-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: security update - Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container Advisory ID: RHSA-2020:5249-01 Product: Red Hat Ansible Tower Advisory URL: https://access.redhat.com/errata/RHSA-2020:5249 Issue date: 2020-11-30 CVE Names: CVE-2019-18874 CVE-2020-7676 CVE-2020-7720 CVE-2020-7743 CVE-2020-11022 CVE-2020-11023 ==================================================================== 1. Summary: Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container 2. Description: * Fixed two jQuery vulnerabilities (CVE-2020-11022, CVE-2020-11023) * Improved Ansible Tower's web service configuration to allow for processing more simultaneous HTTP(s) requests by default * Updated several dependencies of Ansible Tower's User Interface to address (CVE-2020-7720, CVE-2020-7743, CVE-2020-7676) * Updated to the latest version of python-psutil to address CVE-2019-18874 * Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases * Fixed workflows to no longer prevent certain users from being able to edit approval nodes * Fixed confusing behavior for social auth logins across distinct browser tabs * Fixed launching of Job Templates that use prompt-at-launch Ansible Vault credentials 3. Solution: For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/ index.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 1850004 - CVE-2020-11023 jquery: Passing HTML containing