Chapter 8. Asynchronous updates


Security, bug fix, and enhancement updates for Ansible Automation Platform 2.4 are released as asynchronous erratas. All Ansible Automation Platform erratas are available on the Download Red Hat Ansible Automation Platform page in the Customer Portal.

As a Red Hat Customer Portal user, you can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, you receive notifications through email whenever new erratas relevant to your registered systems are released.

Note

Red Hat Customer Portal user accounts must have systems registered and consuming Ansible Automation Platform entitlements for Ansible Automation Platform errata notification emails to generate.

The Asynchronous updates section of the release notes will be updated over time to give notes on enhancements and bug fixes for asynchronous errata releases of Ansible Automation Platform 2.4.

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: January 28, 2026

Component versions:

  • Automation controller 4.5.30
  • Automation hub 4.9.5
  • Event-Driven Ansible controller 1.0.8
  • Red Hat Ansible Lightspeed 2.4.20260121
  • Ansible Automation Platform-collection installer (bundle): 2.4-14.2
  • Ansible Automation Platform-collection installer (online): 2.4-14
  • Receptor 1.6.3

CSV versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1768592178
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1768599045

8.1.1. CVE

With this update, the following CVEs have been addressed:

  • CVE-2025-66471 automation-controller: urllib3 Streaming API improperly handles highly compressed data.(AAP-62007)
  • CVE-2025-66471 ansible-automation-platform-24/lightspeed-rhel8: urllib3 Streaming API improperly handles highly compressed data.(AAP-62004)
  • CVE-2025-69223 automation-controller: AIOHTTP’s HTTP Parser auto_decompress feature is vulnerable to zip bomb.(AAP-61853)
  • CVE-2025-69223 ansible-automation-platform-24/controller-rhel8: AIOHTTP’s HTTP Parser auto_decompress feature is vulnerable to zip bomb.(AAP-61840)
  • CVE-2025-64460 automation-controller: Django: Algorithmic complexity in XML Deserializer leads to denial of service.(AAP-60953)
  • CVE-2025-61729 receptor: Excessive resource consumption when printing error string for host certificate validation in crypto/x509.

8.1.2. Deprecated

8.1.2.1. Execution Environment

The openvswitch.openvswitch collection has been deprecated for two years and is no longer certified. It has been removed from console.redhat.com, but is still available from galaxy.ansible.com. While supported, it remains in ee-supported for Ansible Automation Platform 2.4 for a brief transition period, but it will be removed in a future release.(ACA-4941)

8.1.3. Bug fixes

8.1.3.1. Automation controller

  • Fixed an issue where after upgrading Ansible Automation Platform to the latest 2.4 version, no awx.analytics.system_tracking logger was being registered.(AAP-60506)
  • Fixed an issue where jobs from other templates occasionally appeared on the template jobs page.(AAP-59615)
  • Fixed an issue where the Ansible Automation Platform 2.4 constructed inventory could only add 25 source inventories.(AAP-59568)
  • Fixed an issue where there was an excess number of API calls while scrolling through job output.(AAP-58255)

8.1.4. Enhancements

8.1.5. Automation controller

  • Added OpenShift 4.19 and 4.20 support for the operator bundle.(AAP-54875)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: January 6, 2026

Component versions:

  • Automation controller 4.5.28
  • Automation hub 4.9.5
  • Event-Driven Ansible controller 1.0.8
  • Red Hat Ansible Lightspeed 2.4.251203
  • Ansible Automation Platform-collection installer (bundle): 2.4-14.1
  • Ansible Automation Platform-collection installer (online): 2.4-14
  • Receptor 1.6.2

CSV versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1767615165
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1767619081

8.2.1. CVE

With this update, the following CVEs have been addressed:

  • CVE-2025-68664 ansible-automation-platform-24/lightspeed-rhel8: LangChain: Arbitrary code execution via serialization injection.(AAP-61249)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: December 10, 2025

Component versions:

  • Automation controller 4.5.28
  • Automation hub 4.9.5
  • Event-Driven Ansible controller 1.0.8
  • Receptor 1.6.2
  • Red Hat Ansible Lightspeed 2.4.251203
  • Ansible Automation Platform-collection installer (online): 2.4-14
  • Ansible Automation Platform-collection installer (bundle): 2.4-14.1

CSV versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1764863789
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1764868132

8.3.1. General

8.3.2. CVE

With this update, the following CVEs have been addressed:

  • CVE-2025-64459 ansible-automation-platform-24/lightspeed-rhel8: Django SQL injection.(AAP-58032)

8.3.3. Bug fixes

8.3.3.1. Automation controller

  • Fixed an issue where there were extraneous API calls made from the job output screen when a job run completes.(AAP-58589)

8.3.3.2. Ansible Automation Platform Operator

  • Fixed an issue where the user was unable to restore backup on Red Hat OpenShift Container Platform if Ansible Automation Platform was originally migrated from RPM. Postgres 15 restores missing no owner and no privilege flags.(AAP-55634)

8.3.3.3. Decision Environment

  • Fixed an issue in the ansible-rulebook which previously caused the ansible.eda.azure_service_bus module to fail in Ansible Automation Platform 2.4, by utilizing Python 3.11. This change resolves the problem of the Microsoft Azure module not being found.(AAP-59506)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: November 19, 2025

Component versions:

  • Automation controller 4.5.27
  • Automation hub 4.9.5
  • Event-Driven Ansible controller 1.0.8
  • Receptor 1.6.2
  • Red Hat Ansible Lightspeed 2.4.250225
  • Ansible Automation Platform-collection installer (online): 2.4-14
  • Ansible Automation Platform-collection installer (bundle): 2.4-14

CSV versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1763136910
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1763137360

8.4.1. General

  • Red Hat Enterprise Linux minimum version is updated to 8.10 and 9.4.(AAP-56387)
  • nginx has been updated to 1.24.(AAP-53990)
  • With this update, Ansible Automation Platform 2.4 uses Python 3.11. Before this update, Ansible Automation Platform 2.4 used Python 3.9, which reaches end of life on RHEL 8 in November 2025.(AAP-53469)

Important

All users must download the latest version of the installation program. Attempting to install or upgrade Ansible Automation Platform 2.4 with a previous version of the installation program will fail.

8.4.2. CVE

With this update, the following CVEs have been addressed:

  • CVE-2025-59530 receptor: quic-go crash due to premature HANDSHAKE_DONE frame.

