Red Hat Security Advisory 2020-4136-01 - Updated to the latest version of the git-python library to no longer cause certain jobs to fail Updated to the latest version of the ovirt.ovirt collection to no longer cause connections to hang when syncing inventory from oVirt/RHV Added a number of optimizations to Ansible Tower's callback receiver to improve the speed of stdout processing for simultaneous playbooks runs Added an optional setting to disable the auto-creation of organizations and teams on successful SAML login Fixed an XSS vulnerability Fixed a slow memory leak in the Daphne process Fixed Automation Analytics data gathering to no longer fail for customers with large datasets Fixed scheduled jobs that run every X minute or hour to no longer fail to run at the proper time Fixed delays in Ansible Tower's task manager when large numbers of simultaneous jobs are scheduled Fixed the performance for playbooks that store large amounts of data using the set_stats module Fixed the awx-manage remove_from_queue tool when used with isolated nodes Fixed an issue that prevented jobs from being properly marked as canceled when Tower is backed up and then restored to another environment. Issues addressed include cross site scripting and memory leak vulnerabilities.
d35bdae114c99ede1a241ed0ae74cb3f31fecb568f0fd7025cd59c44c369df33
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: security update - Red Hat Ansible Tower 3.7.3-1 - RHEL7 Container
Advisory ID: RHSA-2020:4136-01
Product: Red Hat Ansible Tower
Advisory URL: https://access.redhat.com/errata/RHSA-2020:4136
Issue date: 2020-09-30
CVE Names: CVE-2020-14365 CVE-2020-25626
====================================================================
1. Summary:
Red Hat Ansible Tower 3.7.3-1 - RHEL7 Container
2. Description:
* Updated to the latest version of the git-python library to no longer
cause certain jobs to fail
* Updated to the latest version of the ovirt.ovirt collection to no longer
cause connections to hang when syncing inventory from oVirt/RHV
* Added a number of optimizations to Ansible Tower's callback receiver to
improve the speed of stdout processing for simultaneous playbooks runs
* Added an optional setting to disable the auto-creation of organizations
and teams on successful SAML login
* Fixed an XSS vulnerability (CVE-2020-25626)
* Fixed a slow memory leak in the Daphne process
* Fixed Automation Analytics data gathering to no longer fail for customers
with large datasets
* Fixed scheduled jobs that run every X minute(s) or hour(s) to no longer
fail to run at the proper time
* Fixed delays in Ansible Tower's task manager when large numbers of
simultaneous jobs are scheduled
* Fixed the performance for playbooks that store large amounts of data
using the set_stats module
* Fixed the awx-manage remove_from_queue tool when used with isolated nodes
* Fixed an issue that prevented jobs from being properly marked as canceled
when Tower is backed up and then restored to another environment
3. Solution:
For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/
index.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1878635 - CVE-2020-25626 django-rest-framework: XSS Vulnerability in API viewer
5. References:
https://access.redhat.com/security/cve/CVE-2020-14365
https://access.redhat.com/security/cve/CVE-2020-25626
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX3STrNzjgjWX9erEAQjacg//aPaDOirEblGdQwQd+PZEIylBv0mfeaVE
M25xAnTJCWpzeC6C8Vd5BKzIsAihNfMjTBGQi6x7b7PrIubd/d3uKYaLsRpsaQHz
KQL8gbxuNwWid85HJLvcyh2WRjoW7GAKpvdjh3IjyjTp8c3dkERvjT+LcODE5Mt0
zjUon37FzWZdX4d1heDc3seUtTSpAjskoQ4Dy2qDWC0cyJKSFFqZxWmE/rzBt79r
4niDYCcaEfiiy4lCYqr0qObYvf1hS9sHrD5SVZQYzzfxlL3zNPONUaKwwu1yatcY
Sr/o4LdNIUWn04vjxRx6mZNpsJ5+t1Q+YhYGHNtxtE2cy30p+JxpaeJnL50s/VM7
jdQF1/NqcA9F1RKpaquwm3HMPWMvdlzynP5TN+9PdEeT6iCqIXd0Q+scMxGLlhVw
zyGU+zlACa9rrSe8DBeS0x3KayydyU7e45mKEJtUHeUYwfPw5rlV/kK05qf7CfMg
X7VU6087uU4SAnH5E6Uw8xVibjgAzuSu0GQ/clWdpfiMK85dhdIUGyqYbCOVpFKj
/fi0I9N8NAWLItO0OvuWZwjWcOGFQFYw2n+uPo/+Z3XV/oeps4A/KuBrWDnYhvg4
CVzWCpKX//iVaJNWyFwmtitzYRw4couZexR5DdIEABJ2bvydo4gWVQrXNrICLTz3
2v4EqCCyi3U=O51G
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce