- Issued: 2020-11-30
- Updated: 2020-11-30
RHSA-2020:5249 - Security Advisory
Synopsis
Moderate: security update - Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container
Type/Severity
Security Advisory: Moderate
Topic
Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container
Description
- Fixed two jQuery vulnerabilities (CVE-2020-11022, CVE-2020-11023)
- Improved Ansible Tower's web service configuration to allow for processing more simultaneous HTTP(s) requests by default
- Updated several dependencies of Ansible Tower's User Interface to address CVE-2020-7720, CVE-2020-7743, and CVE-2020-7676
- Updated to the latest version of python-psutil to address CVE-2019-18874
- Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases
- Fixed workflows to no longer prevent certain users from being able to edit approval nodes
- Fixed confusing behavior for social auth logins across distinct browser tabs
- Fixed launching of Job Templates that use prompt-at-launch Ansible Vault credentials
Solution
For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html
Affected Products
- Red Hat Ansible Automation Platform Text-Only Advisories for RHEL 7 x86_64
Fixes
- BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper in jQuery.htmlPrefilter method
- BZ - 1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.