.

Grant:  why not just make the appropriate rhnProduct & rhnProductLine rows,
instead of weaker string checks?
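
The two visibility rules discussed in Comments 1 and 5, as an added example that is not part of the original bug report and is not RHN's Errata.pm code: a small Python model showing what each rule hides and which channels need a product row or a rename before the rule is switched. The erratum ids, the "example-" channel names and the "listed if any channel is non-shadow" policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Channel:
    name: str
    product: Optional[str]  # None models "channel has no associated Product"

def shadow_by_missing_product(ch):
    # The assumption Comment 1 identifies as incorrect: no Product means shadow.
    return ch.product is None

def shadow_by_name(ch):
    # The naming rule quoted in Comment 1: shadow channels end in "-shadow".
    return ch.name.lower().endswith("-shadow")

def is_public(channels, is_shadow):
    # Assumed policy: an erratum is listed if any of its channels is non-shadow.
    return any(not is_shadow(ch) for ch in channels)

# Constructed sample data. The first two names are the examples quoted in
# Comment 1; the "example-" channels and all erratum ids are placeholders.
ES3 = Channel("rhel-x86_64-es-3", "RHEL")
ES3_SHADOW = Channel("rhel-x86_64-es-3-shadow", None)
APPSERVER = Channel("example-appserver-1", None)      # non-RHEL, no Product
MISNAMED = Channel("example-embargo-staging", None)   # shadow, suffix missing

ERRATA = {
    "EXAMPLE-RHEL": [ES3, ES3_SHADOW],
    "EXAMPLE-NON-RHEL": [APPSERVER],
    "EXAMPLE-EMBARGOED": [ES3_SHADOW],
    "EXAMPLE-MISNAMED-EMBARGO": [MISNAMED],
}

def listing(is_shadow):
    # Set of erratum ids that would appear on the public errata page.
    return {eid for eid, chans in ERRATA.items() if is_public(chans, is_shadow)}

def newly_exposed():
    # Errata the name rule publishes that the product rule hid. Each entry is
    # either the regression being fixed or an embargo leak, so review them all.
    return sorted(listing(shadow_by_name) - listing(shadow_by_missing_product))

def unclassified_channels():
    # Channels with no Product and no "-shadow" suffix: the two rules disagree
    # on these, so they need a product row (Comment 5) or a rename.
    chans = {ch for chans in ERRATA.values() for ch in chans}
    return sorted(c.name for c in chans
                  if c.product is None and not shadow_by_name(c))

if __name__ == "__main__":
    print("newly exposed:", newly_exposed())
    print("needs product row or rename:", unclassified_channels())
```

The product-based rule fails closed (it hides the non-RHEL erratum), while the name-based rule fails open for any shadow channel created without the suffix, which is why Comment 1 conditions it on the creation tools enforcing the name.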
Comment 6 Mark J. Cox (Product Security) 2007-05-24 09:00:54 EDT
Just to make sure I underline how serious this issue is to us; we released a
security update today for example for Red Hat Developer Suite which isn't
accessible via Red Hat Network /errata/ page even though we listed the URL in
the advisory we've sent out.

https://rhn.redhat.com/errata/RHSA-2007-0328.html --> missing
Comment 7 Grant Gainey 2007-06-06 11:34:59 EDT
*** Bug 238703 has been marked as a duplicate of this bug. ***
Comment 8 Grant Gainey 2007-06-06 14:19:41 EDT
The only things that need to be done now are to run the data-changes against
prod, and then get the new product-list page into prod so that one can see the
RHX Product.
Comment 9 Grant Gainey 2007-06-07 13:29:44 EDT
The data changes are already active in PRODUCTION.  The rhn.redhat.com/errata
page will not show an "RHX" product-line until 502 (and this bug) is released to
production.
Comment 10 Grant Gainey 2007-06-15 08:49:00 EDT
We made it into DEV - woot
Comment 11 Grant Gainey 2007-06-18 17:50:51 EDT
ON_QA, ready for verification
Comment 12 joseph canton 2007-06-27 14:14:51 EDT
QA Test Cases and comments:

RHSA-2007:0164   
Following 3 test cases show data changes on live are verified.
found on live w/ Erratum Search
found on rhn.redhat.com/errata/rhel4-aps-2-errata.html 
(Application Server v2)


RHSA-2006:0592 and RHSA-2006:157
found on live w/ Erratum Search
found on rhn.redhat.com/errata/rhel3-apps-2-errata.html
(Application Server v1 EL3)


On Webqa, verify RHX added to product-list page shows:
Verified, rhn.webqa.redhat.com/errata shows Red Hat eXchange as last item.


Changing status to verified. J.




Comment 13 James Bowes 2007-07-25 11:15:25 EDT
rhn502 released.
