-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3412
     security update - Red Hat Ansible Tower 3.7.3-1 - RHEL7 Container
                              1 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Ansible Tower
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25626 CVE-2020-14365 

Reference:         ESB-2020.3006

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4136
   https://access.redhat.com/errata/RHSA-2020:4137

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: security update - Red Hat Ansible Tower 3.7.3-1 - RHEL7 Container
Advisory ID:       RHSA-2020:4136-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4136
Issue date:        2020-09-30
CVE Names:         CVE-2020-14365 CVE-2020-25626 
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.7.3-1 - RHEL7 Container

2. Description:

* Updated to the latest version of the git-python library to no longer
cause certain jobs to fail
* Updated to the latest version of the ovirt.ovirt collection to no longer
cause connections to hang when syncing inventory from oVirt/RHV
* Added a number of optimizations to Ansible Tower's callback receiver to
improve the speed of stdout processing for simultaneous playbook runs
* Added an optional setting to disable the auto-creation of organizations
and teams on successful SAML login
* Fixed an XSS vulnerability (CVE-2020-25626)
* Fixed a slow memory leak in the Daphne process
* Fixed Automation Analytics data gathering to no longer fail for customers
with large datasets
* Fixed scheduled jobs that run every X minute(s) or hour(s) to no longer
fail to run at the proper time
* Fixed delays in Ansible Tower's task manager when large numbers of
simultaneous jobs are scheduled
* Fixed the performance for playbooks that store large amounts of data
using the set_stats module
* Fixed the awx-manage remove_from_queue tool when used with isolated nodes
* Fixed an issue that prevented jobs from being properly marked as canceled
when Tower is backed up and then restored to another environment

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1878635 - CVE-2020-25626 django-rest-framework: XSS Vulnerability in API viewer
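The bug entry above names the affected component (the browsable API viewer of
django-rest-framework) but not the mechanism. The following is an added
illustration, not code from the advisory or from django-rest-framework, of the
general class of defect an HTML API viewer can have: response metadata (here,
header values) is formatted into HTML for readability, and if the formatter
inserts the raw text, markup inside a value is interpreted by the browser of
whoever views the page. The header values, the `render_headers` and
`untrusted_markup_survives` functions and the comma-to-`<br>` wrapping rule are
all constructed for this example and do not claim to reproduce the exact defect
fixed under CVE-2020-25626.

```python
"""Vulnerable versus hardened rendering of untrusted text into an HTML viewer.

Added example; not the advisory's or django-rest-framework's code.
"""
import html

# Constructed sample headers: one value carries markup an attacker could
# plant (for instance via a value reflected from a request).
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Vary": "Accept, Cookie",
    "X-Constructed": "Accept, <script>notify()</script>",  # hostile, constructed
}


def break_long_header(value: str, unsafe: bool) -> str:
    """Wrap long comma-separated header values with <br> for display.

    unsafe=True inserts the value verbatim (the vulnerable pattern);
    unsafe=False escapes the value first, so only the <br> we add ourselves
    is interpreted as markup.
    """
    text = value if unsafe else html.escape(value, quote=True)
    return text.replace(", ", ",<br>")


def render_headers(headers: dict, unsafe: bool = False) -> str:
    """Render a header table the way a browsable API page might."""
    rows = []
    for name, value in headers.items():
        rows.append(
            "<tr><th>%s</th><td>%s</td></tr>"
            % (html.escape(name), break_long_header(value, unsafe))
        )
    return "<table>" + "".join(rows) + "</table>"


def untrusted_markup_survives(headers: dict, rendered: str) -> bool:
    """Defender's check: does any tag present in an input value appear
    unescaped in the rendered output?"""
    for value in headers.values():
        start = value.find("<")
        if start == -1:
            continue
        end = value.find(">", start)
        tag = value[start:end + 1] if end != -1 else value[start:]
        if tag in rendered:
            return True
    return False


if __name__ == "__main__":
    for mode in (True, False):
        out = render_headers(SAMPLE_HEADERS, unsafe=mode)
        print("unsafe" if mode else "safe", "->", out)
        print("  markup survives:", untrusted_markup_survives(SAMPLE_HEADERS, out))
```

Escaping before adding presentational markup is the point: the output still
contains the `<br>` the viewer wants, while `<`, `>`, `&` and quotes from the
untrusted value reach the browser as entities.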

5. References:

https://access.redhat.com/security/cve/CVE-2020-14365
https://access.redhat.com/security/cve/CVE-2020-25626
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=O51G
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: security update - Red Hat Ansible Tower 3.6.6-1 - RHEL7 Container
Advisory ID:       RHSA-2020:4137-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4137
Issue date:        2020-09-30
CVE Names:         CVE-2020-14365 CVE-2020-25626 
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.6.6-1 - RHEL7 Container

2. Description:

* Fixed an XSS vulnerability (CVE-2020-25626)
* Fixed the Red Hat sosreport tool to no longer include the Ansible Tower
SECRET_KEY value
* Fixed the Ansible Tower installer so that it is now compatible with the
latest supported Red Hat OpenShift Container Platforms 3.x and 4.x

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1878635 - CVE-2020-25626 django-rest-framework: XSS Vulnerability in API viewer

5. References:

https://access.redhat.com/security/cve/CVE-2020-14365
https://access.redhat.com/security/cve/CVE-2020-25626
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=Ma/a
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX3Uqq+NLKJtyKPYoAQjKqg/+IsYvQ52WGhWY4GsQ3Rzgf3UTkzKgBbA5
9CciQL5JpM94R6ZeIBd+QVcXT5N7Lgx/xAKnhi0ak0hLLdMk1jPpYocf665RBSkr
38k5VnbEdg/AdRjW7dWKV3rt8vX6/1U6FFyZb26j9Yri2Uk6EE0QcCuXo4yjBoAh
oEHHx6B4c6dn8dpRTvbGmM6DgxeiHOrYho61kCcYApU5jHR3JNov9rSCy8xBjXa2
lp+DVCMcoIadR9/pMupHgbNoif1Xh3WWQbEmj2B6u3RxaGivfhqkm9SmiKAlTI3C
sBwEYfye3l8z5eAQcfIRKnDhQ+g7OAZhmLpu/6O9dRfJSW/nHi23yrwfYmTGTsc5
z/2137uv4UgOSzUQR/76rkTCcTzSAmd6nRNnjodi+fn/4/xtobQLgkb/I6oplFTC
y9smwZZ9gqy+PWTqZh52bW+LWGoT4DNH0rUzfQk8B+etYC0mGzNZa/gAzqWY0eui
HdzoqEsvcmAoy03dpibD/rFa7FyM2oWbJtryxdt0SzOG9DYAZ/FjX7g/Cvn11TPK
tRfnnfz4x5tU1RY3IAZf/nR9XAkmYLT1Vsu/pRPSgY/Zv8R4V4xohvHnTI12RGwj
h/l1/V8Ycvi76hBNa+fjqgpekjjexueMAcpff+QKn2ooj8scU41MNS9xvG3R5yrS
tLBGEwrcNJU=
=8FYw
-----END PGP SIGNATURE-----