8.4.3. New Features

8.4.3.1. Automation controller

  • Added two new toggle options on the subscription wizard to allow for fetching subscriptions using basic authentication.(AAP-56060)
  • Added a step in the subscription wizard that allows the user to configure automation analytics.(AAP-56061)

8.4.4. Enhancements

8.4.4.1. Automation controller

  • Added support for Red Hat username and password for the subscription management API.(AAP-56887)
  • Fixed an issue where some edge cases caused JSON to fail to parse a line from the worker stream with the error: Expecting value: line 1 column 1 (char 0) Line with invalid JSON data: b. Updated the pinned version for receptorctl in automation controller to address this issue.(AAP-53523)

8.4.4.2. RPM-based Ansible Automation Platform

  • Fixed an issue where the controller was unable to make requests to subscription.rhsm.redhat.com. Set REDHAT_CANDLEPIN_VERIFY to the correct CA pem.(AAP-57020)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: October 22, 2025

Component versions:

  • Automation controller 4.5.26
  • Automation hub 4.9.5
  • Event-Driven Ansible controller 1.0.7
  • Red Hat Ansible Lightspeed 2.4.250225
  • Ansible Automation Platform-collection installer (online): 2.4-13
  • Ansible Automation Platform-collection installer (bundle): 2.4-13.4
  • Receptor 1.6.0

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1760618328
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1760618870

8.5.1. General

  • The ansible.controller collection has been updated to 4.5.26.(AAP-56033)

8.5.2. Bug Fixes

8.5.2.1. Ansible Automation Platform

  • Fixed an issue where query performance was not optimized on the jobs list page and loading user admin data during login, which could cause expensive queries.(AAP-54299)

8.5.2.2. Automation controller

  • Fixed an issue where the awx.awx.license appeared to succeed when given an invalid pool / subscription.(AAP-54649)
  • Fixed an issue where there were double escaped quotes in api/v2/jobs/{id}/stdout/?format=txt.(AAP-51845)

8.5.2.3. Receptor

  • Fixed an issue where the previous version of receptor had stability issues on long-running jobs, with clusters under heavy load, and with network inconsistencies.(AAP-53742)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: September 22, 2025

Component versions:

  • Automation controller 4.5.25
  • Event-Driven Ansible controller 1.0.7
  • Automation hub 4.9.5
  • Red Hat Ansible Lightspeed 2.4.250225
  • Ansible Automation Platform-collection installer (online) 2.4-13
  • Ansible Automation Platform-collection installer (bundle) 2.4-13.3
  • Receptor 1.5.7

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1758079821
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1758080293

8.6.1. CVE

With this update, the following CVEs have been addressed:

  • CVE-2025-57833 python3x-django: Django SQL injection in FilteredRelation column aliases. (AAP-53033)
  • CVE-2025-57833 python-django: Django SQL injection in FilteredRelation column aliases. (AAP-53032)
  • CVE-2025-57833 ansible-automation-platform-24/lightspeed-rhel8: Django SQL injection in FilteredRelation column aliases. (AAP-52603)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: August 27, 2025

Component versions:

  • Automation controller 4.5.25
  • Event-Driven Ansible controller 1.0.7
  • Automation hub 4.9.5
  • Red Hat Ansible Lightspeed 2.4.250225
  • Ansible Automation Platform-collection installer (online) 2.4-13
  • Ansible Automation Platform-collection installer (bundle) 2.4-13.2
  • Receptor 1.5.7

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1755833431
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1755833968

8.7.1. General

  • The ansible.controller collection has been updated to 4.5.25.(AAP-51876)

8.7.2. Ansible Automation Platform

8.7.2.1. Bug Fixes

  • Fixed an issue to use scram-sha-256 password encryption to enable FIPS for operator deployments.(AAP-49371)
  • Fixed the scale-down process when upgrading from PostgreSQL 13 to 15.(AAP-49103)
  • Fixed an issue to resolve public_base_url undefined variable error when the 2.4 Ansible Automation Platform Operator is installed in another namespace on the same cluster as a 2.5 Ansible Automation Platform Operator install.(AAP-46486)

8.7.3. Automation controller

8.7.3.1. Bug Fixes

  • Fixed an optimization issue on the jobs list page to reduce the number of API calls.(AAP-50102)

8.7.4. Event-Driven Ansible

8.7.4.1. Bug Fixes

  • Fixed an issue with the PostgreSQL password encryption when upgrading from PG13 to PG15 on FIPS.(AAP-50453)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: July 30, 2025

Component versions:

  • Automation controller 4.5.24
  • Event-Driven Ansible controller 1.0.7
  • Automation hub 4.9.4
  • Red Hat Ansible Lightspeed 2.4.250225
  • Ansible Automation Platform-collection installer (online) 2.4-13
  • Ansible Automation Platform-collection installer (bundle) 2.4-13
  • Receptor 1.5.7

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1753232084
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1753232791

8.8.1. General

  • The redhat.rhel_system_roles collection has been updated to 1.95.7.(AAP-49917)
  • The ansible.windows collection has been updated to 2.8.0.(AAP-48369)

8.8.2. Ansible Automation Platform

8.8.2.1. Bug Fixes

  • Fixed an issue where the automation hub resource was failing during a Red Hat Ansible Automation Platform Operator update due to a wrong task file reference in upgrade_postgres.yml.(AAP-49103)

8.8.3. RPM-based Ansible Automation Platform

8.8.3.1. Bug Fixes

  • Fixed an issue where the certified collections in the bundle installer did not match what is included in the execution environment image.(AAP-48368)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: July 2, 2025

Component versions:

  • Automation controller 4.5.24
  • Event-Driven Ansible controller 1.0.7
  • Automation hub 4.9.4
  • Red Hat Ansible Lightspeed 2.4.250225
  • Ansible Automation Platform-collection installer (online) 2.4-12
  • Ansible Automation Platform-collection installer (bundle) 2.4-12
  • Receptor 1.5.5

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1750877268
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1750878254

8.9.1. General

  • The ansible.controller collection has been updated to 4.5.24.(AAP-48350)

8.9.2. CVE

With this update, the following CVEs have been addressed:

  • CVE-2025-2287 receptor: Request smuggling due to acceptance of invalid chunked data in net/http.(AAP-47165)

8.9.3. Ansible Automation Platform

8.9.3.1. Features

  • Fresh installs on Ansible Automation Platform 2.4 will use the PostgreSQL 15 image.(AAP-45607)

8.9.4. Red Hat Ansible Lightspeed

8.9.4.1. Features

  • PostgreSQL 15 support, including upgrade logic for managed database deployments.(AAP-45612)

8.9.5. Automation controller

8.9.6. Features

  • PostgreSQL 15 support, including upgrade logic for managed database deployments.(AAP-45609)

8.9.6.1. Bug Fixes

  • Fixed an issue where the Fact Storage was not working when automation controller’s time zone is different from UTC.(AAP-45925)

8.9.7. Automation hub

8.9.7.1. Features

  • PostgreSQL 15 support, including upgrade logic for managed database deployments.(AAP-45610)

8.9.8. Event-Driven Ansible

8.9.9. Features

  • PostgreSQL 15 support, including upgrade logic for managed database deployments.(AAP-45611)

8.9.10. Bug Fixes

  • Fixed an intermittent activation failure when using Podman 5.x (shipped starting from RHEL 9.5).(AAP-42284)

8.9.11. Receptor

8.9.11.1. Bug Fixes

  • Fixed an issue where connections that had cancelled context were not removed.(AAP-47996)

8.9.12. RPM-based Ansible Automation Platform

8.9.12.1. Enhancements

  • PostgreSQL has been updated to 15.(AAP-46764)

8.9.12.2. Bug Fixes

  • Fixed an issue where the bundle installer failed to update the automation controller and aap-metrics-utility in the same run.(AAP-47173)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: June 9, 2025

Component versions:

  • Automation controller 4.5.23
  • Automation hub 4.9.4
  • Event-Driven Ansible controller 1.0.7
  • Receptor 1.5.5
  • Ansible Automation Platform-collection installer (online) 2.4-12
  • Ansible Automation Platform-collection installer (bundle) 2.4-12
  • Red Hat Ansible Lightspeed 2.4.250225

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1749069319
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1749069693

8.10.1. General

  • The ansible.controller collection has been updated to 4.5.23.(AAP-46561)

8.10.2. CVE

With this update, the following CVEs have been addressed:

