rocky-linux/peridot

[Bug] Errata for modules does not specify module name and version

Closed this issue · 8 comments

Describe The Bug

Current errata implementation does not properly specify module name and version in the API.

Reproduction Steps

N/A

Expected Behavior

Module name and stream is specified in the errata and API.

Version and Build Information

Current

Additional context

No response

mstg commented

This is something we can definitely do. I think we can include it in the next batch of Apollo updates.

@nazunalika where were you thinking we add the information? We could add it to the 'affectedProducts' field, maybe?

I'm not sure. What I can tell is in Red Hat's metadata, there is a <module ...> tag that is used. Our updateinfo metadata doesn't provide this and I think it's important information. I'm not sure how Red Hat's API provides this information either, but I just know the metadata will show that tag. For example:

        <module context="cdc1202b" version="8010020190711095715" arch="x86_64" name="ruby" stream="2.6" />
        <module context="55190bc5" version="8000020190524123348" arch="x86_64" name="ruby" stream="2.5" />
        <module context="522a0ee4" version="8040020210728141159" arch="x86_64" name="ruby" stream="2.7" />
        <module context="30b713e6" version="8030020200624105530" arch="x86_64" name="ruby" stream="2.5" />
        <module context="522a0ee4" version="8040020200923213910" arch="x86_64" name="ruby" stream="2.5" />
        <module context="30b713e6" version="8030020200626154145" arch="x86_64" name="ruby" stream="2.7" />
        <module context="522a0ee4" version="8040020210430142949" arch="x86_64" name="ruby" stream="2.6" />
        <module context="522a0ee4" version="8040020210421133318" arch="x86_64" name="ruby" stream="2.7" />
        <module context="c5368500" version="8050020211215144356" arch="x86_64" name="ruby" stream="2.6" />
        <module context="c5368500" version="8050020220112131355" arch="x86_64" name="ruby" stream="2.5" />
        <module context="c5368500" version="8050020220216195847" arch="x86_64" name="ruby" stream="2.5" />
        <module context="b4937e53" version="8050020211006085658" arch="x86_64" name="ruby" stream="3.0" />
        <module context="ad008a3a" version="8060020220715152618" arch="x86_64" name="ruby" stream="2.5" />
        <module context="ad008a3a" version="8060020220527104428" arch="x86_64" name="ruby" stream="2.6" />
        <module context="ad008a3a" version="8060020220810162001" arch="x86_64" name="ruby" stream="3.0" />
        <module context="ad008a3a" version="8060020220728151401" arch="x86_64" name="ruby" stream="2.7" />
        <module context="3b9f49c4" version="8070020220503104335" arch="x86_64" name="ruby" stream="3.1" />

To add onto this, here's an example of our errata not providing that <module ...> tag information.

  <update from="releng@rockylinux.org" status="final" type="security" version="2">
    <id>RLSA-2022:6450</id>
    <title>Moderate: ruby:3.0 security, bug fix, and enhancement update</title>
    <issued date="2022-09-23 19:43:52"></issued>
    <updated date="2022-09-13 00:00:00"></updated>
    <rights>Copyright (C) 2022 Rocky Enterprise Software Foundation</rights>
    <release>Rocky Linux 8</release>
    <pushcount>1</pushcount>
    <severity>SEVERITY_MODERATE</severity>
    <summary>An update for the ruby:3.0 module is now available for Rocky Linux 8.&#xA;Rocky Enterprise Software Foundation Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</summary>
    <description>Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.&#xA;The following packages have been upgraded to a later upstream version: ruby (3.0.4). (BZ#2109431)&#xA;For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.</description>
    <references>
      <reference href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-28738.json" id="CVE-2022-28738" type="cve" title="Update information for CVE-2022-28738 is retrieved from Red Hat"></reference>
    </references>
    <pkglist>
      <collection short="RL8">
        <name>Rocky Linux 8</name>
        <package name="ruby" version="3.0.4" release="141.module+el8.6.0+1002+a7dba0ac" epoch="0" arch="i686" src="ruby-3.0.4-141.module+el8.6.0+1002+a7dba0ac.src.rpm">
          <filename>ruby-3.0.4-141.module+el8.6.0+1002+a7dba0ac.i686.rpm</filename>
          <reboot_suggested></reboot_suggested>
          <sum type="sha256">859c104f5b2cc9fb9980ba7286dbf0c75930bbc5115cedc2df3591543471de31</sum>
        </package>
. . .
        </package>
      </collection>
    </pkglist>
  </update>

But our upstream has it.

  <update status="final" from="release-engineering@redhat.com" version="3" type="security">
    <id>RHSA-2022:6450</id>
    <issued date="2022-09-13 07:36:53 UTC" />
    <title>Moderate: ruby:3.0 security, bug fix, and enhancement update</title>
    <release>0</release>
    <rights>Copyright 2022 Red Hat Inc</rights>
    <solution>For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258</solution>
    <severity>Moderate</severity>
    <summary>An update for the ruby:3.0 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</summary>
    <pushcount>3</pushcount>
    <description>Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version: ruby (3.0.4). (BZ#2109431)

Security Fix(es):

* ruby: Regular expression denial of service vulnerability of Date parsing methods (CVE-2021-41817)

* ruby: Cookie prefix spoofing in CGI::Cookie.parse (CVE-2021-41819)

* Ruby: Double free in Regexp compilation (CVE-2022-28738)

* Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* ruby 3.0: User-installed rubygems plugins are not being loaded [RHEL8] (BZ#2110981)</description>
    <updated date="2022-09-13 07:36:52 UTC" />
    <references>
      <reference href="https://access.redhat.com/errata/RHSA-2022:6450" type="self" id="RHSA-2022:6450" title="RHSA-2022:6450" />
      <reference href="https://bugzilla.redhat.com/show_bug.cgi?id=2025104" type="bugzilla" id="2025104" title="CVE-2021-41817 ruby: Regular expression denial of service vulnerability of Date parsing methods" />
      <reference href="https://bugzilla.redhat.com/show_bug.cgi?id=2026757" type="bugzilla" id="2026757" title="CVE-2021-41819 ruby: Cookie prefix spoofing in CGI::Cookie.parse" />
      <reference href="https://bugzilla.redhat.com/show_bug.cgi?id=2075685" type="bugzilla" id="2075685" title="CVE-2022-28738 Ruby: Double free in Regexp compilation" />
      <reference href="https://bugzilla.redhat.com/show_bug.cgi?id=2075687" type="bugzilla" id="2075687" title="CVE-2022-28739 Ruby: Buffer overrun in String-to-Float conversion" />
      <reference href="https://bugzilla.redhat.com/show_bug.cgi?id=2109431" type="bugzilla" id="2109431" title="ruby:3.0/ruby: Rebase to the latest Ruby 3.0 release [rhel-8] [rhel-8.6.0.z]" />
      <reference href="https://bugzilla.redhat.com/show_bug.cgi?id=2110981" type="bugzilla" id="2110981" title="ruby 3.0: User-installed rubygems plugins are not being loaded [RHEL8] [rhel-8.6.0.z]" />
      <reference href="https://access.redhat.com/security/cve/CVE-2021-41817" type="cve" id="CVE-2021-41817" title="CVE-2021-41817" />
      <reference href="https://access.redhat.com/security/cve/CVE-2021-41819" type="cve" id="CVE-2021-41819" title="CVE-2021-41819" />
      <reference href="https://access.redhat.com/security/cve/CVE-2022-28738" type="cve" id="CVE-2022-28738" title="CVE-2022-28738" />
      <reference href="https://access.redhat.com/security/cve/CVE-2022-28739" type="cve" id="CVE-2022-28739" title="CVE-2022-28739" />
      <reference href="https://access.redhat.com/security/updates/classification/#moderate" type="other" id="classification" title="moderate" />
    </references>
    <pkglist>
      <collection short="rhel-8-for-x86_64-appstream-rpms__8_1_ruby">
        <name>rhel-8-for-x86_64-appstream-rpms__8_1_ruby</name>
        <module context="ad008a3a" version="8060020220810162001" arch="x86_64" name="ruby" stream="3.0" />
        <package src="rubygem-mysql2-0.5.3-1.module+el8.5.0+11580+845038eb.src.rpm" name="rubygem-power_assert" epoch="0" version="1.2.0" release="141.module+el8.6.0+16311+3e5e17e9" arch="noarch">
          <filename>rubygem-power_assert-1.2.0-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm</filename>
          <sum type="sha256">4914da7300318813829600bfc14c205d0fe8c89bd319acff6380b60d57654b6d</sum>
        </package>
        . . .
        </package>
      </collection>
    </pkglist>
  </update>

We should probably get that part addressed and follow up with the fixes to the API.
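As an added example (not part of this thread and not peridot's own code), here is a small Go checker that parses updateinfo.xml in the shape quoted above, records whether each advisory's collection carries a <module> element, and flags advisories whose packages look modular (release tag contains ".module+") but have no <module> element, which is exactly the gap reported here. The embedded sample document is constructed from the two advisories above with most fields trimmed; the type names, the Finding/NSVCA helpers and the ".module+" heuristic are the example's own assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// SampleUpdateinfo is a constructed, trimmed updateinfo document modelled on
// the two advisories quoted in the thread: the Rocky one carries no <module>
// element, the upstream one does. Checksums and most fields are omitted.
const SampleUpdateinfo = `<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update from="releng@rockylinux.org" status="final" type="security" version="2">
    <id>RLSA-2022:6450</id>
    <pkglist>
      <collection short="RL8">
        <name>Rocky Linux 8</name>
        <package name="ruby" version="3.0.4" release="141.module+el8.6.0+1002+a7dba0ac" epoch="0" arch="i686"/>
        <package name="rubygem-power_assert" version="1.2.0" release="141.module+el8.6.0+1002+a7dba0ac" epoch="0" arch="noarch"/>
      </collection>
    </pkglist>
  </update>
  <update status="final" from="release-engineering@redhat.com" version="3" type="security">
    <id>RHSA-2022:6450</id>
    <pkglist>
      <collection short="rhel-8-for-x86_64-appstream-rpms__8_1_ruby">
        <name>rhel-8-for-x86_64-appstream-rpms__8_1_ruby</name>
        <module context="ad008a3a" version="8060020220810162001" arch="x86_64" name="ruby" stream="3.0"/>
        <package name="rubygem-power_assert" version="1.2.0" release="141.module+el8.6.0+16311+3e5e17e9" epoch="0" arch="noarch"/>
      </collection>
    </pkglist>
  </update>
</updates>`

// Minimal updateinfo model covering only the elements this check needs.
type Updates struct {
	XMLName xml.Name `xml:"updates"`
	Updates []Update `xml:"update"`
}

type Update struct {
	ID          string       `xml:"id"`
	Collections []Collection `xml:"pkglist>collection"`
}

type Collection struct {
	Short    string    `xml:"short,attr"`
	Module   *Module   `xml:"module"` // nil when the element is absent
	Packages []Package `xml:"package"`
}

type Module struct {
	Name    string `xml:"name,attr"`
	Stream  string `xml:"stream,attr"`
	Version string `xml:"version,attr"`
	Context string `xml:"context,attr"`
	Arch    string `xml:"arch,attr"`
}

type Package struct {
	Name    string `xml:"name,attr"`
	Release string `xml:"release,attr"`
}

// NSVCA renders the module as name:stream:version:context:arch, the
// identifier modular tooling uses to pin a specific module build.
func (m Module) NSVCA() string {
	return strings.Join([]string{m.Name, m.Stream, m.Version, m.Context, m.Arch}, ":")
}

// Finding summarises one advisory collection's module metadata.
type Finding struct {
	AdvisoryID  string
	Collection  string
	Module      *Module
	ModularPkgs int // packages whose release tag contains ".module+"
}

// CheckModuleMetadata parses an updateinfo document and reports, per
// collection, whether a <module> element is present and how many of the
// listed packages are modular builds (heuristic: ".module+" in the release).
func CheckModuleMetadata(doc string) ([]Finding, error) {
	var u Updates
	if err := xml.Unmarshal([]byte(doc), &u); err != nil {
		return nil, fmt.Errorf("parse updateinfo: %w", err)
	}
	var out []Finding
	for _, up := range u.Updates {
		for _, c := range up.Collections {
			f := Finding{AdvisoryID: up.ID, Collection: c.Short, Module: c.Module}
			for _, p := range c.Packages {
				if strings.Contains(p.Release, ".module+") {
					f.ModularPkgs++
				}
			}
			out = append(out, f)
		}
	}
	return out, nil
}

// MissingModuleTags returns the advisory IDs that ship modular packages in a
// collection without a <module> element, so a consumer cannot tell which
// stream (ruby:2.5, ruby:3.0, ...) the advisory applies to.
func MissingModuleTags(fs []Finding) []string {
	var ids []string
	seen := map[string]bool{}
	for _, f := range fs {
		if f.ModularPkgs > 0 && f.Module == nil && !seen[f.AdvisoryID] {
			seen[f.AdvisoryID] = true
			ids = append(ids, f.AdvisoryID)
		}
	}
	return ids
}

func main() {
	findings, err := CheckModuleMetadata(SampleUpdateinfo)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		if f.Module != nil {
			fmt.Printf("%s [%s]: module %s, %d modular packages\n", f.AdvisoryID, f.Collection, f.Module.NSVCA(), f.ModularPkgs)
		} else {
			fmt.Printf("%s [%s]: no <module> element, %d modular packages\n", f.AdvisoryID, f.Collection, f.ModularPkgs)
		}
	}
	fmt.Println("advisories missing module metadata:", MissingModuleTags(findings))
}
```

Pointed at a real repodata directory, the same parser can be run over the decompressed updateinfo.xml that dnf downloads; any advisory whose collection lists ".module+" releases but no <module> element cannot be matched to a stream by name alone, since the same package names ship in several streams.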

TY for that info. That will help immensely. Should be able to merge this before/with #82.

mstg commented

That is something we can accomplish. We'll probably be able to bring it to 9 errata first together with #82. We then need to add support for the module field to the legacy publisher for 8.

@mstg I think this is fixed, yes?

mstg commented

This is fixed