Bug #36405

closed

ruby-foreman-templates DEB package includes old versions of git and diffy GEMs

Added by Konstantin Orekhov almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Category:
Debian/Ubuntu
Target version:
-

Description

During my attempt to migrate our Foreman to 3.6.1 on Ubuntu 20.04, our security scanners reported the following GEM packages:

stop vulnerabilities package CRITICAL Vulnerability found in non-os package type (gem) - /usr/share/foreman/vendor/ruby/2.7.0/specifications/git-1.7.0.gemspec (fixed in: 1.11.0)(GHSA-69p6-wvmq-27gg - https://github.com/advisories/GHSA-69p6-wvmq-27gg)

stop vulnerabilities package CRITICAL Vulnerability found in non-os package type (gem) - /usr/share/foreman/vendor/ruby/2.7.0/specifications/diffy-3.3.0.gemspec (fixed in: 3.4.1)(GHSA-5ww9-9qp2-x524 - https://github.com/advisories/GHSA-5ww9-9qp2-x524)

Based on the content of the DEB packages I'm installing, the above gems come from the ruby-foreman-templates package:
$ dpkg -x ./ruby-foreman-templates_9.3.0-2_all.deb ttt
$ ls -l ~/ttt/usr/share/foreman/vendor/cache
total 260
drwxr-xr-x 2 korekhov korekhov 4096 Jul 19 2022 ./
drwxr-xr-x 3 korekhov korekhov 4096 Jul 19 2022 ../
-rw-r--r-- 1 korekhov korekhov 17920 Dec 29 2018 diffy-3.3.0.gem
-rw-r--r-- 1 korekhov korekhov 49152 May 16 2022 foreman_templates-9.3.0.gem
-rw-r--r-- 1 korekhov korekhov 31232 Apr 25 2020 git-1.7.0.gem
-rw-r--r-- 1 korekhov korekhov 153600 Jun 1 2018 rchardet-1.8.0.gem

I had a similar issue with 3.3.1 (which also had the activerecord gem flagged). I know that 3.3 is not supported anymore; I'm just pointing out that this appears to be a pretty old issue.

Can this package be re-built with patched versions (git-1.11.0 and diffy-3.4.1 gems), please?
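The check the reporter did by hand (extract the .deb, look at vendor/cache) can be scripted so a packager or administrator catches a stale vendored gem before a scanner does. The script below is an added example, not code from the report or from the foreman-packaging project: it parses the name-version.gem filenames and flags any gem below the fixed version the two cited advisories give (git 1.11.0, diffy 3.4.1). The version table, the function names and the filename convention are assumptions.

```shell
#!/bin/sh
# Audit gems vendored in an extracted DEB against known fixed versions.
# Usage: dpkg -x ruby-foreman-templates_9.3.0-2_all.deb out
#        sh gemaudit.sh out/usr/share/foreman/vendor/cache

# Minimum fixed versions taken from the advisories cited in the report
# (GHSA-69p6-wvmq-27gg for git, GHSA-5ww9-9qp2-x524 for diffy).
FIXED_VERSIONS="git=1.11.0 diffy=3.4.1"

# version_lt A B: return 0 if dotted numeric version A is older than B.
# Missing components count as 0, so 3.4 equals 3.4.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# check_gem_cache DIR: print "name current fixed" for every gem in DIR
# that is below its fixed version; return 1 if any were found, else 0.
check_gem_cache() {
    dir="$1"; found=0
    for f in "$dir"/*.gem; do
        [ -e "$f" ] || continue
        base="${f##*/}"; base="${base%.gem}"
        # Gem files are named <name>-<version>.gem; split on the last dash.
        name="${base%-*}"; ver="${base##*-}"
        for entry in $FIXED_VERSIONS; do
            fname="${entry%%=*}"; fver="${entry#*=}"
            if [ "$name" = "$fname" ] && version_lt "$ver" "$fver"; then
                echo "$name $ver $fver"
                found=1
            fi
        done
    done
    return $found
}

# Run against the directory given on the command line, if any.
[ $# -ge 1 ] && check_gem_cache "$1"
```

The non-zero exit status makes the check usable as a gate in a package build or CI job.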

#1

Updated by Ewoud Kohl van Wijngaarden almost 2 years ago

  • Category set to Debian/Ubuntu

#7

Updated by Evgeni Golov almost 2 years ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/9400 added

#8

Updated by Anonymous almost 2 years ago

  • Status changed from New to Closed

#11

Updated by The Foreman Bot almost 2 years ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/9405 added

#13

Updated by Evgeni Golov almost 2 years ago

  • Category deleted (Debian/Ubuntu)
  • Fixed in Releases 3.6.2, 3.7.0 added

#14

Updated by Evgeni Golov almost 2 years ago

  • Category set to Debian/Ubuntu
  • Assignee set to Konstantin Orekhov

#15

Updated by Ewoud Kohl van Wijngaarden almost 2 years ago

  • Triaged changed from No to Yes