what you don't know can hurt you

Red Hat Security Advisory 2020-5249-01

Red Hat Security Advisory 2020-5249-01
Posted Nov 30, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-5249-01 - Fixed two jQuery vulnerabilities Improved Ansible Tower's web service configuration to allow for processing more simultaneous HTTP requests by default Updated several dependencies of Ansible Tower's User Interface to address Updated to the latest version of python-psutil to address CVE-2019-18874 Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases Fixed workflows to no longer prevent certain users from being able to edit approval nodes Fixed confusing behavior for social auth logins across distinct browser tabs Fixed launching of Job Templates that use prompt-at-launch Ansible Vault credentials. Issues addressed include code execution and cross site scripting vulnerabilities.

tags | advisory, web, vulnerability, code execution, xss, python
systems | linux, redhat
advisories | CVE-2019-18874, CVE-2020-11022, CVE-2020-11023, CVE-2020-7676, CVE-2020-7720, CVE-2020-7743
MD5 | 4eefeaf6b7e349b286bcd7fc4ba67327

Red Hat Security Advisory 2020-5249-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: security update - Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container
Advisory ID: RHSA-2020:5249-01
Product: Red Hat Ansible Tower
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5249
Issue date: 2020-11-30
CVE Names: CVE-2019-18874 CVE-2020-7676 CVE-2020-7720
CVE-2020-7743 CVE-2020-11022 CVE-2020-11023
====================================================================
1. Summary:

Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container

2. Description:

* Fixed two jQuery vulnerabilities (CVE-2020-11022, CVE-2020-11023)
* Improved Ansible Tower's web service configuration to allow for
processing more simultaneous HTTP(s) requests by default
* Updated several dependencies of Ansible Tower's User Interface to address
(CVE-2020-7720, CVE-2020-7743, CVE-2020-7676)
* Updated to the latest version of python-psutil to address CVE-2019-18874
* Added several optimizations to improve performance for a variety of
high-load simultaneous job launch use cases
* Fixed workflows to no longer prevent certain users from being able to
edit approval nodes
* Fixed confusing behavior for social auth logins across distinct browser
tabs
* Fixed launching of Job Templates that use prompt-at-launch Ansible Vault
credentials

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/
index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution

5. References:

https://access.redhat.com/security/cve/CVE-2019-18874
https://access.redhat.com/security/cve/CVE-2020-7676
https://access.redhat.com/security/cve/CVE-2020-7720
https://access.redhat.com/security/cve/CVE-2020-7743
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX8T+OtzjgjWX9erEAQhfUA//as832FB6CfzebHnoVBMz8gro1sZQhTgH
uzYWdgYkDI4kMqO8u4bD3k9YXaYwub32d5xcpkOZ9ZtTl263EmpA807E5qATCuli
Tn5PmIJ80y9HbHfK0xmjd+bm7FJZZsFO0JEKkXbYeTxljgZRgIXN42fCZjn22j5m
QzhA2YCU3v7y+CRplqftvXP7LpBZtoSvCHr/hWHXuAirvtO3epV8+YLoAtnzT0Xl
kRJbsSC9INuYpCoMBR2owKUX5aklB6q9zWyzGpkbxMrqBEnAi9xm/Pmey/u9Lmzn
h8kXzthVkolKw9RIp5Qnp95h9110gvVxwgIpU2a+n+JipONBgrOCARlj9ttOuxfZ
erCOaDgAwHHHfK+qXOZtZJ36uX9DiWZCOaBkgFzSOLNqtoGO5YBloMQx3Ivt7IsE
WQZ3rVttEklI06Vlm2q6Tyz6E78WUjr12Eh1S6QwN6Gjp9SVgYip1RCkBErulgt3
edIQfIewynXOP3rrmLbLy68IGnNz2xJgVzW84WtEY7mygISv7/O9u0a2Ar+2Jm++
rXlXeK5+Shl4h4MeY+4fvH2k5TaSCliMLK+lCl5H65H+DPLHg90mlkP8wu8XoGCI
AKoU9hrPRxdCHijX2zH6NFZ75Kmzk//7SiCNIvgZAwDbiu/GK5/+xxcfpukE5Tld
+uNGueVnork=BM3i
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close