-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3535
  security update - Red Hat Ansible Tower 3.7 runner release (CVE-2019-18874)
                              15 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Ansible Tower
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Existing Account
                   Modify Permissions              -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14365 CVE-2020-12403 CVE-2020-12402 CVE-2020-12401
                   CVE-2020-12400 CVE-2020-12243 CVE-2020-7595 CVE-2020-6829
                   CVE-2020-5313 CVE-2019-20388 CVE-2019-20386 CVE-2019-19956
                   CVE-2019-19126 CVE-2019-18874 CVE-2019-17546 CVE-2019-17498
                   CVE-2019-17023 CVE-2019-17006 CVE-2019-16935 CVE-2019-15903
                   CVE-2019-14973 CVE-2019-14866 CVE-2019-14822 CVE-2019-12749
                   CVE-2019-12450 CVE-2019-11756 CVE-2019-11727 CVE-2019-11719
                   CVE-2019-5482 CVE-2019-5188 CVE-2019-5094 CVE-2018-20843
                   CVE-2017-12652
Reference:         ESB-2020.3461
                   ESB-2020.3364
                   ESB-2020.3355
                   ESB-2020.3352
                   ESB-2020.2650
                   ESB-2020.2162
                   ESB-2020.0471
                   ESB-2019.4645
                   ESB-2019.3441

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:4254
   https://access.redhat.com/errata/RHSA-2020:4255

Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: security update - Red Hat Ansible Tower 3.7 runner release (CVE-2019-18874)
Advisory ID:       RHSA-2020:4254-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4254
Issue date:        2020-10-14
CVE Names:         CVE-2017-12652 CVE-2018-20843 CVE-2019-5094
                   CVE-2019-5188 CVE-2019-5482 CVE-2019-11719
                   CVE-2019-11727 CVE-2019-11756 CVE-2019-12450
                   CVE-2019-12749 CVE-2019-14822 CVE-2019-14866
                   CVE-2019-14973 CVE-2019-15903 CVE-2019-16935
                   CVE-2019-17006 CVE-2019-17023 CVE-2019-17498
                   CVE-2019-17546 CVE-2019-18874 CVE-2019-19126
                   CVE-2019-19956 CVE-2019-20386 CVE-2019-20388
                   CVE-2020-5313 CVE-2020-6829 CVE-2020-7595
                   CVE-2020-12243 CVE-2020-12400 CVE-2020-12401
                   CVE-2020-12402 CVE-2020-12403 CVE-2020-14365
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.7 runner release (CVE-2019-18874)

2. Description:

* Updated python-psutil version to 5.6.6 inside ansible-runner container
(CVE-2019-18874)

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1772014 - CVE-2019-18874 python-psutil: double free because of refcount mishandling

5. References:

https://access.redhat.com/security/cve/CVE-2017-12652
https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5094
https://access.redhat.com/security/cve/CVE-2019-5188
https://access.redhat.com/security/cve/CVE-2019-5482
https://access.redhat.com/security/cve/CVE-2019-11719
https://access.redhat.com/security/cve/CVE-2019-11727
https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-12450
https://access.redhat.com/security/cve/CVE-2019-12749
https://access.redhat.com/security/cve/CVE-2019-14822
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-14973
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2019-17498
https://access.redhat.com/security/cve/CVE-2019-17546
https://access.redhat.com/security/cve/CVE-2019-18874
https://access.redhat.com/security/cve/CVE-2019-19126
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20386
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2020-5313
https://access.redhat.com/security/cve/CVE-2020-6829
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-12243
https://access.redhat.com/security/cve/CVE-2020-12400
https://access.redhat.com/security/cve/CVE-2020-12401
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12403
https://access.redhat.com/security/cve/CVE-2020-14365
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX4b3jtzjgjWX9erEAQjRtA/+NuWhg8wJyyX3K9r+pNveW/nQ5035IIJ0
T9qelqFlkxoGgUQE2bL+a58naneN4iyfnadC/eFL/39AJRF5jfiuctGZngY5Tyva
2aboBMg6P+zHW30YPBJrXiPAVyD46+N5/xGqaiY6G1w2NseBGrCmojfi4towIy+6
HOlaQE6vrb3DGnT4Yda14qqjvZm0mrZKii7+wQWYLkQYYbbEiTQ9LlNl9u4Gor9K
SO4C1l1Y+H1DUMYOlr7liImnIVhIB7jMrZYAbQCSyOTYRw62S2Zu1LJ+6IVzyOlx
6SU2xNT0d22iW0cMpcdzAAdwBhZqshxSp39MBdoVkvQyIemUsxfIp1V93u4n8mPB
qHnEV27f1D1UeTIxiyMvDIaJPAdt2ptYMmR9QT31fxNZBwjGoNNqF2CtqlHQ2zpU
CnMsxTZAGnGyINE80Gye/kXixIoMilVQ9UPuMEX4UgIh+hY36HwmwkbqeRciB3L7
UoZt++XFPFStHrv7VI/69tjwkQ660Y81CQC8j3ny/AL1U4Fkgn8x2FoaqaRBlr+C
OLn1IWZTvcwvJhHV6N1CIsK3kkwNmpIvTbxFY16jB9JPHkvJd8PA/JjG9ODgPzHq
jh+M6jbrYBw4d43eiBIwAVR8gLG0Fa57eX5uEGHUtTiVeF26xE+QvHhH58nYuCce
k2HRS+OVADU=
=MG4c
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: security update - Red Hat Ansible Tower 3.6 runner release (CVE-2019-18874)
Advisory ID:       RHSA-2020:4255-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4255
Issue date:        2020-10-14
CVE Names:         CVE-2017-12652 CVE-2018-20843 CVE-2019-5094
                   CVE-2019-5188 CVE-2019-5482 CVE-2019-11719
                   CVE-2019-11727 CVE-2019-11756 CVE-2019-12450
                   CVE-2019-12749 CVE-2019-14822 CVE-2019-14866
                   CVE-2019-14973 CVE-2019-15903 CVE-2019-16935
                   CVE-2019-17006 CVE-2019-17023 CVE-2019-17498
                   CVE-2019-17546 CVE-2019-18874 CVE-2019-19126
                   CVE-2019-19956 CVE-2019-20386 CVE-2019-20388
                   CVE-2020-5313 CVE-2020-6829 CVE-2020-7595
                   CVE-2020-12243 CVE-2020-12400 CVE-2020-12401
                   CVE-2020-12402 CVE-2020-12403 CVE-2020-14365
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.6 runner release (CVE-2019-18874)

2. Description:

* Updated python-psutil version to 5.6.6 inside ansible-runner container
(CVE-2019-18874)

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1772014 - CVE-2019-18874 python-psutil: double free because of refcount mishandling

5. References:

https://access.redhat.com/security/cve/CVE-2017-12652
https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5094
https://access.redhat.com/security/cve/CVE-2019-5188
https://access.redhat.com/security/cve/CVE-2019-5482
https://access.redhat.com/security/cve/CVE-2019-11719
https://access.redhat.com/security/cve/CVE-2019-11727
https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-12450
https://access.redhat.com/security/cve/CVE-2019-12749
https://access.redhat.com/security/cve/CVE-2019-14822
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-14973
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2019-17498
https://access.redhat.com/security/cve/CVE-2019-17546
https://access.redhat.com/security/cve/CVE-2019-18874
https://access.redhat.com/security/cve/CVE-2019-19126
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20386
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2020-5313
https://access.redhat.com/security/cve/CVE-2020-6829
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-12243
https://access.redhat.com/security/cve/CVE-2020-12400
https://access.redhat.com/security/cve/CVE-2020-12401
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12403
https://access.redhat.com/security/cve/CVE-2020-14365
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX4b4vdzjgjWX9erEAQjk/hAApmlcS3Idp8diNh7ru3+06bEjVkPtOyrZ
dc6N3l7kQCYemU1Pkl6i17nNdDjojh2wHku3s7WFXfOmvpkfLlgTKykqmKTZ2pGd
InriBhIYXxxq/XKOHr+9BwshJ+PaXqEaoLea1wvJw7WmbY2zJfUCzu6DAugjg+DO
OvkOcA1hDbTkrFFH+SzhPpvsjB/xrfJecJxhj7LCZnmRvr3+fpdoMkEgfbEzjkXP
WeQVpAidrUhgt4+N9UuVqLYzbrV2sQHgda/A4W/XYJPD5uC+hSGWmhyiETdxPCAo
GbXV/11vySFaMxD912cxMUU35V0AW9LCOn1goA2bZt9WFW2poL3u6RmY/lRArtKH
53i3jU4PPevSaqjUSlIhkojWc9Ce1LaIRGlN8xXJuX6wX7d+Hs5VNuNMObhM0LO/
cBwSRDlEYj7YNXtTj7SiZC/a1OT+Nn96a23mxzfcl+2eXOKf0hPwCDU3nxSIVUKP
PR7ic/T/f46fi/v+ILMocuMAF/7j9eABnQf7f3uoB7lLUwML9mXvLpqXbNtAOmlN
aevFw43HBY3E8uHCb3Zw18SDzNXun40HQ0YQ3jjVumCWfpFh6dbtxm3S55YrpK/U
3cAm9qD+mS+u8GcJzc52o+kaI1wu5uuCMXQDb50kj+kyqPdC6+Upehasxscm12UB
fQ+WwvltUZg=
=C1/t
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX4eIDuNLKJtyKPYoAQhi7w/+LKSTBS0hcVH2ViTR07ZQb1Wuc12+j0HW
K4v5rbJL/KDlcBj52athxTQRHPjBZFyvqfNWWXO/bRMU3fUeJLTEczPK8CJZSktQ
NfdgkcB0Ch+YW7DQZXux1Ix/4RLuptpALrt60x312iICtu5zQ/cF0PUgFRgJ+7LN
GeXHnv2WvXa3Hxei/yM3xm6FRv935DMR6HPRSNVtJ62Gvm4zZdsX2a0N8dIDKpgy
MrEH8lWWa2yq1FFFZ92uqj3G9938SFGIL7UiLJ2Sx6dNuC61W4B3uzNLJluGBJ2j
vYuaBVYgHMfFdXm2jzhajo4JLK6tgFhAKM3Nm/Vp7Tdd3VUUUDI+e6gbpHjUp2sa
83uVj4rwFVe5HAecTomjJv7JbCg47zNlyepEVLJiVEe+A13TiiQ+0NTijnF4Tzud
NZ41wNK3pJVZ7oRtaNupYMXLddfBxNwjiafWY1HRw83JRCKk5PCMFGWnwE8cwiNe
Kg3SGHkEn9F0beGYgrIf9oM6IIAQFMRO4mkymK4dLsyFeIcLF+G/A6PvPI/mUR2F
ELuide3wrjqUqzpA6h8e+RbxAFgk7x1RUVEBhNO0JorpOpGNIHKOhEbMR7cVqayA
kDJ2yO5D1hjGkuqwdrBR85gz8SVo+yVPqRxHHvjpjLJsZwvyjhQ/9iyHnngrbdBb
Ij8pOoNHnZ4=
=cHsx
-----END PGP SIGNATURE-----
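Both Red Hat advisories above (RHSA-2020:4254 for Tower 3.7, RHSA-2020:4255 for Tower 3.6) close CVE-2019-18874 by moving python-psutil to 5.6.6 inside the ansible-runner container. The script below is an added example, not part of the bulletin and not Red Hat's or Ansible's code: it asks a Python interpreter which psutil it imports and decides whether that version is at or past 5.6.6. The interpreter path is an assumption (it defaults to the interpreter running the script; point it at the one used inside your runner environment to check that instead), and a pre-release tag such as 5.6.6rc1 is deliberately treated as not carrying the fix. It inspects the version string only; it says nothing about the other 32 CVEs the advisories list, which the container rebuild picks up from its base packages.

```python
"""Check whether the psutil a given interpreter imports is at or past the
version the advisories name as fixed for CVE-2019-18874 (psutil 5.6.6)."""
import re
import subprocess
import sys

# Version the advisories say ansible-runner was updated to.
FIXED_PSUTIL = "5.6.6"

# Accepts 'X', 'X.Y' or 'X.Y.Z' with an optional a/b/rc pre-release tag,
# which is the shape psutil.__version__ takes.
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?P<pre>(?P<kind>a|b|rc)(?P<n>\d+))?$"
)
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def parse_version(text):
    """Turn a version string into a tuple that sorts correctly.

    Final releases get a trailing (1, 0, 0); pre-releases get (0, rank, n),
    so 5.6.6a1 < 5.6.6b1 < 5.6.6rc1 < 5.6.6 and none of the pre-releases
    compare as >= the final 5.6.6. Missing minor/patch parts count as 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups()[:3])
    if m.group("pre") is None:
        tail = (1, 0, 0)
    else:
        tail = (0, _PRE_RANK[m.group("kind")], int(m.group("n")))
    return (major, minor, patch) + tail


def is_fixed(installed, fixed=FIXED_PSUTIL):
    """True if `installed` is the fixed version or later."""
    return parse_version(installed) >= parse_version(fixed)


def installed_psutil_version(python=sys.executable):
    """Return the psutil version a given interpreter imports, or None if it
    cannot import psutil. `python` is assumed to be an interpreter path; the
    default is the one running this script."""
    proc = subprocess.run(
        [python, "-c", "import psutil; print(psutil.__version__)"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


def report(version):
    """One-line verdict for a version string (or None when not importable)."""
    if version is None:
        return "psutil not importable: nothing to assess"
    verdict = "fixed" if is_fixed(version) else "VULNERABLE to CVE-2019-18874"
    return f"psutil {version}: {verdict} (fix in {FIXED_PSUTIL})"


if __name__ == "__main__":
    # Optional argv[1]: path of the interpreter to probe, e.g. the one inside
    # the runner environment (hypothetical; depends on your deployment).
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    print(report(installed_psutil_version(target)))
```

Run it with no arguments to test the current interpreter, or pass the path of the interpreter that your runner jobs actually execute under; the verdict line is intended to be grepped for "VULNERABLE" in a fleet-wide sweep.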