[RHSA-2020:3329-01] Moderate: Red Hat Ansible Tower 3.6.5-1 - RHEL7 Container

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Wed Aug 5 14:49:19 UTC 2020



=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Ansible Tower 3.6.5-1 - RHEL7 Container
Advisory ID:       RHSA-2020:3329-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3329
Issue date:        2020-08-05
CVE Names:         CVE-2020-14327 
=====================================================================

1. Summary:

Red Hat Ansible Tower 3.6.5-1 - RHEL7 Container

2. Description:

* Removed reports option for Satellite inventory script
* Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
* Fixed the ``Job Type`` field to render properly when editing a Job
Template
* Fixed a notable delay running large project update clones
* Fixed Tower to properly sync host facts for Red Hat Satellite 6.7
inventories
* Fixed installations on Red Hat OpenShift 4.3 to no longer fail
* Fixed the usage of certain SSH keys on RHEL8 when FIPS is enabled to work
properly
* Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client
libraries to be upgraded on Tower nodes, which fixes the backup/restore
function
* Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
* Fixed the ability to add a user to an organization when they already had
roles in the organization
* Fixed manually added host variables to no longer be removed on VMware
vCenter inventory syncs
* Fixed a number of issues related to Tower’s reporting of metrics to Red
Hat Automation Analytics

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential

5. References:

https://access.redhat.com/security/cve/CVE-2020-14327
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.