Chapter 8. Asynchronous updates

8.1. Installer releases

8.1.1. RHSA-2024:1057 - installer release 2.4-6 - March 01, 2024

RHSA-2024:1057 Automation hub

  • Displays the download count for each collection in automation hub (AAP-18298). Event-Driven Ansible

  • Added a parameter to control the number of running activations per Event-Driven Ansible worker service (AAP-20672).
  • Added EDA_CSRF_TRUSTED_ORIGINS which can be set by user input or defined based on the allowed hostnames that are determined by the installer (AAP-20244).
  • Event-Driven Ansible installation now fails when the pre-existing automation controller version is 4.4.0 or older (AAP-20241).
  • Added the podman_containers_conf_logs_max_size variable for containers.conf to control the max log size for Podman installations. The default value is 10 MiB (AAP-19775).
  • Setting the Event-Driven Ansible debug flag to false now correctly disables Django debug mode (AAP-19577).
  • XDG_RUNTIME_DIR is now defined when applying Event-Driven Ansible linger settings for Podman (AAP-19265).
  • Fixed the Event-Driven Ansible nginx config when using a custom https port (AAP-19137).
  • Some features in this release are classified as Developer Preview, including LDAP authentication functionality for Event-Driven Ansible. For more information about these Event-Driven Ansible Developer Preview features, see Event-Driven Ansible - Developer Preview.

8.1.2. RHSA-2024:0733 - installer release 2.4-5 - February 07, 2024

RHSA-2024:0733 Automation controller

  • Fixed an error that caused rsyslogd to stop sending events to Splunk HTTP Collector (AAP-19069). Automation hub

  • Automation hub now uses system crypto-policies in nginx (AAP-18974). Event-Driven Ansible

  • Fixed an error that caused a manual installation failure when pinning Event-Driven Ansible to an older version (AAP-19399).

8.1.3. RHBA-2024:0104 - installer release 2.4-4 - January 11, 2024

RHBA-2024:0104 General

  • Fixed conditional code statements to align with changes from ansible-core issue #82295 (AAP-19099).
  • Fixed an issue which caused the update-ca-trust handler to be skipped for execution nodes in controller (AAP-18911).
  • Improved the error pages for automation controller (AAP-18840).
  • Implemented libffi fix to avoid uWSGI core dumps on failed import (AAP-18196).
  • Fixed an issue with checking the license type following an upgrade caused by earlier incomplete upgrade (AAP-17615).
  • Postgres certificates are now temporarily copied when checking the Postgres version for SSL mode verify-full (AAP-15374).

8.1.4. RHBA-2023:7460 - installer release 2.4-3 - November 21, 2023

RHBA-2023:7460 General

  • Fixed an error which caused the incorrect target database to be selected when restoring Event-Driven Ansible from a backup (AAP-18151).
  • Postgres tasks which create users in FIPS environments now use scram-sha-256 (AAP-17516).
  • All Event-Driven Ansible services are enabled after installation is complete (AAP-17426).
  • Ensure all backup and restore staged files and directories are cleaned up before running a backup or restore. You must also mark the files for deletion after a backup or restore (AAP-16101).
  • Updated nginx to 1.22 (AAP-15962).
  • Added a task to VMs that will run the awx-manage command to pre-create events table partitions before executing pg_dump and added a variable for the default number of hours to pre-create (AAP-15920). Event-Driven Ansible

  • Fixed the automation controller URL check when installing Event-Driven Ansible without controller (AAP-18169).
  • Added a separate worker queue for Event-Driven Ansible activations to not interfere with application tasks such as project updates (AAP-14743).

8.1.5. RHBA-2023:5347 - installer release 2.4-2 - September 25, 2023

RHBA-2023:5347 General

  • The installer will now properly generate a new SECRET_KEY for controller when running with the -k option (AAP-15565).
  • Added temporary file cleanup for Podman to prevent cannot re-exec process error during job execution (AAP-15248).
  • Added new variables for additional nginx configurations per component (AAP-15124).
  • The installer now correctly enforces only one Event-Driven Ansible host per Ansible Automation Platform installation (AAP-15122).
  • You are now able to sync execution environment images in automation hub to automation controller on upgrade (AAP-15121).
  • awx user configuration now supports rootless Podman (AAP-15072).
  • You can now mount the /var/lib/awx directory as a separate filesystem on execution nodes (AAP-15065).
  • Fixed the linger configuration for an Event-Driven Ansible user (AAP-14745).
  • Fixed the values used for signing installer managed certificates for internal postgres installations (AAP-14236).
  • Subject alt names for component hosts will now only be checked for signing certificates when https is enabled (AAP-14235).
  • Fixed postgres sslmode for verify-full that affected external postgres and postgres signed for for internally managed postgres (AAP-13962).
  • Updated the inventory file to include SSL key and cert parameters for provided SSL web certificates (AAP-13854).
  • Fixed an issue with the awx-rsyslogd process where it starts with the wrong user (AAP-13664).
  • Fixed an issue where the restore process failed to stop pulpcore-worker services on RHEL 9 (AAP-13297).
  • Podman configurations are now correctly aligned to the Event-Driven Ansible home directory (AAP-13289).

8.2. Bundle installer releases

8.2.1. RHBA-2024:2074 - bundle installer release 2.4-6.2 - April 25, 2024

RHBA-2024:2074 General

  • Resolved a race condition that occurred when there were many nearly simultaneous uploads of the same collection. (AAH-2699) Automation controller

  • Fixed a database connection leak that occurred when the wsrelay main asyncio loop crashes. (AAP-22938)

8.2.2. RHBA-2024:1672 - bundle installer release 2.4-6.1 - April 4, 2024

RHBA-2024:1672 General

  • Fixed an issue where worker nodes became unavailable and stuck in a running state (AAP-21828).
  • automation-controller: axios: Exposure of confidential data stored in cookies (CVE-2023-45857)
  • python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words() (CVE-2024-27351)
  • receptor: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
  • automation-controller: python-aiohttp: HTTP request smuggling (CVE-2024-23829)
  • automation-controller: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
  • python3x-aiohttp: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
  • python-aiohttp: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
  • automation-controller: Django: denial of service in intcomma template filter (CVE-2024-24680)
  • automation-controller: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
  • automation-controller: python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)
  • receptor: golang: net/http/internal: Denial of service by resource consumption through HTTP requests (CVE-2023-39326)
  • automation-controller: python-aiohttp: Issues in HTTP parser with header parsing (CVE-2023-47627)
  • automation-controller: GitPython: Blind local file inclusion (CVE-2023-41040)
  • automation-controller: python-twisted: Disordered HTTP pipeline response in twisted.web (CVE-2023-46137) Automation controller

  • The update execution environment image no longer fails with jobs that use the previous image (AAP-21733).
  • Replaced string validation of English literals with error codes to allow for universal validation and comparison (AAP-21721).
  • The dispatcher now appropriately ends child processes when the dispatcher terminates (AAP-21049).
  • Fixed a bug where schedule prompted variables and survey answers were reset in edit mode when changing one of the basic form fields (AAP-20967).
  • The upgrade from Ansible Tower 3.8.6 to Ansible Automation Platform 2.4 no longer fails after a database schema migration (AAP-19738).
  • Fixed a bug in OpenShift Container Platform deployments that caused the controller task container to restart (AAP-21308).

8.2.3. RHBA-2024:1158 - bundle installer release 2.4-6 - March 6, 2024

RHBA-2024:1158 General

  • python-django: Django: denial-of-service in intcomma template filter (CVE-2024-24680)
  • pycryptodomex: pycryptodome: Side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex (CVE-2023-52323)
  • python3x-jinja2: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
  • python-jinja2: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
  • python3x-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
  • python-aiohttp: aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
  • python3x-aiohttp: aiohttp: HTTP request modification (CVE-2023-49081)
  • python3x-aiohttp: python-aiohttp: Issues in HTTP parser with header parsing (CVE-2023-47627)
  • python-aiohttp: Issues in HTTP parser with header parsing (CVE-2023-47627)
  • python3x-pillow: python-pillow: Uncontrolled resource consumption when text length in an ImageDraw instance operates on a long text argument (CVE-2023-44271)
  • python-pillow: Uncontrolled resource consumption when text length in an ImageDraw instance operates on a long text argument (CVE-2023-44271) Event-Driven Ansible

  • event_driven: Ansible Automation Platform: Insecure WebSocket used when interacting with Event-Driven Ansible server (CVE-2024-1657).

