-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Ansible Tower 3.8.2-1 - Container security and bug fix update
Advisory ID:       RHSA-2021:0780-01
Product:           Red Hat Ansible Automation Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0780
Issue date:        2021-03-09
CVE Names:         CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
                   CVE-2020-35678 CVE-2021-3281 CVE-2021-20178
                   CVE-2021-20180 CVE-2021-20191 CVE-2021-20228
                   CVE-2021-20253
====================================================================

1. Summary:

Red Hat Ansible Tower 3.8.2-1 - Container

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* Addressed a security issue which can allow a malicious playbook author to
elevate to the awx user from outside the isolated environment:
CVE-2021-20253

* Upgraded to a more recent version of Django to address CVE-2021-3281.

* Upgraded to a more recent version of autobahn to address CVE-2020-35678.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Upgraded to the latest oVirt inventory plugin to resolve a number of
inventory syncing issues that can occur on RHEL7.

* Upgraded to the latest theforeman.foreman inventory plugin to resolve a
few bugs and performance regressions.

* Fixed several issues related to how Tower rotates its log files.

* Fixed a bug which can prevent Tower from installing on RHEL8 with certain
non-en_US.UTF-8 locales.

* Fixed a bug which can cause unanticipated delays in certain playbook
output.
* Fixed a bug which can cause job runs to fail for playbooks that print
certain types of raw binary data.

* Fixed a bug which can cause unnecessary records in the Activity Stream
when Automation Analytics data is collected.

* Fixed a bug which can cause Tower PostgreSQL backups to fail when a
non-default PostgreSQL username is specified.

* Fixed a bug which can intermittently cause access to encrypted Tower
settings to fail, resulting in failed job launches.

* Fixed a bug which can cause certain long-running jobs running on isolated
nodes to unexpectedly fail.

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:

https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1911314 - CVE-2020-35678 python-autobahn: allows redirect header injection
1919969 - CVE-2021-3281 django: Potential directory-traversal via archive.extract()
1928847 - CVE-2021-20253 ansible-tower: Privilege escalation via job isolation escape

5. References:

https://access.redhat.com/security/cve/CVE-2020-10543
https://access.redhat.com/security/cve/CVE-2020-10878
https://access.redhat.com/security/cve/CVE-2020-12723
https://access.redhat.com/security/cve/CVE-2020-35678
https://access.redhat.com/security/cve/CVE-2021-3281
https://access.redhat.com/security/cve/CVE-2021-20178
https://access.redhat.com/security/cve/CVE-2021-20180
https://access.redhat.com/security/cve/CVE-2021-20191
https://access.redhat.com/security/cve/CVE-2021-20228
https://access.redhat.com/security/cve/CVE-2021-20253
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
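The Django fix listed above (CVE-2021-3281, "Potential directory-traversal via archive.extract()") belongs to a well-known bug class: an archive member whose name, or whose link target, resolves to a path outside the directory it is being extracted into. The Python below is an added, constructed example for this advisory page; it is not Django's, Ansible Tower's or Red Hat's code and not the patched routine. It builds a small tar in memory with one benign member, two traversing members and a symlink that points out of the tree, then extracts it once with a naive check (rejects only absolute names) and once with a hardened check that resolves every target under the destination. All member names, contents and function names are illustrative.

```python
"""Added example (not Django's, Ansible Tower's or Red Hat's code).

Archive path traversal: a constructed tar holding one benign member and
several that try to climb out of the extraction directory, extracted once
with a naive name check and once with a hardened, resolved-path check.
"""
import io
import os
import tarfile
import tempfile


def build_archive():
    """Constructed sample input: a tar with benign, traversing and link members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("app/settings.py", b"DEBUG = False\n"),        # benign
            ("../escaped.txt", b"written outside dest\n"),   # plain '..' traversal
            ("app/../../escaped2.txt", b"also outside\n"),  # traversal hidden behind a prefix
        ]:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo(name="app/link")             # symlink pointing out of dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tar.addfile(link)
    return buf.getvalue()


def naive_member_ok(dest, member):
    """Weak check: rejects only absolute names, so every '..' form slips through."""
    return not member.name.startswith("/")


def is_within(dest, path):
    """True if the fully resolved path is dest itself or lies below it."""
    dest = os.path.realpath(dest)
    path = os.path.realpath(path)
    return path == dest or path.startswith(dest + os.sep)


def safe_member_ok(dest, member):
    """Hardened check: the resolved target, and for links the resolved link
    target, must stay under dest."""
    target = os.path.join(dest, member.name)
    if not is_within(dest, target):
        return False
    if member.issym():
        # symlink targets are relative to the link's own directory
        return is_within(dest, os.path.join(os.path.dirname(target), member.linkname))
    if member.islnk():
        # hardlink targets are relative to the archive root
        return is_within(dest, os.path.join(dest, member.linkname))
    return True


def extract(archive_bytes, dest, member_ok):
    """Write regular-file members accepted by member_ok; return (accepted, rejected).

    The target path is joined without normalisation on purpose: that is the
    mistake the member check has to compensate for.  Link members are only
    accepted or rejected here, never created."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member_ok(dest, member):
                rejected.append(member.name)
                continue
            accepted.append(member.name)
            if member.isfile():
                target = os.path.join(dest, member.name)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(tar.extractfile(member).read())
    return accepted, rejected


def demo():
    """Run both extractors into fresh temp trees; report what escaped dest."""
    archive = build_archive()
    result = {}
    for label, check in (("naive", naive_member_ok), ("safe", safe_member_ok)):
        root = tempfile.mkdtemp(prefix=f"tarslip-{label}-")
        dest = os.path.join(root, "dest")
        os.makedirs(dest)
        accepted, rejected = extract(archive, dest, check)
        result[label] = {
            "accepted": accepted,
            "rejected": rejected,
            # anything that landed in root, the parent of dest, escaped
            "escaped": sorted(n for n in os.listdir(root) if n != "dest"),
        }
    return result


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

With the naive check both "../escaped.txt" and "app/../../escaped2.txt" are accepted and end up beside, not inside, the destination directory, and the symlink to "../../../etc" is accepted as well; the hardened check rejects all three and writes only app/settings.py. The check is done on the resolved path rather than on the member name because a prefix check on the name ("does it start with '..'?") misses the second form, and because link members carry a second path that has to be checked on its own.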
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYEecRtzjgjWX9erEAQhhqxAAnuxQGRWFCXb0gFDqL4w/xu5Z6GKKJkgx
5zppkQCrVhOZC0gte6fbX0Gc93a8zHzy2KVWWbQzWPBAf31HQUKK26PdkV1Dt2fl
5v6YAikritULYF9YHYUKZyymyFVxTEizntBk1S4t9jHj8Jgt5YBRB3oypgH+HkjA
UTil2i45u0XLEbBdx3pWE54WlvoYEUgLjptT9j8l8rQVNot/GcMuVp+2tXJ0JeF4
2U7mor77CSDGO3oY5SNDcfJyYyyMsBTxjm4N2iU6P065vdWD4pOe6VuZGrj+2y+o
oOhzMMyUMHNnYYyr+yg9oy5IT+cWP+bwhOGektdDgoPvmlfnDYrNxc25lc1AMht2
oDB/pI+7+Et+mJ+7iN1/a8fccK9/opNABU5EGqXIw0QbO8iG+EucMPKhd9Grm4mA
MPmTYPO1TfVSSbozBr8ZJl5N12E+ndpX6YcQfmV0DZumbaz22b2JQrPjkHH4u42t
IiA8Li81cZiM3wpueKsNojY4lPRQuoKKxIDXRjjMaicBGIh2lZduJuxet/rCpe+w
zeU5h3TBdMvcE1La4O4wmtrG232p+eVKJRNbwFXPkWBRJd6V2hfVHHefEYPkSv9R
uRr9bag1HC5G1oy6X5xlQbFJIa6SkqF96ygEr1x1Hbm3s5gUfIhppniUUPGPXN9Q
XIFq5Vk5T4U=
=R7ey
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce