Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3412 security update - Red Hat Ansible Tower 3.7.3-1 - RHEL7 Container 1 October 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat Ansible Tower Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Cross-site Scripting -- Remote with User Interaction Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-25626 CVE-2020-14365 Reference: ESB-2020.3006 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:4136 https://access.redhat.com/errata/RHSA-2020:4137 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: security update - Red Hat Ansible Tower 3.7.3-1 - RHEL7 Container Advisory ID: RHSA-2020:4136-01 Product: Red Hat Ansible Tower Advisory URL: https://access.redhat.com/errata/RHSA-2020:4136 Issue date: 2020-09-30 CVE Names: CVE-2020-14365 CVE-2020-25626 ===================================================================== 1. Summary: Red Hat Ansible Tower 3.7.3-1 - RHEL7 Container 2. Description: * Updated to the latest version of the git-python library to no longer cause certain jobs to fail * Updated to the latest version of the ovirt.ovirt collection to no longer cause connections to hang when syncing inventory from oVirt/RHV * Added a number of optimizations to Ansible Tower's callback receiver to improve the speed of stdout processing for simultaneous playbooks runs * Added an optional setting to disable the auto-creation of organizations and teams on successful SAML login * Fixed an XSS vulnerability (CVE-2020-25626) * Fixed a slow memory leak in the Daphne process * Fixed Automation Analytics data gathering to no longer fail for customers with large datasets * Fixed scheduled jobs that run every X minute(s) or hour(s) to no longer fail to run at the proper time * Fixed delays in Ansible Tower's task manager when large numbers of simultaneous jobs are scheduled * Fixed the performance for playbooks that store large amounts of data using the set_stats module * Fixed the awx-manage remove_from_queue tool when used with isolated nodes * Fixed an issue that prevented jobs from being properly marked as canceled when Tower is backed up and then restored to another environment 3. Solution: For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/ index.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1878635 - CVE-2020-25626 django-rest-framework: XSS Vulnerability in API viewer 5. References: https://access.redhat.com/security/cve/CVE-2020-14365 https://access.redhat.com/security/cve/CVE-2020-25626 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX3STrNzjgjWX9erEAQjacg//aPaDOirEblGdQwQd+PZEIylBv0mfeaVE M25xAnTJCWpzeC6C8Vd5BKzIsAihNfMjTBGQi6x7b7PrIubd/d3uKYaLsRpsaQHz KQL8gbxuNwWid85HJLvcyh2WRjoW7GAKpvdjh3IjyjTp8c3dkERvjT+LcODE5Mt0 zjUon37FzWZdX4d1heDc3seUtTSpAjskoQ4Dy2qDWC0cyJKSFFqZxWmE/rzBt79r 4niDYCcaEfiiy4lCYqr0qObYvf1hS9sHrD5SVZQYzzfxlL3zNPONUaKwwu1yatcY Sr/o4LdNIUWn04vjxRx6mZNpsJ5+t1Q+YhYGHNtxtE2cy30p+JxpaeJnL50s/VM7 jdQF1/NqcA9F1RKpaquwm3HMPWMvdlzynP5TN+9PdEeT6iCqIXd0Q+scMxGLlhVw zyGU+zlACa9rrSe8DBeS0x3KayydyU7e45mKEJtUHeUYwfPw5rlV/kK05qf7CfMg X7VU6087uU4SAnH5E6Uw8xVibjgAzuSu0GQ/clWdpfiMK85dhdIUGyqYbCOVpFKj /fi0I9N8NAWLItO0OvuWZwjWcOGFQFYw2n+uPo/+Z3XV/oeps4A/KuBrWDnYhvg4 CVzWCpKX//iVaJNWyFwmtitzYRw4couZexR5DdIEABJ2bvydo4gWVQrXNrICLTz3 2v4EqCCyi3U= =O51G - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: security update - Red Hat Ansible Tower 3.6.6-1 - RHEL7 Container Advisory ID: RHSA-2020:4137-01 Product: Red Hat Ansible Tower Advisory URL: https://access.redhat.com/errata/RHSA-2020:4137 Issue date: 2020-09-30 CVE Names: CVE-2020-14365 CVE-2020-25626 ===================================================================== 1. Summary: Red Hat Ansible Tower 3.6.6-1 - RHEL7 Container 2. Description: * Fixed an XSS vulnerability (CVE-2020-25626) * Fixed the Red Hat sosreport tool to no longer include the Ansible Tower SECRET_KEY value * Fixed the Ansible Tower installer so that it is now compatible with the latest supported Red Hat OpenShift Container Platforms 3.x and 4.x 3. Solution: For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/ index.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1878635 - CVE-2020-25626 django-rest-framework: XSS Vulnerability in API viewer 5. References: https://access.redhat.com/security/cve/CVE-2020-14365 https://access.redhat.com/security/cve/CVE-2020-25626 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX3STxNzjgjWX9erEAQgzbQ//ekglctyL7PFDT5maarBz05nzh9A02u8a UVrXaEKNnlSAsqGm9M5CP3H1No8IUChq7oqh7NID+jBVN3U8ZqhZcviL9uzD7AFG 0zqkmxaAiZUKCGcEfg0GHxllIXKaRtWFfYFq/OUcDBmVP6pdYgE3fZabFKtuoNdh 0CSPkOE0QzZBz3qST5BLPTVZxa00DocxP1MYgrrRC/uE7qfN5N8Ll1R9rzdhXL19 PHJQkUlgqpl7PJD6Ylh2Om/M36nwf3OOjOLt0YKAdyDjywnUFDObwIEDgp046IvU vnofU8VOShtT4MBCudJn245Dxj1oaN/ZU+RiDcGYcJ1yPixNO7lgfHinxs0XSbfj Z1CvuL7hOOKfu7YWfS7UZZzFXGZzefPrw7rdaTQDL+BOXQmRYh3G7UsgyUOdgIMm yXcJuFPc/j7+8f77lp1qEm1vqQyjfZxLlcnhldLi73KidEjTR1oAMPHm4kYMYG/t FazbOO/2kHNNAGBNcUZS22i0xMRXIPHRSIARsBa36+tVTQflpsYm9TCiMCS8QNFF BqIBBqbUorTyUNJ9dhLoMNlp//+W2MfqCtCW3R/uLgQg31AI8RpOP7sATYRPNO40 FHhsk2V926Quk0JQA1J8AISIelruoBZbwwu+yhUc1NecbPc3Ge856wy4/7XQH0ny PkT1TsyBhYI= =Ma/a - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX3Uqq+NLKJtyKPYoAQjKqg/+IsYvQ52WGhWY4GsQ3Rzgf3UTkzKgBbA5 9CciQL5JpM94R6ZeIBd+QVcXT5N7Lgx/xAKnhi0ak0hLLdMk1jPpYocf665RBSkr 38k5VnbEdg/AdRjW7dWKV3rt8vX6/1U6FFyZb26j9Yri2Uk6EE0QcCuXo4yjBoAh oEHHx6B4c6dn8dpRTvbGmM6DgxeiHOrYho61kCcYApU5jHR3JNov9rSCy8xBjXa2 lp+DVCMcoIadR9/pMupHgbNoif1Xh3WWQbEmj2B6u3RxaGivfhqkm9SmiKAlTI3C sBwEYfye3l8z5eAQcfIRKnDhQ+g7OAZhmLpu/6O9dRfJSW/nHi23yrwfYmTGTsc5 z/2137uv4UgOSzUQR/76rkTCcTzSAmd6nRNnjodi+fn/4/xtobQLgkb/I6oplFTC y9smwZZ9gqy+PWTqZh52bW+LWGoT4DNH0rUzfQk8B+etYC0mGzNZa/gAzqWY0eui HdzoqEsvcmAoy03dpibD/rFa7FyM2oWbJtryxdt0SzOG9DYAZ/FjX7g/Cvn11TPK tRfnnfz4x5tU1RY3IAZf/nR9XAkmYLT1Vsu/pRPSgY/Zv8R4V4xohvHnTI12RGwj h/l1/V8Ycvi76hBNa+fjqgpekjjexueMAcpff+QKn2ooj8scU41MNS9xvG3R5yrS tLBGEwrcNJU= =8FYw -----END PGP SIGNATURE-----