Bug #23312

angular-rails-templates uses MD5 causing problems FIPS-enabled environments

Added by Peter Ondrejka 8 months ago. Updated 2 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: RPMs
Target version: -
Difficulty:
Triaged: Yes
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

The angular-rails-templates gem is probably not FIPS compatible. This came out after enabling FIPS mode on the underlying RHEL 7 (using a workaround that overrides the Digest::MD5 class and logs which gem used it). After restarting services I'm seeing:

2018-04-18T08:57:36 [W|app|] FIPS issue: calling 'hexdigest' from
 | /opt/theforeman/tfm/root/usr/share/gems/gems/angular-rails-templates-1.0.2/lib/angular-rails-templates/engine.rb:43:in `block in <class:Engine>'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.4/lib/rails/initializable.rb:30:in `instance_exec'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.4/lib/rails/initializable.rb:30:in `run'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.4/lib/rails/initializable.rb:59:in `block in run_initializers'
 | /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:228:in `block in tsort_each'
 | /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:350:in `block (2 levels) in each_strongly_connected_component'
 | /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:431:in `each_strongly_connected_component_from'
 | /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:349:in `block in each_strongly_connected_component'
 | /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `each'
 | /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `call'
 | /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `each_strongly_connected_component'
 | /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:226:in `tsort_each'
 | /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:205:in `tsort_each'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.4/lib/rails/initializable.rb:58:in `run_initializers'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.4/lib/rails/application.rb:353:in `initialize!'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.4/lib/rails/railtie.rb:185:in `public_send'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.4/lib/rails/railtie.rb:185:in `method_missing'
 | /usr/share/foreman/config/environment.rb:5:in `<top (required)>'
 | /opt/rh/rh-ruby24/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
 | /opt/rh/rh-ruby24/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/polyglot-0.3.5/lib/polyglot.rb:65:in `require'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activesupport-5.1.4/lib/active_support/dependencies.rb:292:in `block in require'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activesupport-5.1.4/lib/active_support/dependencies.rb:258:in `load_dependency'
 | /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activesupport-5.1.4/lib/active_support/dependencies.rb:292:in `require'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/rails/daemon.rb:46:in `run'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/rails/daemon.rb:81:in `block (2 levels) in run_background'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/application.rb:265:in `block in start_proc'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/daemonize.rb:84:in `call_as_daemon'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/application.rb:269:in `start_proc'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/application.rb:295:in `start'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:49:in `block (3 levels) in watch'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:49:in `fork'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:49:in `block (2 levels) in watch'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:43:in `each'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:43:in `block in watch'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:42:in `loop'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:42:in `watch'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:66:in `block in start_with_pidfile'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:61:in `fork'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:61:in `start_with_pidfile'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/monitor.rb:92:in `start'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/application_group.rb:141:in `create_monitor'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/application.rb:283:in `start'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/controller.rb:56:in `run'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons.rb:193:in `block in run_proc'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/cmdline.rb:88:in `catch_exceptions'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons.rb:192:in `run_proc'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/rails/daemon.rb:75:in `block in run_background'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/rails/daemon.rb:74:in `times'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.0.0/lib/dynflow/rails/daemon.rb:74:in `run_background'
 | /usr/sbin/dynflowd:71:in `block in <main>'
 | /usr/sbin/dynflowd:67:in `chdir'
 | /usr/sbin/dynflowd:67:in `<main>'
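
The description refers to a workaround that overrides Digest::MD5 and logs the calling gem, but the report does not include it. The following is an added example, not the reporter's workaround or Foreman code, of one way to build such an audit hook; the `MD5Audit` module, its `CALLS` sink and the `:md5_audit_active` thread key are hypothetical names.

```ruby
require 'digest/md5'

# Added example, not Foreman's code: report which gem calls Digest::MD5.
module MD5Audit
  CALLS = [] # in-memory sink for the example; a real app would use its logger

  # "name-version" of the gem owning an installed-gem path, nil otherwise.
  # Requiring "-<digit>" skips the doubled ".../gems/gems/..." directory.
  def self.gem_of(path)
    path[%r{/gems/([^/]+-\d[^/]*)/}, 1]
  end

  # Record only the outermost MD5 entry point on this thread, so internal
  # chains such as hexdigest -> digest are logged once. Returns true when
  # the caller is the outermost one and must call leave afterwards.
  def self.enter(meth, loc)
    return false if Thread.current[:md5_audit_active]
    Thread.current[:md5_audit_active] = true
    CALLS << { method: meth, gem: gem_of(loc.path.to_s) || '(not a gem)',
               site: "#{loc.path}:#{loc.lineno}" }
    true
  end

  def self.leave
    Thread.current[:md5_audit_active] = false
  end

  # Prepended onto Digest::MD5's singleton class; other digests are untouched.
  module ClassHooks
    %i[new digest hexdigest base64digest].each do |meth|
      define_method(meth) do |*args, &blk|
        outermost = MD5Audit.enter(meth, caller_locations(1, 1).first)
        begin
          super(*args, &blk)
        ensure
          MD5Audit.leave if outermost
        end
      end
    end
  end
end

Digest::MD5.singleton_class.prepend(MD5Audit::ClassHooks)
```

Loaded before the application's initializers run, each entry in `MD5Audit::CALLS` names the first frame that reached MD5, which in the trace above would be `engine.rb:43` of angular-rails-templates-1.0.2.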

Related issues

Blocks Foreman - Feature #3511: As a security person, I would like Foreman to run in FIPS mode (Resolved)

History

#1 Updated by Peter Ondrejka 8 months ago

  • Subject changed from angular-rails-templates uses MD5 causing problems FIPS-enable envrionment added to angular-rails-templates uses MD5 causing problems FIPS-enabled envrionments

#2 Updated by Peter Ondrejka 8 months ago

  • Blocks Feature #3511: As a security person, I would like Foreman to run in FIPS mode added

#3 Updated by Justin Sherrill 8 months ago

  • Legacy Backlogs Release (now unused) set to 114

#5 Updated by Ivan Necas 3 months ago

  • Triaged set to No
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-packaging/pull/3046 added

Since the upstream is not responsive, proposing pulling the change in during the RPM packaging in https://github.com/theforeman/foreman-packaging/pull/3046

#6 Updated by Jonathon Turel 2 months ago

  • Triaged changed from No to Yes
  • Target version deleted (Katello Backlog)
  • Category set to RPMs
  • Project changed from Katello to Packaging
  • Fixed in Releases 1.20.0 added

#7 Updated by Michael Moll 2 months ago

  • Status changed from Ready For Testing to Closed
