-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2138
     security update - Red Hat Ansible Tower 3.7.1-1 - RHEL7 Container
                               19 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Ansible Tower 3.7.1-1
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10782  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:2617

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running Red Hat Ansible Tower 3.7.1-1 check for an updated version 
         of the software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: security update - Red Hat Ansible Tower 3.7.1-1 - RHEL7 Container
Advisory ID:       RHSA-2020:2617-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2617
Issue date:        2020-06-18
CVE Names:         CVE-2020-10782 
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.7.1-1 - RHEL7 Container

2. Description:

* Updated rsyslog integration to not write world-readable configuration
files (CVE-2020-10782)
* Updated the included foreman/satellite inventory plugin to add the
host_filters and want_ansible_ssh_host options
* Updated Foreman/Satellite inventory to properly use group_prefix for all
groups
* Updated the Satellite inventory script to disable the reports option 
* Updated bundled installer to properly include all dependencies
* Updated translations
* Fixed the all_parents_must_converge property of workflow nodes to set
properly
* Fixed labels so organization administrators could remove them from a
workflow
* Fixed Mattermost workflow approval notifications
* Fixed the notifications for management jobs so administrators could
enable it
* Fixed event processing for inventories with very large numbers of hosts
to prevent Tower from slowing down
* Fixed the VMware inventory to properly detect the Instance UUID to no
longer cause hosts to be removed and re-added
* Fixed (reverted) a change to follow symlinks when discovering playbooks,
as it could lead to an infinite loop
* Fixed analytics gathering to not attempt to gather data if there is not a
valid configuration for sending it
* Fixed Tower to no longer break when virtual environments are created with
incorrect permissions
* Fixed the Sumologic logging integration associated with parsing the URL
path
* Fixed incorrectly configured logging so that it would no longer block
Tower operation
* Fixed multiple websocket broadcast issues in OpenShift
* Fixed instance registration in OpenShift
* Fixed an issue where the redis socket in OpenShift deployments was
world-writable
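
Two of the items above are file-mode defects: the rsyslog configuration
Tower generates (which can carry credentials for an external log
aggregator, hence the "Access Confidential Data" impact) was created
world-readable, and the redis socket in OpenShift deployments was
world-writable. The following script is an added example, not code from
Red Hat, AusCERT or the Tower project: it checks the "other" permission
bits of a path, reports a finding, and optionally tightens the mode. The
two Tower paths in audit_tower_files (/var/lib/awx/rsyslog/rsyslog.conf
and /var/run/redis/redis.sock) are assumptions about a 3.7 install and
should be confirmed on your own system before relying on the result.

```shell
#!/bin/sh
# Added example, not part of the Red Hat errata or AusCERT bulletin: a
# permission audit for the two file-mode defects this update addresses, a
# world-readable rsyslog configuration (CVE-2020-10782) and a world-writable
# redis socket in OpenShift deployments. The Tower paths in
# audit_tower_files are assumptions; confirm them on your installation.

# world_bits PATH: print the "other" permission triplet from ls -ld
# (e.g. "r--"), or "missing" if PATH does not exist. Note that for a
# symlink this reports the link's own mode, not the target's.
world_bits() {
    if [ ! -e "$1" ]; then
        echo missing
        return 0
    fi
    ls -ld "$1" | cut -c8-10
}

# is_world_readable PATH: succeed if others may read PATH.
is_world_readable() {
    case "$(world_bits "$1")" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# is_world_writable PATH: succeed if others may write PATH.
is_world_writable() {
    case "$(world_bits "$1")" in
        ?w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_path PATH: print one finding line; return 1 if others have read or
# write access, 0 otherwise (a missing path is reported and treated as OK).
audit_path() {
    if [ ! -e "$1" ]; then
        echo "SKIP  $1 (not present)"
        return 0
    fi
    if is_world_writable "$1"; then
        echo "FAIL  $1 is world-writable (other=$(world_bits "$1"))"
        return 1
    fi
    if is_world_readable "$1"; then
        echo "FAIL  $1 is world-readable (other=$(world_bits "$1"))"
        return 1
    fi
    echo "OK    $1 (other=$(world_bits "$1"))"
    return 0
}

# harden_path PATH MODE: apply MODE and re-audit; succeed only if the
# result is no longer world-accessible.
harden_path() {
    chmod "$2" "$1" || return 1
    audit_path "$1"
}

# audit_tower_files: run the audit over the assumed Tower 3.7 locations.
# Return 1 if any path fails.
audit_tower_files() {
    rc=0
    audit_path /var/lib/awx/rsyslog/rsyslog.conf || rc=1   # assumed path
    audit_path /var/run/redis/redis.sock || rc=1           # assumed path
    return $rc
}

# Usage: sh audit_tower_perms.sh --audit
if [ "${1-}" = "--audit" ]; then
    audit_tower_files
fi
```

Run it with --audit before and after applying the update; a FAIL line on
either path after upgrading means the file was left over from the old
version (or recreated by a process with a permissive umask) and should be
fixed with harden_path, e.g. harden_path /var/lib/awx/rsyslog/rsyslog.conf 640,
then confirmed by re-running the audit.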

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/
index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1847843 - CVE-2020-10782 Tower: rsyslog configuration has world readable permissions

5. References:

https://access.redhat.com/security/cve/CVE-2020-10782
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----