8.2.4. RHBA-2023:6831 - bundle installer release 2.4-2.4 - November 08, 2023

RHBA-2023:6831 General

  • python3-urllib3/python39-urllib3: Cookie request header is not stripped during cross-origin redirects (CVE-2023-43804) Automation controller

  • automation-controller: Django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
  • Customers using the infra.controller_configuration collection (which uses ansible.controller collection) to update their Ansible Automation Platform environment no longer receive an HTTP 499 response (AAP-17422).

8.2.5. RHBA-2023:5886 - bundle installer release 2.4-2.3 - October 19, 2023

RHBA-2023:5886 General

  • receptor: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • receptor: golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409) Automation controller

  • receptor: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

8.2.6. RHBA-2023:5812 - bundle installer release 2.4-2.2 - October 17, 2023

RHBA-2023:5812 General

  • ansible-core: malicious role archive can cause ansible-galaxy to overwrite arbitrary files (CVE-2023-5115)
  • python3-django/python39-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665) Automation controller

  • Added a new Subscription Usage page to the controller UI to view historical usage of licenses (AAP-16983).
  • automation-controller: Django: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri() (CVE-2023-41164)

8.2.7. RHBA-2023:5653 - bundle installer release 2.4-2.1 - October 10, 2023

RHBA-2023:5653 General

  • Updated ansible-lint to include an offline mode, which is enabled by default, to prevent outbound network calls (AAH-2606). Automation controller

  • Fixed settings lookup to no longer leave some services in a supervisord FATAL unresponsive state (AAP-16460).
  • Replaced the SQL commands for creating a partition with the use of ATTACH PARTITION to avoid exclusive table lock on event tables (AAP-16350).
  • Fixed settings to allow simultaneous use of SOCIAL_AUTH_SAML_ORGANIZATION_ATTR and SOCIAL_AUTH_SAML_ORGANIZATION_MAP for a given organization (AAP-16183).
  • Fixed Content Security Policy (CSP) to enable Pendo retrieval (AAP-16057).
  • Updated the Thycotic DevOps Secrets Vault credential plugin to allow for filtering based on secret_field (AAP-15695).

8.2.8. RHBA-2023:5140 - bundle installer release 2.4-1.4 - September 12, 2023

RHBA-2023:5140 Automation controller

  • Fixed a bug that caused a deadlock on shutdown when Redis was unavailable (AAP-14203).
  • The login form no longer supports autocomplete on the password field due to security concerns (AAP-15545).
  • automation-controller: cryptography: memory corruption via immutable objects (CVE-2023-23931)
  • automation-controller: GitPython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)
  • python3-gitpython/python39-gitpython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)

8.2.9. RHBA-2023:4782 - bundle installer release 2.4-1.3 - August 28, 2023

RHBA-2023:4782 Automation controller

  • automation-controller: python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)
  • automation-controller: python-django: Potential denial-of-service vulnerability in file uploads (CVE-2023-24580)
  • Changing credential types by using the drop-down list in the Launch prompt window no longer causes the screen to disappear (AAP-11444).
  • Upgraded python dependencies which include upgrades from Django 3.2 to 4.2.3, psycopg2 to psycopg3, and additional libraries as needed. Also added a new setting in the UI exposing the CSRF_TRUSTED_ORIGIN settings (AAP-12345).
  • Fixed slow database UPDATE statements on the job events table which could cause a task manager timeout (AAP-12586).
  • Fixed an issue where adding a new label to a job through the Prompt On Launch option would not add the label to the job details (AAP-14204).
  • Added noopener and noreferrer attributes to controller UI links that were missing these attributes (AAP-14345).
  • Fixed the broken User Guide link in the Edit Subscription Details page (AAP-14375).
  • Turned off auto-complete on the remaining controller UI forms that were missing that attribute (AAP-14442).
  • The Add button on the credentials page is now accessible for users with the correct permissions (AAP-14525).
  • Fixed an unexpected error that occurred when adding a new host while using a manifest with size 10 (AAP-14675).
  • Applied environment variables from the AWX_TASK_ENV setting when running credential lookup plugins (AAP-14683).
  • Interrupted jobs (such as canceled jobs) no longer clear facts from hosts if the job ran on an execution node (AAP-14878).
  • Using a license that is missing a usage attribute no longer returns a 400 error (AAP-14880).
  • Fixed sub-keys under data from HashiCorp Vault Secret Lookup responses to check for secrets, if found (AAP-14946).
  • Fixed Ansible facts to retry saving to hosts if there is a database deadlock (AAP-15021). Event-Driven Ansible

  • automation-eda-controller: token exposed at importing project (CVE-2023-4380)
  • python3-cryptography/python39-cryptography: memory corruption via immutable objects (CVE-2023-23931)
  • python3-requests/python39-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)
  • Contributor and editor roles now have permissions to access users and set the AWX token (AAP-11573).
  • The onboarding wizard now requests controller token creation (AAP-11907).
  • Corrected the filtering capability of the Rule Audit screens so that a search yields results with the starts with function (AAP-11987).
  • Enabling or disabling rulebook activation no longer increases the restarts counter by 1 (AAP-12042).
  • Filtering by a text string now displays all applicable items in the UI, including those that are not visible in the list at that time (AAP-12446).
  • Audit records are no longer missing when running activations with multiple jobs (AAP-12522).
  • The event payload is no longer missing key attributes when a job template fails (AAP-12529).
  • Fixed the Git token leak that occurs when importing a project fails (AAP-12767).
  • The restart policy in Kubernetes (k8s) now restarts a successful activation that is incorrectly marked as failed (AAP-12862).
  • Activation statuses are now reported correctly, whether you are disabling or enabling them (AAP-12896).
  • When the run_job_template action fails, ansible-rulebook prints an error log in the activation output and creates an entry in rule audit so the user is alerted that the rule has failed (AAP-12909).
  • When a user tries to bulk delete rulebook activations from the list, the request now completes successfully and consistently (AAP-13093).
  • The Rulebook Activation link now functions correctly in the Rule Audit Detail UI (AAP-13182).
  • The ansible-rulebook now only connects to the controller if the rulebook being processed has a run_job_template action (AAP-13209).
  • Fixed a bug where some audit rule records had the wrong rulebook link (AAP-13844).
  • Fixed a bug where only the first 10 audit rules had the right link (AAP-13845).
  • Before this update, project credentials could not be updated if there was a change to the credential used in the project. With this update, credentials can be updated in a project with a new or different credential (AAP-13983).
  • The User Access section of the navigation panel no longer disappears after creating a decision environment (AAP-14273).
  • Fixed a bug where filtering for audit rules did not work properly on OpenShift Container Platform (AAP-14512).

8.2.10. RHBA-2023:4621 - bundle installer release 2.4-1.2 - August 10, 2023

RHBA-2023:4621 Automation controller

  • automation controller: Html injection in custom login info (CVE-2023-3971)
  • Organization admin users are no longer shown an error on the Instances list (AAP-11195).
  • Fixed the workflow job within the workflow approval to display the correct details (AAP-11433).
  • Credential name search in the ad hoc commands prompt no longer requires case-sensitive input (AAP-11442).
  • The Back to list button in the controller UI now maintains previous search filters (AAP-11527).
  • Topology view and Instances are only available as sidebar menu options to System Administrators and System Auditors (AAP-11585).
  • Fixed the frequency of the scheduler to run on the correct day of the week as specified by the user (AAP-11776).
  • Fixed an issue with slow database UPDATE statements when using nested tasks (include_tasks) causing task manager timeout (AAP-12586).
  • Added the ability to add execution and hop nodes to VM-based controller installations from the UI (AAP-12849).
  • Added the awx-manage command for creating future events table partitions (AAP-12907).
  • Re-enabled Pendo support by providing the correct Pendo API key (AAP-13415).
  • Added the ability to filter teams by using partial names in the dialog for granting teams access to a resource (AAP-13557).
  • Fixed a bug where a weekly rrule string without a BYDAY value would result in the UI throwing a TypeError (AAP-13670).
  • Fixed a server error that happened when deleting workflow jobs ran before event partitioning migration (AAP-13806).
  • Added API reference documentation for the new bulk API endpoint (AAP-13980).
  • Fixed an issue where related items were not visible in some cases. For example, job template instance groups, organization galaxy credentials, and organization instance groups (AAP-14057).

8.2.11. RHBA-2023:4288 - bundle installer release 2.4-1.1 - July 26, 2023

RHBA-2023:4288 Automation hub

  • Fixed issue by using gpg key with passphrase for signing services (AAH-2445).