  • CVE-2025-26699 python3x-django: Potential denial-of-service vulnerability in django.utils.text.wrap().(AAP-46567)
  • CVE-2025-26699 python-django: Potential denial-of-service vulnerability in django.utils.text.wrap().(AAP-46566)
  • CVE-2025-43859 ansible-lightspeed-container: h11 accepts some malformed Chunked-Encoding bodies.(AAP-44778)

8.10.3. Ansible Automation Platform

8.10.3.1. Bug Fixes

  • Fixed an issue where the workflow visualizer would occasionally freeze with higher node counts.(AAP-46620)

8.10.4. Automation controller

8.10.4.1. Features

  • Replaced the basic authentication with service account authentication for Ansible Automation Platform subscription management.(AAP-44642)
  • Updated help text on the credentials creation page.(AAP-45499)

8.10.4.2. Enhancements

  • Updated banner on the Credentials form (specifically for Insights credentials) to inform the user to enter client ID and secret to create an Insights credential.(AAP-43235)
  • Updated field names and help text in the System Settings UI to indicate client ID and client secret for service accounts, as well as client ID and client secret for analytics.(AAP-43161)
  • Updated license mechanism to allow users to provide username and password when fetching subscriptions via the API and AAP User Interface.(AAP-46837)

8.10.4.3. Bug Fixes

  • Fixed a useThrottle issue where the jobs list page was spamming the API when websocket events rolled in.(AAP-46551)
  • Fixed an issue where the analytics collector failed to clean up temporary files after a failed upload to Hybrid Cloud Console.(AAP-45967)
  • Fixed an issue where the idle dispatch workers were not recycled based upon age, or after completing the last task. Default maximum age is 4 hours, controlled by WORKER_MAX_LIFETIME_SECONDS setting. Set to None to disable worker recycling.(AAP-45948)
  • Fixed a database deadlock by awx_callback_receiver_worker and awx_dispatcher_worker while trying to update hosts last_job_id and ansible_facts in two separate commands.(AAP-45122)

8.10.5. Automation hub

8.10.5.1. Bug Fixes

  • Fixed an issue where Ansible Automation Platform 2.4 allowed unauthenticated execution environment pulls.(AAP-46525)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: May 7, 2025

Component versions:

  • Automation controller 4.5.22
  • Automation hub 4.9.3
  • Event-Driven Ansible controller 1.0.7
  • Receptor 1.5.5
  • Ansible Automation Platform-collection installer (online) 2.4-11
  • Ansible Automation Platform-collection installer (bundle) 2.4-11
  • Red Hat Ansible Lightspeed 2.4.250225

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1746132523
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1746133932

8.11.1. General

  • The ansible.controller collection has been updated to 4.5.22.(AAP-45011)

8.11.2. Enhancements

8.11.2.1. Automation controller

  • Updated the pinned version for receptorctl in automation controller.(AAP-45005)

8.11.3. Bug fixes

With this update, the following CVEs have been addressed:

  • CVE-2025-26699 automation controller: Potential denial-of-service vulnerability in django.utils.text.wrap().(AAP-44152)

8.11.3.1. Automation controller

  • Fixed an issue where facts were unintentionally deleted when the inventory is modified during a job execution.(AAP-45006)
  • Fixed an issue where there was an incorrect deprecation warning for awx.awx.schedule_rrule.(AAP-43475)

8.11.3.2. RPM-based Ansible Automation Platform

  • Fixed an issue where old instance nodes were still registered in the automation controller post restore.(AAP-44232)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: April 9, 2025

Component versions:

  • Automation controller 4.5.21
  • Automation hub 4.9.3
  • Event-Driven Ansible controller 1.0.7
  • Receptor 1.5.3
  • Ansible Automation Platform-collection installer (online) 2.4-10
  • Ansible Automation Platform-collection installer (offline) 2.4-10.2
  • Red Hat Ansible Lightspeed 2.4.250225

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1743629049
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1743630487

8.12.1. General

  • The ansible.controller collection has been updated to 4.5.21.(AAP-43127)

8.12.2. Bug fixes

With this update, the following CVEs have been addressed:

  • CVE-2025-2877 ansible-rulebook: Exposure of inventory passwords in plain text when starting a rulebook activation with verbosity set to debug in Event-Driven Ansible.(AAP-42816)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: March 26, 2025

Component versions:

  • Automation controller 4.5.20
  • Automation hub 4.9.3
  • Event-Driven Ansible controller 1.0.7
  • Receptor 1.5.3
  • Ansible Automation Platform-collection installer (online) 2.4-10
  • Ansible Automation Platform-collection installer (offline) 2.4-10.1
  • Red Hat Ansible Lightspeed 2.4.250225

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1742444794
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1742445409

8.13.1. General

  • The ansible.controller collection has been updated to 4.5.20.(AAP-42241)

8.13.2. Bug fixes

With this update, the following CVEs have been addressed:

  • CVE-2025-27516 ansible-lightspeed-container: Jinja sandbox breakout through attr filter selecting format method.(AAP-41689)
  • CVE-2025-27516 python3x-jinja2: Jinja sandbox breakout through attr filter selecting format method.(AAP-42106)
  • CVE-2025-27516 python-jinja2: Jinja sandbox breakout through attr filter selecting format method.(AAP-42105)
  • CVE-2025-27516 automation-controller: Jinja sandbox breakout through attr filter selecting format method.(AAP-41691)

8.13.2.1. Ansible Automation Platform Operator

  • Fixed an issue where Ansible Automation Platform backups failed when writing YAML to the PVC on Openshift clusters with Openshift Virtualization installed.(AAP-28609)

8.13.2.2. Automation controller

  • Fixed an issue where Insights projects were failing on Openshift Container Platform Ansible Automation Platform, due to incorrectly specifying the extra vars path.(AAP-41875)
  • Fixed an issue where the system auditor could download the execution node install bundle.(AAP-39799)
  • Fixed an issue where the latest committed code was not reflecting on controller nodes.(AAP-39228)

8.13.2.3. Automation hub

  • Fixed an issue where the retain_repo_versions was null for the validated repos.(AAP-42004)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: March 12, 2025

Component versions:

  • Automation controller 4.5.19
  • Automation hub 4.9.2
  • Event-Driven Ansible controller 1.0.7
  • Receptor 1.5.3
  • Ansible Automation Platform-collection installer (online) 2.4-10
  • Ansible Automation Platform-collection installer (offline) 2.4-10
  • Red Hat Ansible Lightspeed 2.4.250225

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1741194076
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1741194557

8.14.1. Enhancements

8.14.1.1. General

  • The redhat.insights collection has been updated to 1.3.0.(AAP-40261)
  • The ansible.controller collection has been updated to 4.5.19.(AAP-41401)

8.14.2. Bug fixes

8.14.2.1. Automation controller

  • Fixed an issue where the Azure credentials automatically added the config_cred value where having both fields for the client caused an error.(AAP-39847)
  • Fixed an issue where the job schedules would run at incorrect times when that schedule’s start time fell within a Daylight Saving Time period.(AAP-39827)
  • Fixed an issue where awxkit did not have service account support for Insights credential type. The fields client_id and client_secret were missing from the credential_input_fields.(AAP-39351)
  • Fixed an issue where the python script action_plugins/insights.py could not handle service account oauth.(AAP-37463)
  • Fixed an issue where there was no service account support for Insights credential type for Ansible Automation Platform version 2.4.(AAP-37440)

8.14.2.2. Receptor

  • Fixed an issue where automation mesh receptor was creating too many inotify processes, and where the user would encounter a too many open files error.(AAP-22605)

8.14.2.3. RPM-based Ansible Automation Platform

  • Fixed an issue where the previously required Red Hat Enterprise Linux minimum versions were not set to 8.8 and 9.2.(AAP-40422)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: January 29, 2025

Component versions:

  • Automation controller 4.5.17
  • Automation hub 4.9.2
  • Event-Driven Ansible controller 1.0.7
  • Receptor 1.5.1
  • Ansible Automation Platform-collection installer (online) 2.4-9
  • Ansible Automation Platform-collection installer (offline) 2.4-9
  • Red Hat Ansible Lightspeed 2.4.250121

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1737661496
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1737662040

8.15.1. Enhancements

8.15.1.1. General

  • The ansible.controller collection has been updated to 4.5.17.(AAP-39099)

8.15.2. Bug fixes

8.15.2.1. CVE

With this update, the following CVEs have been addressed:

  • CVE-2024-56326 python3x-jinja2: Jinja has a sandbox breakout through indirect reference to format method.(AAP-38851)
  • CVE-2024-11407 ansible-lightspeed-container: Denial-of-Service through data corruption in gRPC-C++.(AAP-38785)
  • CVE-2024-56374 ansible-lightspeed-container: Potential denial-of-service vulnerability in IPv6 validation.(AAP-38784)
  • CVE-2024-56201 python3x-jinja2: Jinja has a sandbox breakout through malicious filenames.(AAP-38332)
  • CVE-2024-56201 python3x-jinja2: Jinja has a sandbox breakout through malicious filenames.(AAP-38328)
  • CVE-2024-56201 ansible-lightspeed-container: Jinja has a sandbox breakout through malicious filenames.(AAP-38078)
  • CVE-2024-56326 ansible-lightspeed-container: Jinja has a sandbox breakout through indirect reference to format method.(AAP-38055)
  • CVE-2024-52304 ansible-lightspeed-container: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions.(AAP-37995)
  • CVE-2024-53908 automation-controller: Potential SQL injection in HasKey(lhs, rhs) on Oracle.(AAP-36768)
  • CVE-2024-56201 automation-controller: Jinja has a sandbox breakout through malicious filenames.(AAP-38080)

8.15.2.2. Automation controller

  • Fixed an issue where the traceback from host_metric_summary_monthly task caused a type comparison error.(AAP-37486)
  • Fixed an issue where the order of source inventories was not respected by the collection ansible.controller.(AAP-38511)

8.15.2.3. RPM-based Ansible Automation Platform

  • Fixed an issue where setting the *pg_host= without any other context would result in an empty HOST section of settings.py in controller.(AAP-38030)
  • Fixed an issue where Automation hub backup would fail when automationhub_pg_port=".(AAP-18484)
  • Fixed an issue where providing the database installation a custom port would break the installation of postgres.(AAP-31260)
  • Fixed an issue where setup.sh -p <path_to_log_dir> did not work if the directory specified by the -p parameter was not writable. The setup script now warns if the provided log path does not have write permission.(AAP-18204)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: December 18, 2025

Component versions:

  • Automation controller 4.5.15
  • Automation hub 4.9.2
  • Event-Driven Ansible controller 1.0.7
  • Receptor 1.5.1
  • Ansible Automation Platform-collection installer (online) 2.4-8
  • Ansible Automation Platform-collection installer (offline) 2.4-8.1
  • Red Hat Ansible Lightspeed 2.4.241210

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1733943951
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1733945743

8.16.1. Enhancements

8.16.1.1. General

  • aap-metrics-utility has been updated to 0.4.1.(AAP-36394)
  • The ansible.controller collection has been updated to 4.5.15.(AAP-37293)

8.16.2. Bug fixes

8.16.2.1. General

With this update, the following CVEs have been addressed:

  • CVE-2024-53908 ansible-lightspeed-container: Potential SQL injection in HasKey(lhs, rhs) on Oracle.(AAP-36767)
  • CVE-2024-53907 ansible-lightspeed-container: Potential denial-of-service in django.utils.html.strip_tags().(AAP-37275)

8.16.2.2. Automation controller

  • Fixed an issue where a scheduled job with count set to non-zero value would run unexpectedly.(AAP-37292)
  • Fixed an issue where when launching the job template, the named URL returned a 404 error code.(AAP-37024)
  • Fixed an issue where temporary receptor files were not being cleaned up on nodes.(AAP-36903)

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

Release date: December 3, 2025

Component versions:

  • Automation controller 4.5.13
  • Automation hub 4.9.2
  • Event-Driven Ansible controller 1.0.7
  • Receptor 1.5.1
  • Ansible Automation Platform-collection installer (online) 2.4-8
  • Ansible Automation Platform-collection installer (offline) 2.4-8
  • Red Hat Ansible Lightspeed 2.4.241127

CSV Versions in this release:

  • Namespace-scoped Bundle: aap-operator.v2.4.0-0.1733185647
  • Cluster-scoped Bundle: aap-operator.v2.4.0-0.1733186

8.17.1. Enhancements

8.17.1.1. Ansible Automation Platform

  • Red Hat Ansible Lightspeed has been updated to 2.4.241127.

8.17.1.2. Ansible Automation Platform Operator

  • With this update you can set PostgreSQL SSL/TLS mode to verify-full or verify-ca with the proper sslrootcert configuration in the automation hub Operator.

8.17.1.3. Automation controller

  • With this update, support was added for receiving webhooks from Bitbucket Data Center. Additionally, support was added for posting build statuses back.

8.17.1.4. RPM-based Ansible Automation Platform

  • The 2.4-8 installer can restore a backup created with 2.4-8 or later, but cannot restore backups created with 2.4-1 to 2.4-7. The 2.4-7 installer can restore backups created with 2.4-1 to 2.4-7. Ensure that you make a backup before and after the upgrade to 2.4-8 or later.
  • With this update, installer tasks that include CA or key information are obfuscated.

8.17.2. Bug fixes

8.17.2.1. General

With this update, the following CVEs have been addressed:

  • CVE-2024-9902 ansible-core: Ansible-core user can read or write unauthorized content.
  • CVE-2024-8775 ansible-core: Exposure of sensitive information in Ansible vault files due to improper logging.
  • CVE-2024-45801 automation-controller: XSS vulnerability via prototype pollution.
  • CVE-2024-45296 automation-controller: Backtracking regular expressions causes ReDoS.
  • CVE-2024-52304 automation-controller: aiohttp vulnerable to request smuggling due to wrong parsing of chunk extensions.

8.17.2.2. Ansible Automation Platform

  • The Notification List no longer errors when notifications have a missing or null organization field.

8.17.2.3. Ansible Automation Platform Operator

  • Fixed a parsing issue with the node_selector parameter so it is now correctly evaluated as a dictionary.
  • The /var/log/tower directory is now pre-created by mounting an emptyDir so the directory exists and web logging does not throw a permission error.

8.17.2.4. Automation controller

  • Fixed job schedules running at the wrong time when the rrule interval was set to HOURLY or MINUTELY.
  • Fixed an issue where sensitive data was displayed in the job output.
  • With this update, you can now save a constructed inventory when verbosity is greater than 2.
  • Fixed an issue where unrelated jobs could be marked as a dependency of other jobs.
  • Fixed an issue where Thycotic secret server credentials form fields were mismatched.

8.17.2.5. Execution environments

  • ansible.utils collection has been updated to 5.1.2.

8.17.2.6. Receptor

  • Fixed an issue that caused a receptor runtime panic error.

8.17.2.7. RPM-based Ansible Automation Platform

  • Fixed an issue where the metrics-utility command failed to run after updating automation controller.
  • Fixed an issue where the dispatcher service went into FATAL status and failed to process new jobs after a database outage.
  • With this update, the receptor data directory can now be configured using the receptor_datadir variable.
  • Fixed an issue that caused wrong IDs for RBAC in the database following a backup restore.

8.18. RPM releases

Table 8.1. Component versions per errata advisory
Errata advisory | Component versions

RHSA-2024:7312
Sep 27, 2024

  • ansible-automation-platform-installer 2.4-7.1
  • ansible-core 2.15.12
  • Automation controller 4.5.12
  • Automation hub 4.9.2
  • Event-Driven Ansible 1.0.7

RHSA-2024:6765
Sep 18, 2024

  • ansible-automation-platform-installer 2.4-7.1
  • ansible-core 2.15.12
  • Automation controller 4.5.11
  • Automation hub 4.9.2
  • Event-Driven Ansible 1.0.7

RHSA-2024:6428
Sep 5, 2024

  • ansible-automation-platform-installer 2.4-7.1
  • ansible-core 2.15.12
  • Automation controller 4.5.10
  • Automation hub 4.9.2
  • Event-Driven Ansible 1.0.7

RHSA-2024:4522
Jul 12, 2024

  • ansible-automation-platform-installer 2.4-7.1
  • ansible-core 2.15.12
  • Automation controller 4.5.8
  • Automation hub 4.9.2
  • Event-Driven Ansible 1.0.7

RHSA-2024:3781
Jun 10, 2024

  • ansible-automation-platform-installer 2.4-7.1
  • ansible-core 2.15.11
  • Automation controller 4.5.7
  • Automation hub 4.9.2
  • Event-Driven Ansible 1.0.7

RHSA-2024:7312

8.18.1.1. General

With this update, the following CVEs have been addressed:

  • CVE-2024-21520 - Cross-site Scripting (XSS) through break_long_headers.

    • Packages updated: automation-controller: djangorestframework.
  • CVE-2024-37891 - proxy-authorization request header is not stripped during cross-origin redirects.

    • Packages updated: automation-controller: urllib3.
  • CVE-2024-41810 - Reflected XSS by HTML injection in redirect response.

    • Packages updated: automation-controller.

8.18.1.2. Automation controller

  • Fixed Galaxy credentials to be correctly ordered when assigning them by using 'ansible.controller.organization' (AAP-31398).
  • Fixed gather analytics failure caused by missing '_unpartitioned_main_jobevent' table (AAP-31053).

RHSA-2024:6765

8.18.2.1. General

With this update, the following CVEs have been addressed:

  • CVE-2024-7143 - RBAC permissions incorrectly assigned in tasks that create objects.

    • Packages updated: python-pulpcore and python39-pulpcore.
  • CVE-2024-37891 - proxy-authorization request header is not stripped during cross-origin redirects.

    • Packages updated: python-urllib3: urllib3.
  • CVE-2024-24788 - malformed DNS message can cause an infinite loop.

    • Packages updated: receptor: golang: net.
  • CVE-2024-24790 - unexpected behavior from Is methods for IPv4-mapped IPv6 addresses.

    • Packages updated: receptor: golang: net and receptor: golang: netip.

8.18.2.2. Automation controller

  • Updated the shipping analytics data fallback to use the Red Hat Subscription Manager subscription credentials if analytics gathering is enabled (AAP-30228).
  • Upgraded the 'channels-redis' library to fix Redis connection leaks (AAP-30124).

RHSA-2024:6428

8.18.3.1. General

  • Gunicorn python package will no longer obsolete itself when checking for or applying updates (AAP-28364).

With this update, the following CVEs have been addressed:

  • CVE-2024-42005 - potential SQL injection in QuerySet.values() and values_list().

    • Packages updated: automation-controller: Django, python3-django, and python39-django.
  • CVE-2024-41991 - potential denial of service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget.

    • Packages updated: automation-controller: Django, python3-django, and python39-django.
  • CVE-2024-41990 - potential denial of service vulnerability in django.utils.html.urlize().

    • Packages updated: automation-controller: Django, python3-django, and python39-django.
  • CVE-2024-33663 - algorithm confusion with OpenSSH ECDSA keys and other key formats.

    • Packages updated: automation-controller: python-jose.
  • CVE-2024-32879 - improper handling of case sensitivity in social-auth-app-django.

    • Packages updated: automation-controller: python-social-auth.
  • CVE-2024-6840 - gain access to the Kubernetes API server through job execution with container group.

    • Packages updated: automation-controller.
  • CVE-2024-41989 - memory exhaustion in django.utils.numberformat.floatformat().

    • Packages updated: python3-django and python39-django.
  • CVE-2024-39614 - Potential denial of service in django.utils.translation.get_supported_language_variant().

    • Packages updated: python3-django and python39-django.
  • CVE-2024-39330 - Potential directory-traversal in django.core.files.storage.Storage.save().

    • Packages updated: python3-django and python39-django.
  • CVE-2024-39329 - Username enumeration through timing difference for users with unusable passwords.

    • Packages updated: python3-django and python39-django.
  • CVE-2024-38875 - Potential denial of service in django.utils.html.urlize().

    • Packages updated: python3-django and python39-django.
  • CVE-2024-7246 - Client communicating with an HTTP/2 proxy can poison the HPACK table between the proxy and the backend.

    • Packages updated: python3-grpcio and python39-grpcio.
  • CVE-2024-5569 - denial of service (infinite loop) through crafted .zip file.

    • Packages updated: python3-zipp and python39-zipp.

8.18.3.2. Automation controller

  • Updated the receptor to not automatically release the receptor work unit when RECEPTOR_KEEP_WORK_ON_ERROR is set to true (AAP-27635).
  • Updated the Help link in the REST API to point to the latest API reference documentation (AAP-27573).
  • Fixed a timeout error in the UI when trying to load the Activity Stream with a large number of activity records (AAP-26772).

8.18.3.3. Automation hub

  • The API browser now correctly escapes JSON values (AAH-3272, AAP-14463).

RHSA-2024:4522

8.18.4.1. General

With this update, the following CVEs have been addressed:

  • CVE-2024-34064 - Jinja accepts keys containing non-attribute characters.

    • Packages updated: automation-controller: jinja2.
  • CVE-2024-28102 - malicious JWE token can cause denial of service.

    • Packages updated: automation-controller: jwcrypto.
  • CVE-2024-35195 - many requests to the same host ignore cert verification.

    • Packages updated: automation-controller: requests.

8.18.4.2. Automation controller

  • Fixed a bug where the controller does not respect DATABASES['OPTIONS'] setting, if specified (AAP-26398).
  • Changed all uses of ImplicitRoleField to perform an on_delete=SET_NULL (AAP-25136).
  • Fixed the HostMetric automated counter to display the correct values (AAP-25115).
  • Added Django logout redirects (AAP-24543).
  • Updated the dispatcher to make the database password optional in order to support PostgreSQL authentication methods that do not require them (AAP-22231).

RHSA-2024:3781

8.18.5.1. General

  • Added the automation-controller-cli package to the ansible-developer RPM repositories (AAP-23368).

With this update, the following CVEs have been addressed:

  • CVE-2023-45288 - unlimited number of CONTINUATION frames causes a denial of service (DoS).

    • Packages updated: receptor: golang: net/http, x/net/http2.
  • CVE-2023-45290 - memory exhaustion in Request.ParseMultipartForm.

    • Packages updated: receptor: golang: net/http.
  • CVE-2023-49083 - null-pointer dereference when loading PKCS7 certificates.

