Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 9. Patch releases
Security, bug fixes, and enhancements for Ansible Automation Platform 2.5 are released as asynchronous erratas. All Ansible Automation Platform erratas are available on the Download Red Hat Ansible Automation Platform page.
As a Red Hat Customer Portal user, you can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, you receive notifications through email whenever new erratas relevant to your registered systems are released.
Red Hat Customer Portal user accounts must have systems registered and consuming Ansible Automation Platform entitlements for Ansible Automation Platform errata notification emails to generate.
The patch releases section of the release notes will be updated over time to give notes on enhancements and bug fixes for patch releases of Ansible Automation Platform 2.5.
Additional resources
- For more information about asynchronous errata support in Ansible Automation Platform, see Red Hat Ansible Automation Platform Life Cycle.
- For information about Common Vulnerabilities and Exposures (CVEs), see What is a CVE? and Red Hat CVE Database.
9.1. Ansible Automation Platform patch release November 18, 2024
The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.
9.1.1. Enhancements
-
With this release, a redirect page has now been implemented that will be exhibited when you navigate to the root
/
for each component’s stand-alone URL. The API endpoint remains functional. This affects Event-Driven Ansible, automation controller, Ansible Automation Platform Operator, and OpenShift Container Platform.
9.1.2. Bug fixes
9.1.2.1. General
With this update, the following CVEs have been addressed:
CVE-2024-9902 ansible-core: Ansible-core user may read/write unauthorized content.
CVE-2024-8775 ansible-core: Exposure of sensitive information in Ansible vault files due to improper logging.
9.1.2.2. Ansible Automation Platform
- Fixed an issue where the user was unable to filter out hosts on inventory groups where it returned a Failed to load options on Ansible Automation Platform UI.
9.1.2.3. Execution Environment
- Update pywinrm to 0.4.3 in ee-minimal and ee-supported container images to fix Python 3.11 compatibility.
9.1.2.4. Ansible Automation Platform Operator
-
Fixed a syntax error when
bundle_cacert_secret
was defined due to incorrect indentation. - Fixed an issue where the default operator catalog for Ansible Automation Platform aligned to cluster-scoped versus namespace-scoped.
-
Added the ability to set tolerations and
node_selector
for the Redis statefulset and the gateway deployment. - Ensure the platform URL status is set when Ingress is used to resolve an issue with Microsoft Azure on Cloud managed deployments. This is due to the Ansible Automation Platform operator failing to finish because it is looking for OpenShift Container Platform routes that are not available on Azure Kubernetes Service.
- Fixed an issue where the Ansible Automation Platform Operator description did not render code block correctly.
-
It is necessary to specify the
CONTROLLER_SSO_URL
andAUTOMATION_HUB_SSO_URL
settings in Gateway to fix the OIDC auth redirect flow. -
It is necessary to set the
SERVICE_BACKED_SSO_AUTH_CODE_REDIRECT_URL
setting to fix the OIDC auth redirect flow.
9.1.2.5. container-based installation Ansible Automation Platform
-
Fixed an issue when the port value was not defined in the
gateway_main_url
variable, the containerized installer failed with incorrect execution environment image reference error. -
Fixed an issue where the containerized installer used port number when specifying the
image_url
for a decision environment. The user should not add a port to image URLs when using the default value.
9.1.2.6. RPM-based Ansible Automation Platform
-
Fixed an issue where not setting up the gpg agent socket properly when multiple hub nodes are configured resulted in not creating a gpg socket file in
/var/run/pulp
.
9.1.2.7. Ansible development tools
- Fixed an issue where missing data files were not included in the molecule RPM package.
9.2. Ansible Automation Platform patch release October 28, 2024
The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.
9.2.1. Enhancements
9.2.1.1. Ansible Automation Platform
With this update, upgrades from Ansible Automation Platform 2.4 to 2.5 are supported for RPM and Operator-based deployments. For more information on how to upgrade, see RPM upgrade and migration. (ANSTRAT-809)
- Upgrades from 2.4 Containerized Ansible Automation Platform Tech Preview to 2.5 Containerized Ansible Automation Platform are unsupported at this time.
- Upgrades for Event-Driven Ansible are unsupported from Ansible Automation Platform 2.4 to Ansible Automation Platform 2.5.
9.2.1.2. Ansible Automation Platform Operator
- An informative redirect page is now shown when you go to the automation hub URL root. (AAP-30915)
9.2.1.3. Container-based Ansible Automation Platform
- The TLS Certificate Authority private key can now use a passphrase. (AAP-33594)
- Automation hub is populated with container images (decision and execution environments) and Ansible collections. (AAP-33759)
- The automation controller, Event-Driven Ansible, and automation hub legacy UIs now display a redirect page to the Platform UI rather than a blank page. (AAP-33794)
9.2.1.4. RPM-based Ansible Automation Platform
-
Added platform Redis to RPM-based Ansible Automation Platform. This allows a 6 node cluster for a Redis high availability (HA) deployment. Removed the variable
aap_caching_mtls
and replaced it withredis_disable_tls
andredis_disable_mtls
which are boolean flags that disable Redis server TLS and Redis client certificate authentication. (AAP-33773) - An informative redirect page is now shown when going to automation controller, Event-Driven Ansible, or automation hub URL. (AAP-33827)
9.2.2. Bug fixes
9.2.2.1. Ansible Automation Platform
- Removed the Legacy external password option from the Authentication Type list. (AAP-31506)
-
Ansible Galaxy’s
sessionauth
class is now always the first in the list of authentication classes so that the platform UI can successfully authenticate. (AAP-32146) -
CVE-2024-10033 -
automation-gateway
: Fixed a Cross-site Scripting (XSS) vulnerability on theautomation-gateway
component that allowed a malicious user to perform actions that impact users. -
CVE-2024-22189 -
receptor
: Resolved an issue inquic-go
that would allow an attacker to trigger a denial of service by sending a large number ofNEW_CONNECTION_ID
frames that retire old connection IDs.
