RHBA-2020:1540 - Bug Fix Advisory

Topic

Red Hat Ansible Tower 3.6.4-1 - RHEL7 Container

Description

• Added additional metrics to the Prometheus /api/v2/metrics/ endpoint for reporting remaining instance capacity
• Fixed Tower to allow users to subscribe to playbook output in organizations they do not have RBAC access to via Towers websocket interface (CVE-2020-10698)
• Fixed OAuth2 refresh tokens to properly respect custom expiration settings (CVE-2020-10709)
• Fixed event hostnames to be recorded for playbooks run on isolated nodes
• Fixed a PostgreSQL issue that caused upgrade failures in certain situations
• Fixed the search for Source Control credentials in the Tower user interface
• Fixed a performance issue to no longer delay the output of project updates for certain users
• Fixed the installations to no longer fail with admin passwords that contain certain special characters
• Fixed the start time to correctly set for approval notifications
• Fixed an inconsistency in gathered inventory analytics
• Improved memcached in OpenShift deployments to listen on a more secure domain socket (CVE-2020-10697)
• Updated single sign-on integration to address several upcoming GitHub API deprecations
• Updated the Twisted library to address CVE-2020-10108 and CVE-2020-10109
• Updated translations

Solution

For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

Affected Products

• Red Hat Ansible Automation Platform Text-Only Advisories for RHEL 7 x86_64

Fixes

CVEs

• CVE-2015-2716
• CVE-2015-8035
• CVE-2016-5131
• CVE-2017-15412
• CVE-2017-18258
• CVE-2018-10360
• CVE-2018-14404
• CVE-2018-14567
• CVE-2018-18074
• CVE-2018-20060
• CVE-2018-20852
• CVE-2019-3820
• CVE-2019-5436
• CVE-2019-9924
• CVE-2019-11236
• CVE-2019-16056
• CVE-2019-17041
• CVE-2019-17042
• CVE-2020-10691
• CVE-2020-10729

References

(none)