    • Packages updated: python3-cryptography and python39-cryptography.
  • CVE-2023-50447 - arbitrary code execution with the environment parameter.

    • Packages updated: python3-pillow and python39-pillow.
  • CVE-2024-1135 - HTTP Request Smuggling due to improper validation of Transfer-Encoding headers.

    • Packages updated: python3-gunicorn and python39-gunicorn.
  • CVE-2024-21503 - regular expression denial of service (ReDoS) with the lines_with_leading_tabs_expanded() function within the strings.py file.

    • Packages updated: python3-black and python39-black.
  • CVE-2024-24783 - verify panics on certificates with an unknown public key algorithm.

    • Packages updated: receptor: golang: crypto/x509.
  • CVE-2024-26130 - NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override.

    • Packages updated: python3-cryptography and python39-cryptography.
  • CVE-2024-27306 - cross-site scripting (XSS) on index pages for static file handling.

    • Packages updated: python3-aiohttp and python39-aiohttp.
  • CVE-2024-27351 - potential ReDoS in django.utils.text.Truncator.words().

    • Packages updated: automation-controller: Django.
  • CVE-2024-28219 - buffer overflow in _imagingcms.c.

    • Packages updated: python3-pillow and python39-pillow.
  • CVE-2024-28849 - possible credential leak.

    • Packages updated: python3-galaxy-ng: follow-redirects, python39-galaxy-ng: follow-redirects, and automation-hub: follow-redirects.
  • CVE-2024-30251 - DoS when trying to parse malformed POST requests.

    • Packages updated: python3-aiohttp, python39-aiohttp, and automation-controller: aiohttp.
  • CVE-2024-32879 - improper handling of case sensitivity in social-auth-app-django.

    • Packages updated: python3-social-auth-app-django and python39-social-auth-app-django.
  • CVE-2024-34064 - xmlattr filter accepts keys containing non-attribute characters.

    • Packages updated: python3-jinja2 and python39-jinja2.
  • CVE-2024-35195 - additional requests to the same host ignore cert verification.

    • Packages updated: python3-requests and python39-requests.
  • CVE-2024-3651 - potential DoS with resource consumption through specially crafted inputs to idna.encode().

    • Packages updated: python3-idna and python39-idna.
  • CVE-2024-3772 - ReDoS with a crafted email string.

    • Packages updated: python3-pydantic, python39-pydantic, and automation-controller: python-pydantic.
  • CVE-2024-4340 - parsing a heavily nested list leads to a DoS.

    • Packages updated: python3-sqlparse and python39-sqlparse.
  • CVE-2023-5752 - Mercurial configuration injection in repository revision when installing with pip.

    • Packages updated: automation-controller: pip.

8.18.5.2. Automation controller

  • Fixed a Redis connection leak on automation controller version 4.5.6 (AAP-24286).
  • Fixed the #! interpreter directive, also known as shebang, for the Python uwsgitop script (AAP-22461).

8.18.5.3. Automation hub

  • With this update, fetching a list of users for a namespace does not include group members (AAH-3121).
  • Fixed an issue that caused a "Calculated digest does not equal passed in digest" error when syncing the community repository (AAH-3111).
  • Fixed an issue where syncing a rh-certified repository after updating automation hub to the latest version failed (AAH-3218).

8.18.5.4. Event-Driven Ansible

  • Added support for the SAFE_PLUGINS_FOR_PORT_FORWARD setting for eda-server to the installation program (AAP-21620).
  • With this update, eda-server now opens the ports for a rulebook that has a source plugin that requires inbound connections only if that plugin is allowed in the settings (AAP-17416).
  • Fixed an issue where an activation could not be started after reaching a limit of 2048 pods due to a wrong cleanup of volumes (AAP-21065).
  • Fixed an issue where some activations failed due to a wrong cleanup of volumes (AAP-22132).
  • With this release, activation-worker and worker targets now correctly stop worker services independently of other required Event-Driven Ansible services (AAP-23735).

RHSA-2024:1057

8.18.6.1. Automation hub

  • Displays the download count for each collection in automation hub (AAP-18298).

8.18.6.2. Event-Driven Ansible

  • Added a parameter to control the number of running activations per Event-Driven Ansible worker service (AAP-20672).
  • Added EDA_CSRF_TRUSTED_ORIGINS, which can be set by user input or defined based on the allowed hostnames that are determined by the installer (AAP-20244).
  • Event-Driven Ansible installation now fails when the pre-existing automation controller version is 4.4.0 or older (AAP-20241).
  • Added the podman_containers_conf_logs_max_size variable for containers.conf to control the max log size for Podman installations. The default value is 10 MiB (AAP-19775).
  • Setting the Event-Driven Ansible debug flag to false now correctly disables Django debug mode (AAP-19577).
  • XDG_RUNTIME_DIR is now defined when applying Event-Driven Ansible linger settings for Podman (AAP-19265).
  • Fixed the Event-Driven Ansible nginx config when using a custom https port (AAP-19137).
  • Some features in this release are classified as Developer Preview, including LDAP authentication functionality for Event-Driven Ansible. For more information about these Event-Driven Ansible Developer Preview features, see Event-Driven Ansible - Developer Preview.

RHSA-2024:0733

8.18.7.1. Automation controller

  • Fixed an error that caused rsyslogd to stop sending events to Splunk HTTP Collector (AAP-19069).

8.18.7.2. Automation hub

  • Automation hub now uses system crypto-policies in nginx (AAP-18974).

8.18.7.3. Event-Driven Ansible

  • Fixed an error that caused a manual installation failure when pinning Event-Driven Ansible to an older version (AAP-19399).

RHBA-2024:0104

8.18.8.1. General

  • Fixed conditional code statements to align with changes from ansible-core issue #82295 (AAP-19099).
  • Fixed an issue which caused the update-ca-trust handler to be skipped for execution nodes in controller (AAP-18911).
  • Improved the error pages for automation controller (AAP-18840).
  • Implemented libffi fix to avoid uWSGI core dumps on failed import (AAP-18196).
  • Fixed an issue with checking the license type following an upgrade caused by an earlier incomplete upgrade (AAP-17615).
  • Postgres certificates are now temporarily copied when checking the Postgres version for SSL mode verify-full (AAP-15374).

RHBA-2023:7460

8.18.9.1. General

  • Fixed an error which caused the incorrect target database to be selected when restoring Event-Driven Ansible from a backup (AAP-18151).
  • Postgres tasks that create users in FIPS environments now use scram-sha-256 (AAP-17516).
  • All Event-Driven Ansible services are enabled after installation is complete (AAP-17426).
  • Ensure all backup and restore staged files and directories are cleaned up before running a backup or restore. You must also mark the files for deletion after a backup or restore (AAP-16101).
  • Updated nginx to 1.22 (AAP-15962).
  • Added a task to VMs that will run the awx-manage command to pre-create events table partitions before executing pg_dump and added a variable for the default number of hours to pre-create (AAP-15920).

8.18.9.2. Event-Driven Ansible

  • Fixed the automation controller URL check when installing Event-Driven Ansible without controller (AAP-18169).
  • Added a separate worker queue for Event-Driven Ansible activations to not interfere with application tasks such as project updates (AAP-14743).

RHBA-2023:5347

8.18.10.1. General

  • The installer now properly generates a new SECRET_KEY for controller when running setup.sh with the -k option (AAP-15565).
  • Added temporary file cleanup for Podman to prevent a "cannot re-exec process" error during job execution (AAP-15248).
  • Added new variables for additional nginx configurations per component (AAP-15124).
  • The installer now correctly enforces only one Event-Driven Ansible host per Ansible Automation Platform installation (AAP-15122).
  • You are now able to sync execution environment images in automation hub to automation controller on upgrade (AAP-15121).
  • awx user configuration now supports rootless Podman (AAP-15072).
  • You can now mount the /var/lib/awx directory as a separate filesystem on execution nodes (AAP-15065).
  • Fixed the linger configuration for an Event-Driven Ansible user (AAP-14745).
  • Fixed the values used for signing installer managed certificates for internal postgres installations (AAP-14236).
  • Subject alt names for component hosts will now only be checked for signing certificates when https is enabled (AAP-14235).
  • Fixed postgres sslmode for verify-full that affected external postgres and postgres signed for 127.0.0.1 for internally managed postgres (AAP-13962).
  • Updated the inventory file to include SSL key and cert parameters for provided SSL web certificates (AAP-13854).
  • Fixed an issue with the awx-rsyslogd process where it starts with the wrong user (AAP-13664).
  • Fixed an issue where the restore process failed to stop pulpcore-worker services on RHEL 9 (AAP-13297).
  • Podman configurations are now correctly aligned to the Event-Driven Ansible home directory (AAP-13289).

8.19. Installer releases

Table 8.2. Component versions per installation bundle
Installation bundle | Component versions

2.4-7.4
October 01, 2024

  • ansible-core 2.15.12
  • Automation controller 4.5.12
  • Automation hub 4.9.2
  • Event-Driven Ansible 1.0.7

2.4-7.3
September 19, 2024

  • ansible-core 2.15.12
  • Automation controller 4.5.11
  • Automation hub 4.9.2
  • Event-Driven Ansible 1.0.7

2.4-7.2
September 06, 2024

  • ansible-core 2.15.12
  • Automation controller 4.5.10
  • Automation hub 4.9.2
  • Event-Driven Ansible 1.0.7

2.4-7.1
July 15, 2024

  • ansible-core 2.15.12
  • Automation controller 4.5.8
  • Automation hub 4.9.2
  • Event-Driven Ansible 1.0.7

2.4-7
June 12, 2024

  • ansible-core 2.15.11
  • Automation controller 4.5.7
  • Automation hub 4.9.2
  • Event-Driven Ansible 1.0.7

RHBA-2024:7454

RHBA-2024:6877

RHBA-2024:6492

RHBA-2024:4555

RHBA-2024:3871

RHBA-2024:2074

8.19.6.1. General

  • Resolved a race condition that occurred when there were many nearly simultaneous uploads of the same collection. (AAH-2699)

8.19.6.2. Automation controller

  • Fixed a database connection leak that occurred when the wsrelay main asyncio loop crashes. (AAP-22938)

RHBA-2024:1672

8.19.7.1. General

  • Fixed an issue where worker nodes became unavailable and stuck in a running state (AAP-21828).
  • automation-controller: axios: Exposure of confidential data stored in cookies (CVE-2023-45857)
  • python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words() (CVE-2024-27351)
  • receptor: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
  • automation-controller: python-aiohttp: HTTP request smuggling (CVE-2024-23829)
  • automation-controller: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
  • python3x-aiohttp: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
  • python-aiohttp: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
  • automation-controller: Django: denial of service in intcomma template filter (CVE-2024-24680)
  • automation-controller: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
  • automation-controller: python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)
  • receptor: golang: net/http/internal: Denial of service by resource consumption through HTTP requests (CVE-2023-39326)
  • automation-controller: python-aiohttp: Issues in HTTP parser with header parsing (CVE-2023-47627)
  • automation-controller: GitPython: Blind local file inclusion (CVE-2023-41040)
  • automation-controller: python-twisted: Disordered HTTP pipeline response in twisted.web (CVE-2023-46137)

8.19.7.2. Automation controller

  • The update execution environment image no longer fails with jobs that use the previous image (AAP-21733).
  • Replaced string validation of English literals with error codes to allow for universal validation and comparison (AAP-21721).
  • The dispatcher now appropriately ends child processes when the dispatcher terminates (AAP-21049).
  • Fixed a bug where schedule prompted variables and survey answers were reset in edit mode when changing one of the basic form fields (AAP-20967).
  • The upgrade from Ansible Tower 3.8.6 to Ansible Automation Platform 2.4 no longer fails after a database schema migration (AAP-19738).
  • Fixed a bug in OpenShift Container Platform deployments that caused the controller task container to restart (AAP-21308).

RHBA-2024:1158

8.19.8.1. General

  • python-django: Django: denial-of-service in intcomma template filter (CVE-2024-24680)
  • pycryptodomex: pycryptodome: Side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex (CVE-2023-52323)
  • python3x-jinja2: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
  • python-jinja2: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
  • python3x-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
  • python-aiohttp: aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
  • python3x-aiohttp: aiohttp: HTTP request modification (CVE-2023-49081)
  • python3x-aiohttp: python-aiohttp: Issues in HTTP parser with header parsing (CVE-2023-47627)
  • python-aiohttp: Issues in HTTP parser with header parsing (CVE-2023-47627)
  • python3x-pillow: python-pillow: Uncontrolled resource consumption when text length in an ImageDraw instance operates on a long text argument (CVE-2023-44271)
  • python-pillow: Uncontrolled resource consumption when text length in an ImageDraw instance operates on a long text argument (CVE-2023-44271)

8.19.8.2. Event-Driven Ansible

  • event_driven: Ansible Automation Platform: Insecure WebSocket used when interacting with Event-Driven Ansible server (CVE-2024-1657).

RHBA-2023:6831

8.19.9.1. General

  • python3-urllib3/python39-urllib3: Cookie request header is not stripped during cross-origin redirects (CVE-2023-43804)

8.19.9.2. Automation controller

  • automation-controller: Django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
  • Customers using the infra.controller_configuration collection (which uses ansible.controller collection) to update their Ansible Automation Platform environment no longer receive an HTTP 499 response (AAP-17422).

RHBA-2023:5886

8.19.10.1. General

  • receptor: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • receptor: golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)

8.19.10.2. Automation controller

  • receptor: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

RHBA-2023:5812

8.19.11.1. General

  • ansible-core: malicious role archive can cause ansible-galaxy to overwrite arbitrary files (CVE-2023-5115)
  • python3-django/python39-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)

8.19.11.2. Automation controller

  • Added a new Subscription Usage page to the controller UI to view historical usage of licenses (AAP-16983).
  • automation-controller: Django: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri() (CVE-2023-41164)

RHBA-2023:5653

8.19.12.1. General

  • Updated ansible-lint to include an offline mode, which is enabled by default, to prevent outbound network calls (AAH-2606).

8.19.12.2. Automation controller

  • Fixed settings lookup to no longer leave some services in a supervisord FATAL unresponsive state (AAP-16460).
  • Replaced the SQL commands for creating a partition with the use of ATTACH PARTITION to avoid exclusive table lock on event tables (AAP-16350).
  • Fixed settings to allow simultaneous use of SOCIAL_AUTH_SAML_ORGANIZATION_ATTR and SOCIAL_AUTH_SAML_ORGANIZATION_MAP for a given organization (AAP-16183).
  • Fixed Content Security Policy (CSP) to enable Pendo retrieval (AAP-16057).
  • Updated the Thycotic DevOps Secrets Vault credential plugin to allow for filtering based on secret_field (AAP-15695).

RHBA-2023:5140

8.19.13.1. Automation controller

  • Fixed a bug that caused a deadlock on shutdown when Redis was unavailable (AAP-14203).
  • The login form no longer supports autocomplete on the password field due to security concerns (AAP-15545).
  • automation-controller: cryptography: memory corruption via immutable objects (CVE-2023-23931)
  • automation-controller: GitPython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)
  • python3-gitpython/python39-gitpython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)

RHBA-2023:4782

8.19.14.1. Automation controller

  • automation-controller: python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)
  • automation-controller: python-django: Potential denial-of-service vulnerability in file uploads (CVE-2023-24580)
  • Changing credential types by using the drop-down list in the Launch prompt window no longer causes the screen to disappear (AAP-11444).
  • Upgraded python dependencies which include upgrades from Django 3.2 to 4.2.3, psycopg2 to psycopg3, and additional libraries as needed. Also added a new setting in the UI exposing the CSRF_TRUSTED_ORIGIN settings (AAP-12345).
  • Fixed slow database UPDATE statements on the job events table which could cause a task manager timeout (AAP-12586).
  • Fixed an issue where adding a new label to a job through the Prompt On Launch option would not add the label to the job details (AAP-14204).
  • Added noopener and noreferrer attributes to controller UI links that were missing these attributes (AAP-14345).
  • Fixed the broken User Guide link in the Edit Subscription Details page (AAP-14375).
  • Turned off auto-complete on the remaining controller UI forms that were missing that attribute (AAP-14442).
  • The Add button on the credentials page is now accessible for users with the correct permissions (AAP-14525).
  • Fixed an unexpected error that occurred when adding a new host while using a manifest with size 10 (AAP-14675).
  • Applied environment variables from the AWX_TASK_ENV setting when running credential lookup plugins (AAP-14683).
  • Interrupted jobs (such as canceled jobs) no longer clear facts from hosts if the job ran on an execution node (AAP-14878).
  • Using a license that is missing a usage attribute no longer returns a 400 error (AAP-14880).
  • Fixed sub-keys under data from HashiCorp Vault Secret Lookup responses to check for secrets, if found (AAP-14946).
  • Fixed Ansible facts to retry saving to hosts if there is a database deadlock (AAP-15021).

8.19.14.2. Event-Driven Ansible

  • automation-eda-controller: token exposed at importing project (CVE-2023-4380)
  • python3-cryptography/python39-cryptography: memory corruption via immutable objects (CVE-2023-23931)
  • python3-requests/python39-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)
  • Contributor and editor roles now have permissions to access users and set the AWX token (AAP-11573).
  • The onboarding wizard now requests controller token creation (AAP-11907).
  • Corrected the filtering capability of the Rule Audit screens so that a search yields results with the starts with function (AAP-11987).
  • Enabling or disabling rulebook activation no longer increases the restarts counter by 1 (AAP-12042).
  • Filtering by a text string now displays all applicable items in the UI, including those that are not visible in the list at that time (AAP-12446).
  • Audit records are no longer missing when running activations with multiple jobs (AAP-12522).
  • The event payload is no longer missing key attributes when a job template fails (AAP-12529).
  • Fixed the Git token leak that occurs when importing a project fails (AAP-12767).
  • The restart policy in Kubernetes (k8s) now restarts a successful activation that is incorrectly marked as failed (AAP-12862).
  • Activation statuses are now reported correctly, whether you are disabling or enabling them (AAP-12896).
  • When the run_job_template action fails, ansible-rulebook prints an error log in the activation output and creates an entry in rule audit so the user is alerted that the rule has failed (AAP-12909).
  • When a user tries to bulk delete rulebook activations from the list, the request now completes successfully and consistently (AAP-13093).
  • The Rulebook Activation link now functions correctly in the Rule Audit Detail UI (AAP-13182).
  • The ansible-rulebook now only connects to the controller if the rulebook being processed has a run_job_template action (AAP-13209).
  • Fixed a bug where some audit rule records had the wrong rulebook link (AAP-13844).
  • Fixed a bug where only the first 10 audit rules had the right link (AAP-13845).
  • Before this update, project credentials could not be updated if there was a change to the credential used in the project. With this update, credentials can be updated in a project with a new or different credential (AAP-13983).
  • The User Access section of the navigation panel no longer disappears after creating a decision environment (AAP-14273).
  • Fixed a bug where filtering for audit rules did not work properly on OpenShift Container Platform (AAP-14512).

RHBA-2023:4621

8.19.15.1. Automation controller

  • automation controller: HTML injection in custom login info (CVE-2023-3971)
  • Organization admin users are no longer shown an error on the Instances list (AAP-11195).
  • Fixed the workflow job within the workflow approval to display the correct details (AAP-11433).
  • Credential name search in the ad hoc commands prompt no longer requires case-sensitive input (AAP-11442).
  • The Back to list button in the controller UI now maintains previous search filters (AAP-11527).
  • Topology view and Instances are only available as sidebar menu options to System Administrators and System Auditors (AAP-11585).
  • Fixed the frequency of the scheduler to run on the correct day of the week as specified by the user (AAP-11776).
  • Fixed an issue with slow database UPDATE statements when using nested tasks (include_tasks) causing task manager timeout (AAP-12586).
  • Added the ability to add execution and hop nodes to VM-based controller installations from the UI (AAP-12849).
  • Added the awx-manage command for creating future events table partitions (AAP-12907).
  • Re-enabled Pendo support by providing the correct Pendo API key (AAP-13415).
  • Added the ability to filter teams by using partial names in the dialog for granting teams access to a resource (AAP-13557).
  • Fixed a bug where a weekly rrule string without a BYDAY value would result in the UI throwing a TypeError (AAP-13670).
  • Fixed a server error that occurred when deleting workflow jobs that ran before the event partitioning migration (AAP-13806).
  • Added API reference documentation for the new bulk API endpoint (AAP-13980).
  • Fixed an issue where related items were not visible in some cases. For example, job template instance groups, organization galaxy credentials, and organization instance groups (AAP-14057).

RHBA-2023:4288

8.19.16.1. Automation hub

  • Fixed an issue by using a GPG key with a passphrase for signing services (AAH-2445).

8.20. Ansible plug-ins for Red Hat Developer Hub

8.20.1. 1.2 (March 2025)

The following updates were introduced in Ansible plug-ins for Red Hat Developer Hub 1.2:

  • Improvements in error handling and logging for collection and playbook project scaffolder.
  • Updates to the backstage-rhaap-backend plugin for compatibility with RHDH 1.4.

The technology preview release of Ansible plug-ins for Red Hat Developer Hub provides links to the following curated content:

  • Learning paths

    • Introduction to Ansible
    • Getting started with the Ansible VS Code extension
    • YAML Essentials for Ansible
    • Getting started with Ansible playbooks
    • Getting started with Content Collections
    • Ansible plug-ins for Red Hat Developer Hub user guide
  • Interactive labs

    • Getting started with Ansible Navigator
    • Getting started with Ansible Builder
    • Writing your first playbook
    • Signing Ansible Content Collections with Private Automation Hub

      Note

      Learning paths and interactive labs are hosted on developers.redhat.com for the tech preview. Customers must sign up for a Red Hat Developer account to access them.

  • Software templates

    • Create Ansible Collection Project
    • Create Ansible Playbook Project
  • Documentation updates

    • Installing Ansible plug-ins for Red Hat Developer Hub
    • Using Ansible plug-ins for Red Hat Developer Hub

Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

© 2026 Red Hat