what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2020-5249-01

Red Hat Security Advisory 2020-5249-01
Posted Nov 30, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-5249-01 - Fixed two jQuery vulnerabilities Improved Ansible Tower's web service configuration to allow for processing more simultaneous HTTP requests by default Updated several dependencies of Ansible Tower's User Interface to address Updated to the latest version of python-psutil to address CVE-2019-18874 Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases Fixed workflows to no longer prevent certain users from being able to edit approval nodes Fixed confusing behavior for social auth logins across distinct browser tabs Fixed launching of Job Templates that use prompt-at-launch Ansible Vault credentials. Issues addressed include code execution and cross site scripting vulnerabilities.

tags | advisory, web, vulnerability, code execution, xss, python
systems | linux, redhat
advisories | CVE-2019-18874, CVE-2020-11022, CVE-2020-11023, CVE-2020-7676, CVE-2020-7720, CVE-2020-7743
SHA-256 | 110dd18b4efb16ae0c10f48cfdb06ff0615e9ae0e93f088c11b253e73a4fd781

Red Hat Security Advisory 2020-5249-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: security update - Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container
Advisory ID: RHSA-2020:5249-01
Product: Red Hat Ansible Tower
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5249
Issue date: 2020-11-30
CVE Names: CVE-2019-18874 CVE-2020-7676 CVE-2020-7720
CVE-2020-7743 CVE-2020-11022 CVE-2020-11023
====================================================================
1. Summary:

Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container

2. Description:

* Fixed two jQuery vulnerabilities (CVE-2020-11022, CVE-2020-11023)
* Improved Ansible Tower's web service configuration to allow for
processing more simultaneous HTTP(s) requests by default
* Updated several dependencies of Ansible Tower's User Interface to address
(CVE-2020-7720, CVE-2020-7743, CVE-2020-7676)
* Updated to the latest version of python-psutil to address CVE-2019-18874
* Added several optimizations to improve performance for a variety of
high-load simultaneous job launch use cases
* Fixed workflows to no longer prevent certain users from being able to
edit approval nodes
* Fixed confusing behavior for social auth logins across distinct browser
tabs
* Fixed launching of Job Templates that use prompt-at-launch Ansible Vault
credentials

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/
index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution

5. References:

https://access.redhat.com/security/cve/CVE-2019-18874
https://access.redhat.com/security/cve/CVE-2020-7676
https://access.redhat.com/security/cve/CVE-2020-7720
https://access.redhat.com/security/cve/CVE-2020-7743
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX8T+OtzjgjWX9erEAQhfUA//as832FB6CfzebHnoVBMz8gro1sZQhTgH
uzYWdgYkDI4kMqO8u4bD3k9YXaYwub32d5xcpkOZ9ZtTl263EmpA807E5qATCuli
Tn5PmIJ80y9HbHfK0xmjd+bm7FJZZsFO0JEKkXbYeTxljgZRgIXN42fCZjn22j5m
QzhA2YCU3v7y+CRplqftvXP7LpBZtoSvCHr/hWHXuAirvtO3epV8+YLoAtnzT0Xl
kRJbsSC9INuYpCoMBR2owKUX5aklB6q9zWyzGpkbxMrqBEnAi9xm/Pmey/u9Lmzn
h8kXzthVkolKw9RIp5Qnp95h9110gvVxwgIpU2a+n+JipONBgrOCARlj9ttOuxfZ
erCOaDgAwHHHfK+qXOZtZJ36uX9DiWZCOaBkgFzSOLNqtoGO5YBloMQx3Ivt7IsE
WQZ3rVttEklI06Vlm2q6Tyz6E78WUjr12Eh1S6QwN6Gjp9SVgYip1RCkBErulgt3
edIQfIewynXOP3rrmLbLy68IGnNz2xJgVzW84WtEY7mygISv7/O9u0a2Ar+2Jm++
rXlXeK5+Shl4h4MeY+4fvH2k5TaSCliMLK+lCl5H65H+DPLHg90mlkP8wu8XoGCI
AKoU9hrPRxdCHijX2zH6NFZ75Kmzk//7SiCNIvgZAwDbiu/GK5/+xxcfpukE5Tld
+uNGueVnork=BM3i
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close