9.2.2.2. Automation controller
-
CVE-2024-41989 -
automation-controller
: Before this update, in Django, iffloatformat
received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption. With this update, decimals with more than 200 digits are now returned as is. -
CVE-2024-45230 -
automation-controller
: Resolved an issue in Python’s Djangourlize()
andurlizetrunc()
functions where excessive input with a specific sequence of characters would lead to denial of service.
9.2.2.3. Automation hub
-
Refactored the
dynaconf
hooks to preserve the necessary authentication classes for Ansible Automation Platform 2.5 deployments. (AAP-31680) - During role migrations, model permissions are now re-added to roles to preserve ownership. (AAP-31417)
9.2.2.4. Ansible Automation Platform Operator
-
The port is now correctly set when configuring the platform gateway cache
redis_host
setting when using an external Redis cache. (AAP-33279) - Added checksums to the automation hub deployments so that pods are cycled to pick up changes to the PostgreSQL configuration and galaxy server settings Kubernetes secrets. (AAP-33518)
9.2.2.5. Container-based Ansible Automation Platform
- Fixed the uninstall playbook execution when the environment was already uninstalled. (AAP-32981)
9.3. Ansible Automation Platform patch release October 14, 2024
The following fixes have been implemented in this release of Red Hat Ansible Automation Platform.
9.3.1. Fixed issues
9.3.1.1. Ansible Automation Platform
- Fixed an issue in platform gateway where examining output logs for UWSGI shows a message that can be viewed as insensitive. (AAP-33213)
-
Fixed external Redis port configuration issue, which resulted in a
cluster_host
error when trying to connect to Redis. (AAP-32691) - Fixed a faulty conditional which was causing managed Redis to be deployed even if an external Redis was being configured. (AAP-31607)
- After the initial deployment of Ansible Automation Platform, if you make changes to the automation controller, automation hub, or Event-Driven Ansible sections of the Ansible Automation Platform CR specification, those changes are now propagated to the component custom resources. (AAP-32350)
-
Fixed addressing issues when the filter
keep_keys
is used, all keys are removed from the dictionary. Thekeepkey
fix is available in the updatedansible.utils
collection. (AAP-32960) -
Fixed an issue in
cisco.ios.ios_static_routes
where the metric distance is to be populated in theforward_router_address
attribute. (AAP-32960) - Fixed an issue where Ansible Automation Platform Operator is not transferring metric settings to the controller. (AAP-32073)
- Fixed an issue where you have a schedule on a resource, such as a job template, that prompts for credentials, and you update the credential to be different from what is on the resource by default, the new credential is not submitted to the API and it does not get updated. (AAP-31957)
-
Fixed an issue where setting
*pg_host=
without any other context no longer results in an empty HOST section ofsettings.py
in controller. (AAP-32440)
9.3.2. Advisories
The following errata advisories are included in this release:
9.4. Ansible Automation Platform patch release October 7, 2024
The following enhancements and fixes have been implemented in this release of Red Hat Ansible Automation Platform.
9.4.1. Enhancements
- Event-Driven Ansible workers and scheduler add timeout and retry resilience when communicating with a Redis cluster. (AAP-32139)
- Removed the MTLS credential type that was incorrectly added. (AAP-31848)
9.4.2. Fixed issues
9.4.2.1. Ansible Automation Platform
- Fixed conditional that was skipping necessary tasks in the restore role, which was causing restores to not finish reconciling. (AAP-30437)
- Systemd services in the containerized installer are now set with restart policy set to always by default. (AAP-31824)
- FLUSHDB is now modified to account for shared usage of a Redis database. It now respects access limitations by removing only those keys that the client has permissions to. (AAP-32138)
- Added a fix to ensure default extra_vars values are rendered in the Prompt on launch wizard. (AAP-30585)
- Filtered out the unused ANSIBLE_BASE_ settings from the environment variable in job execution. (AAP-32208)
9.4.2.2. Event-Driven Ansible
- Configured the setting EVENT_STREAM_MTLS_BASE_URL to the correct default to ensure MTLS is disallowed in the RPM installer. (AAP-32027)
- Configured the setting EVENT_STREAM_MTLS_BASE_URL to the correct default to ensure MTLS is disallowed in the containerized installer. (AAP-31851)
- Fixed a bug where the Event-Driven Ansible workers and scheduler are unable to reconnect to the Redis cluster if a primary Redis node enters a failed state and a new primary node is promoted. See the KCS article Redis failover causes Event-Driven Ansible activation failures that include the steps that were necessary before this bug was fixed. (AAP-30722)
9.4.3. Advisories
The following errata advisories are included in this release: