Chapter 8. Asynchronous updates
Security, bug fix, and enhancement updates for Ansible Automation Platform 2.4 are released as asynchronous erratas. All Ansible Automation Platform erratas are available on the Download Red Hat Ansible Automation Platform page in the Customer Portal.
As a Red Hat Customer Portal user, you can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, you receive notifications through email whenever new erratas relevant to your registered systems are released.
Red Hat Customer Portal user accounts must have systems registered and consuming Ansible Automation Platform entitlements for Ansible Automation Platform errata notification emails to generate.
The Asynchronous updates section of the release notes will be updated over time to give notes on enhancements and bug fixes for asynchronous errata releases of Ansible Automation Platform 2.4.
Additional resources
- For more information about asynchronous errata support in Ansible Automation Platform, see Red Hat Ansible Automation Platform Life Cycle.
- For information about Common Vulnerabilities and Exposures (CVEs), see What is a CVE? and Red Hat CVE Database.
8.1. Ansible Automation Platform patch release December 3, 2024
The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.
8.1.1. Enhancements
8.1.1.1. Ansible Automation Platform
- Red Hat Ansible Lightspeed has been updated to 2.4.241127.
8.1.1.2. Ansible Automation Platform Operator
-
With this update you can set PostgreSQL SSL/TLS mode to
verify-full
orverify-ca
with the propersslrootcert
configuration in the automation hub Operator.
8.1.1.3. Automation controller
- With this update, support was added for receiving webhooks from Bitbucket Data Center. Additionally, support was added for posting build statuses back.
8.1.1.4. RPM-based Ansible Automation Platform
- The 2.4-8 installer can restore a backup created with 2.4-8 or later, but cannot restore backups created with 2.4-1 to 2.4-7. The 2.4-7 installer can restore backups created with 2.4-1 to 2.4-7. Ensure that you make a backup before and after the upgrade to 2.4-8 or later.
- With this update, installer tasks that include CA or key information are obfuscated.
8.1.2. Bug fixes
8.1.2.1. General
With this update, the following CVEs have been addressed:
-
CVE-2024-9902
ansible-core
: Ansible-core user can read or write unauthorized content. -
CVE-2024-8775
ansible-core
: Exposure of sensitive information in Ansible vault files due to improper logging. -
CVE-2024-45801
automation-controller
: XSS vulnerability via prototype pollution. -
CVE-2024-45296
automation-controller
: Backtracking regular expressions causes ReDoS. -
CVE-2024-52304
automation-controller
:aiohttp
vulnerable to request smuggling due to wrong parsing of chunk extensions.
8.1.2.2. Ansible Automation Platform
- The Notification List no longer errors when notifications have a missing or null organization field.
8.1.2.3. Ansible Automation Platform Operator
-
Fixed a parsing issue with the
node_selector
parameter so it is now correctly evaluated as a dictionary. -
The
/var/log/tower
directory is now pre-created by mounting anemptyDir
so the directory exists and web logging does not throw a permission error.
8.1.2.4. Automation controller
-
Fixed job schedules running at the wrong time when the
rrule
interval was set toHOURLY
orMINUTELY
. - Fixed an issue where sensitive data was displayed in the job output.
- With this update, you can now save a constructed inventory when verbosity is greater than 2.
- Fixed an issue where unrelated jobs could be marked as a dependency of other jobs.
- Fixed an issue where Thycotic secret server credentials form fields were mis-matched.
8.1.2.5. Execution environments
-
ansible.utils
collection has been updated to 5.1.2.
8.1.2.6. Receptor
- Fixed an issue that caused a receptor runtime panic error.
8.1.2.7. RPM-based Ansible Automation Platform
-
Fixed an issue where the
metrics-utility
command failed to run after updating automation controller. -
Fixed an issue where the dispatcher service went into
FATAL
status and failed to process new jobs after a database outage. -
With this update, the receptor data directory can now be configured using the
receptor_datadir
variable. - Fixed an issue that caused wrong IDs for RBAC in the database following a backup restore.
8.2. RPM releases
Errata advisory | Component versions |
---|---|
RHSA-2024:7312 |
|
RHSA-2024:6765 |
|
RHSA-2024:6428 |
|
RHSA-2024:4522 |
|
RHSA-2024:3781 |
|
8.2.1. RHSA-2024:7312 - Security Advisory - September 27, 2024
8.2.1.1. General
With this update, the following CVEs have been addressed:
CVE-2024-21520 - Cross-site Scripting (XSS) through
break_long_headers
.-
Packages updated:
automation-controller: djangorestframework
.
-
Packages updated:
CVE-2024-37891 -
proxy-authorization
request header is not stripped during cross-origin redirects.-
Packages updated:
automation-controller: urllib3
.
-
Packages updated:
CVE-2024-41810 - Reflected XSS by HTML injection in redirect response.
-
Packages updated:
automation-controller
.
-
Packages updated:
8.2.1.2. Automation controller
- Fixed Galaxy credentials to be correctly ordered when assigning them by using 'ansible.controller.organization' (AAP-31398).
- Fixed gather analytics failure caused by missing '_unpartitioned_main_jobevent' table (AAP-31053).
8.2.2. RHSA-2024:6765 - Security Advisory - September 18, 2024
8.2.2.1. General
With this update, the following CVEs have been addressed:
CVE-2024-7143 - RBAC permissions incorrectly assigned in tasks that create objects.
-
Packages updated:
python-pulpcore
andpython39-pulpcore
.
-
Packages updated:
CVE-2024-37891 - proxy-authorization request header is not stripped during cross-origin redirects.
-
Packages updated:
python-urllib3: urllib3
.
-
Packages updated:
CVE-2024-24788 - malformed DNS message can cause an infinite loop.
-
Packages updated:
receptor: golang: net
.
-
Packages updated:
CVE-2024-24790 - unexpected behavior from
Is
methods for IPv4-mapped IPv6 addresses.-
Packages updated:
receptor: golang: net
andreceptor: golang: netip
.
-
Packages updated:
8.2.2.2. Automation controller
- Updated the shipping analytics data fallback to use the Red Hat Subscription Manager subscription credentials if analytics gathering is enabled (AAP-30228).
- Upgraded the 'channels-redis' library to fix Redis connection leaks (AAP-30124).
8.2.3. RHSA-2024:6428 - Security Advisory - September 05, 2024
8.2.3.1. General
- Gunicorn python package will no longer obsolete itself when checking for or applying updates (AAP-28364).
With this update, the following CVEs have been addressed:
CVE-2024-42005 - potential SQL injection in
QuerySet.values()
andvalues_list()
.-
Packages updated:
automation-controller: Django
,python3-django
, andpython39-django
.
-
Packages updated:
CVE-2024-41991 - potential denial of service vulnerability in
django.utils.html.urlize()
andAdminURLFieldWidget
.-
Packages updated:
automation-controller: Django
,python3-django
, andpython39-django
.
-
Packages updated:
CVE-2024-41990 - potential denial of service vulnerability in
django.utils.html.urlize()
.-
Packages updated:
automation-controller: Django
,python3-django
, andpython39-django
.
-
Packages updated:
CVE-2024-33663 - algorithm confusion with OpenSSH ECDSA keys and other key formats.
-
Packages updated:
automation-controller: python-jose
.
-
Packages updated:
CVE-2024-32879 - improper handling of case sensitivity in
social-auth-app-django
.-
Packages updated:
automation-controller: python-social-auth
.
-
Packages updated:
CVE-2024-6840 - gain access to the Kubernetes API server through job execution with container group.
-
Packages updated:
automation-controller
.
-
Packages updated:
CVE-2024-41989 - memory exhaustion in
django.utils.numberformat.floatformat()
.-
Packages updated:
python3-django
andpython39-django
.
-
Packages updated:
CVE-2024-39614 - Potential denial of service in
django.utils.translation.get_supported_language_variant()
.-
Packages updated:
python3-django
andpython39-django
.
-
Packages updated:
CVE-2024-39330 - Potential directory-traversal in
django.core.files.storage.Storage.save()
.-
Packages updated:
python3-django
andpython39-django
.
-
Packages updated:
CVE-2024-39329 - Username enumeration through timing difference for users with unusable passwords.
-
Packages updated:
python3-django
andpython39-django
.
-
Packages updated:
CVE-2024-38875 - Potential denial of service in
django.utils.html.urlize()
.-
Packages updated:
python3-django
andpython39-django
.
-
Packages updated:
CVE-2024-7246 - Client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend.
-
Packages updated:
python3-grpcio
andpython39-grpcio
.
-
Packages updated:
CVE-2024-5569 - denial of service (infinite loop) through crafted .zip file.
-
Packages updated:
python3-zipp
andpython39-zipp
.
-
Packages updated:
8.2.3.2. Automation controller
-
Updated the receptor to not automatically release the receptor work unit when
RECEPTOR_KEEP_WORK_ON_ERROR
is set to true (AAP-27635). - Updated the Help link in the REST API to point to the latest API reference documentation (AAP-27573).
- Fixed a timeout error in the UI when trying to load the Activity Stream with a large number of activity records (AAP-26772).
8.2.3.3. Automation hub
- The API browser now correctly escapes JSON values (AAH-3272, AAP-14463).
8.2.4. RHSA-2024:4522 - Security Advisory - July 12, 2024
8.2.4.1. General
With this update, the following CVEs have been addressed:
CVE-2024-34064 - Jinja accepts keys containing non-attribute characters.
-
Packages updated:
automation-controller: jinja2
.
-
Packages updated:
CVE-2024-28102 - malicious JWE token can cause denial of service.
-
Packages updated:
automation-controller: jwcrypto
.
-
Packages updated:
CVE-2024-35195 - many requests to the same host ignore cert verification.
-
Packages updated:
automation-controller: requests
.
-
Packages updated:
8.2.4.2. Automation controller
-
Fixed a bug where the controller does not respect
DATABASES['OPTIONS']
setting, if specified (AAP-26398). -
Changed all uses of
ImplicitRoleField
to perform anon_delete=SET_NULL
(AAP-25136). - Fixed the HostMetric automated counter to display the correct values (AAP-25115).
- Added Django logout redirects (AAP-24543).
- Updated the dispatcher to make the database password optional in order to support PostgreSQL authentication methods that do not require them (AAP-22231).
8.2.5. RHSA-2024:3781 - Security Advisory - June 10, 2024
8.2.5.1. General
-
Added the
automation-controller-cli
package to theansible-developer
RPM repositories (AAP-23368).
With this update, the following CVEs have been addressed:
CVE-2023-45288 - unlimited number of CONTINUATION frames causes a denial of service (DoS).
-
Packages updated:
receptor: golang: net/http, x/net/http2
.
-
Packages updated:
CVE-2023-45290 - memory exhaustion in
Request.ParseMultipartForm
.-
Packages updated:
receptor: golang: net/http
.
-
Packages updated:
CVE-2023-49083 - null-pointer dereference when loading PKCS7 certificates.
-
Packages updated:
python3-cryptography
andpython39-cryptography
.
-
Packages updated:
CVE-2023-50447 - arbitrary code execution with the environment parameter.
-
Packages updated:
python3-pillow
andpython39-pillow
.
-
Packages updated:
CVE-2024-1135 - HTTP Request Smuggling due to improper validation of Transfer-Encoding headers.
-
Packages updated:
python3-gunicorn
andpython39-gunicorn
.
-
Packages updated:
CVE-2024-21503 - regular expression denial of service (ReDoS) with the
lines_with_leading_tabs_expanded()
function within thestrings.py
file.-
Packages updated:
python3-black
andpython39-black
.
-
Packages updated:
CVE-2024-24783 - verify panics on certificates with an unknown public key algorithm.
-
Packages updated:
receptor: golang: crypto/x509
.
-
Packages updated:
CVE-2024-26130 - NULL pointer dereference with
pkcs12.serialize_key_and_certificates
when called with a non-matching certificate and private key and anhmac_hash
override.-
Packages updated:
python3-cryptography
andpython39-cryptography
.
-
Packages updated:
CVE-2024-27306 - cross-site scripting (XSS) on index pages for static file handling.
-
Packages updated:
python3-aiohttp
andpython39-aiohttp
.
-
Packages updated:
CVE-2024-27351 - potential ReDoS in
django.utils.text.Truncator.words()
.-
Packages updated:
automation-controller: Django
.
-
Packages updated:
CVE-2024-28219 - buffer overflow in
_imagingcms.c
.-
Packages updated:
python3-pillow
andpython39-pillow
.
-
Packages updated:
CVE-2024-28849 - possible credential leak.
-
Packages updated:
python3-galaxy-ng: follow-redirects
,python39-galaxy-ng: follow-redirects
, andautomation-hub: follow-redirects
.
-
Packages updated:
CVE-2024-30251 - DoS when trying to parse malformed POST requests.
-
Packages updated:
python3-aiohttp
,python39-aiohttp
, andautomation-controller: aiohttp
.
-
Packages updated:
CVE-2024-32879 - improper handling of case sensitivity in
social-auth-app-django
.-
Packages updated:
python3-social-auth-app-django
andpython39-social-auth-app-django
.
-
Packages updated:
CVE-2024-34064 -
xmlattr
filter accepts keys containing non-attribute characters.-
Packages updated:
python3-jinja2
andpython39-jinja2
.
-
Packages updated:
CVE-2024-35195 - additional requests to the same host ignore cert verification.
-
Packages updated:
python3-requests
andpython39-requests
.
-
Packages updated:
CVE-2024-3651 - potential DoS with resource consumption through specially crafted inputs to
idna.encode()
.-
Packages updated:
python3-idna
andpython39-idna
.
-
Packages updated:
CVE-2024-3772 - ReDoS with a crafted email string.
-
Packages updated:
python3-pydantic
,python39-pydantic
, andautomation-controller: python-pydantic
.
-
Packages updated:
CVE-2024-4340 - parsing a heavily nested list leads to a DoS.
-
Packages updated:
python3-sqlparse
andpython39-sqlparse
.
-
Packages updated:
CVE-2023-5752 - Mercurial configuration injection in repository revision when installing with
pip
.-
Packages updated:
automation-controller: pip
.
-
Packages updated:
8.2.5.2. Automation controller
- Fixed a Redis connection leak on automation controller version 4.5.6 (AAP-24286).
-
Fixed the
#!
interpreter directive, also known as shebang, for the Pythonuwsgitop
script (AAP-22461).
8.2.5.3. Automation hub
- With this update, fetching a list of users for a namespace does not include group members (AAH-3121).
- Fixed an issue that caused a "Calculated digest does not equal passed in digest" error when syncing the community repository (AAH-3111).
- Fixed an issue where syncing a rh-certified repository after updating automation hub to the latest version failed (AAH-3218).
8.2.5.4. Event-Driven Ansible
-
Added support for the
SAFE_PLUGINS_FOR_PORT_FORWARD
setting foreda-server
to the installation program (AAP-21620). -
With this update,
eda-server
now opens the ports for a rulebook that has a source plugin that requires inbound connections only if that plugin is allowed in the settings (AAP-17416). - Fixed an issue where an activation could not be started after reaching a limit of 2048 pods due to a wrong cleanup of volumes (AAP-21065).
- Fixed an issue where some activations failed due a wrong cleanup of volumes (AAP-22132).
- With this release, activation-worker and worker targets now correctly stop worker services independently of other required Event-Driven Ansible services (AAP-23735).
8.2.6. RHSA-2024:1057 - Security Advisory - March 01, 2024
8.2.6.1. Automation hub
- Displays the download count for each collection in automation hub (AAP-18298).
8.2.6.2. Event-Driven Ansible
- Added a parameter to control the number of running activations per Event-Driven Ansible worker service (AAP-20672).
-
Added
EDA_CSRF_TRUSTED_ORIGINS
, which can be set by user input or defined based on the allowed hostnames that are determined by the installer (AAP-20244). - Event-Driven Ansible installation now fails when the pre-existing automation controller version is 4.4.0 or older (AAP-20241).
-
Added the
podman_containers_conf_logs_max_size
variable for containers.conf to control the max log size for Podman installations. The default value is 10 MiB (AAP-19775). - Setting the Event-Driven Ansible debug flag to false now correctly disables Django debug mode (AAP-19577).
-
XDG_RUNTIME_DIR
is now defined when applying Event-Driven Ansible linger settings for Podman (AAP-19265). - Fixed the Event-Driven Ansible nginx config when using a custom https port (AAP-19137).
- Some features in this release are classified as Developer Preview, including LDAP authentication functionality for Event-Driven Ansible. For more information about these Event-Driven Ansible Developer Preview features, see Event-Driven Ansible - Developer Preview.
8.2.7. RHSA-2024:0733 - Security Advisory - February 07, 2024
8.2.7.1. Automation controller
-
Fixed an error that caused
rsyslogd
to stop sending events to Splunk HTTP Collector (AAP-19069).
8.2.7.2. Automation hub
- Automation hub now uses system crypto-policies in nginx (AAP-18974).
8.2.7.3. Event-Driven Ansible
- Fixed an error that caused a manual installation failure when pinning Event-Driven Ansible to an older version (AAP-19399).
8.2.8. RHBA-2024:0104 - Bug Fix Advisory - January 11, 2024
8.2.8.1. General
- Fixed conditional code statements to align with changes from ansible-core issue #82295 (AAP-19099).
-
Fixed an issue which caused the
update-ca-trust
handler to be skipped for execution nodes in controller (AAP-18911). - Improved the error pages for automation controller (AAP-18840).
-
Implemented
libffi
fix to avoiduWSGI
core dumps on failed import (AAP-18196). - Fixed an issue with checking the license type following an upgrade caused by earlier incomplete upgrade (AAP-17615).
-
Postgres certificates are now temporarily copied when checking the Postgres version for SSL mode
verify-full
(AAP-15374).
8.2.9. RHBA-2023:7460 - Bug Fix Advisory - November 21, 2023
8.2.9.1. General
- Fixed an error which caused the incorrect target database to be selected when restoring Event-Driven Ansible from a backup (AAP-18151).
-
Postgres tasks that create users in FIPS environments now use
scram-sha-256
(AAP-17516). - All Event-Driven Ansible services are enabled after installation is complete (AAP-17426).
- Ensure all backup and restore staged files and directories are cleaned up before running a backup or restore. You must also mark the files for deletion after a backup or restore (AAP-16101).
- Updated nginx to 1.22 (AAP-15962).
-
Added a task to VMs that will run the
awx-manage
command to pre-create events table partitions before executingpg_dump
and added a variable for the default number of hours to pre-create (AAP-15920).
8.2.9.2. Event-Driven Ansible
- Fixed the automation controller URL check when installing Event-Driven Ansible without controller (AAP-18169).
- Added a separate worker queue for Event-Driven Ansible activations to not interfere with application tasks such as project updates (AAP-14743).
8.2.10. RHBA-2023:5347 - Bug Fix Advisory - September 25, 2023
8.2.10.1. General
-
The installer now properly generates a new
SECRET_KEY
for controller when runningsetup.sh
with the-k
option (AAP-15565). -
Added temporary file cleanup for Podman to prevent
cannot re-exec process
error during job execution (AAP-15248). - Added new variables for additional nginx configurations per component (AAP-15124).
- The installer now correctly enforces only one Event-Driven Ansible host per Ansible Automation Platform installation (AAP-15122).
- You are now able to sync execution environment images in automation hub to automation controller on upgrade (AAP-15121).
- awx user configuration now supports rootless Podman (AAP-15072).
-
You can now mount the
/var/lib/awx
directory as a separate filesystem on execution nodes (AAP-15065). - Fixed the linger configuration for an Event-Driven Ansible user (AAP-14745).
- Fixed the values used for signing installer managed certificates for internal postgres installations (AAP-14236).
- Subject alt names for component hosts will now only be checked for signing certificates when https is enabled (AAP-14235).
-
Fixed postgres sslmode for
verify-full
that affected external postgres and postgres signed for 127.0.0.1 for internally managed postgres (AAP-13962). - Updated the inventory file to include SSL key and cert parameters for provided SSL web certificates (AAP-13854).
-
Fixed an issue with the
awx-rsyslogd
process where it starts with the wrong user (AAP-13664). -
Fixed an issue where the restore process failed to stop
pulpcore-worker
services on RHEL 9 (AAP-13297). - Podman configurations are now correctly aligned to the Event-Driven Ansible home directory (AAP-13289).
8.3. Installer releases
Installation bundle | Component versions |
---|---|
2.4-7.4 |
|
2.4-7.3 |
|
2.4-7.2 |
|
2.4-7.1 |
|
2.4-7 |
|
8.3.1. RHBA-2024:7454 - bundle installer release 2.4-7.4 - October 01, 2024
8.3.2. RHBA-2024:6877 - bundle installer release 2.4-7.3 - September 19, 2024
8.3.3. RHBA-2024:6492 - bundle installer release 2.4-7.2 - September 09, 2024
8.3.4. RHBA-2024:4555 - bundle installer release 2.4-7.1 - July 15, 2024
8.3.5. RHBA-2024:3871 - bundle installer release 2.4-7 - June 12, 2024
8.3.6. RHBA-2024:2074 - bundle installer release 2.4-6.2 - April 25, 2024
8.3.6.1. General
- Resolved a race condition that occurred when there were many nearly simultaneous uploads of the same collection. (AAH-2699)
8.3.6.2. Automation controller
-
Fixed a database connection leak that occurred when the
wsrelay
mainasyncio
loop crashes. (AAP-22938)
8.3.7. RHBA-2024:1672 - bundle installer release 2.4-6.1 - April 4, 2024
8.3.7.1. General
- Fixed an issue where worker nodes became unavailable and stuck in a running state (AAP-21828).
- automation-controller: axios: Exposure of confidential data stored in cookies (CVE-2023-45857)
-
python-django: Potential regular expression denial-of-service in
django.utils.text.Truncator.words()
(CVE-2024-27351)
- receptor: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
- automation-controller: python-aiohttp: HTTP request smuggling (CVE-2024-23829)
- python-aiohttp: HTTP request smuggling (CVE-2024-23829)
-
automation-controller: aiohttp:
follow_symlinks
directory traversal vulnerability (CVE-2024-23334)
-
python3x-aiohttp: aiohttp:
follow_symlinks
directory traversal vulnerability (CVE-2024-23334)
-
python-aiohttp: aiohttp:
follow_symlinks
directory traversal vulnerability (CVE-2024-23334)
-
automation-controller: Django: denial of service in
intcomma
template filter (CVE-2024-24680)
-
automation-controller: jinja2: HTML attribute injection when passing user input as keys to
xmlattr
filter (CVE-2024-22195)
- automation-controller: python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)
- receptor: golang: net/http/internal: Denial of service by resource consumption through HTTP requests (CVE-2023-39326)
- automation-controller: python-aiohttp: Issues in HTTP parser with header parsing (CVE-2023-47627)
- automation-controller: GitPython: Blind local file inclusion (CVE-2023-41040)
-
automation-controller: python-twisted: Disordered HTTP pipeline response in
twisted.web
(CVE-2023-46137)
8.3.7.2. Automation controller
- The update execution environment image no longer fails with jobs that use the previous image (AAP-21733).
- Replaced string validation of English literals with error codes to allow for universal validation and comparison (AAP-21721).
- The dispatcher now appropriately ends child processes when the dispatcher terminates (AAP-21049).
- Fixed a bug where schedule prompted variables and survey answers were reset in edit mode when changing one of the basic form fields (AAP-20967).
- The upgrade from Ansible Tower 3.8.6 to Ansible Automation Platform 2.4 no longer fails after a database schema migration (AAP-19738).
- Fixed a bug in OpenShift Container Platform deployments that caused the controller task container to restart (AAP-21308).
8.3.8. RHBA-2024:1158 - bundle installer release 2.4-6 - March 6, 2024
8.3.8.1. General
- python-django: Django: denial-of-service in intcomma template filter (CVE-2024-24680)
- pycryptodomex: pycryptodome: Side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex (CVE-2023-52323)
- python-pygments: pygments: ReDoS in pygments (CVE-2022-40896)
- python3x-jinja2: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
- python-jinja2: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
- python3x-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
- python-aiohttp: aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
- python3x-aiohttp: aiohttp: HTTP request modification (CVE-2023-49081)
- python-aiohttp: aiohttp: HTTP request modification (CVE-2023-49081)
- python3x-aiohttp: python-aiohttp: Issues in HTTP parser with header parsing (CVE-2023-47627)
- python-aiohttp: Issues in HTTP parser with header parsing (CVE-2023-47627)
-
python3x-pillow: python-pillow: Uncontrolled resource consumption when text length in an
ImageDraw
instance operates on a long text argument (CVE-2023-44271)
-
python-pillow: Uncontrolled resource consumption when text length in an
ImageDraw
instance operates on a long text argument (CVE-2023-44271)
8.3.8.2. Event-Driven Ansible
- event_driven: Ansible Automation Platform: Insecure WebSocket used when interacting with Event-Driven Ansible server (CVE-2024-1657).
8.3.9. RHBA-2023:6831 - bundle installer release 2.4-2.4 - November 08, 2023
8.3.9.1. General
- python3-urllib3/python39-urllib3: Cookie request header is not stripped during cross-origin redirects (CVE-2023-43804)
8.3.9.2. Automation controller
- automation-controller: Django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
-
Customers using the
infra.controller_configuration
collection (which usesansible.controller
collection) to update their Ansible Automation Platform environment no longer receive an HTTP 499 response (AAP-17422).
8.3.10. RHBA-2023:5886 - bundle installer release 2.4-2.3 - October 19, 2023
8.3.10.1. General
- receptor: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
- receptor: golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)
8.3.10.2. Automation controller
- receptor: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
8.3.11. RHBA-2023:5812 - bundle installer release 2.4-2.2 - October 17, 2023
8.3.11.1. General
- ansible-core: malicious role archive can cause ansible-galaxy to overwrite arbitrary files (CVE-2023-5115)
- python3-django/python39-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
8.3.11.2. Automation controller
- Added a new Subscription Usage page to the controller UI to view historical usage of licenses (AAP-16983).
- automation-controller: Django: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri() (CVE-2023-41164)
8.3.12. RHBA-2023:5653 - bundle installer release 2.4-2.1 - October 10, 2023
8.3.12.1. General
- Updated ansible-lint to include an offline mode, which is enabled by default, to prevent outbound network calls (AAH-2606).
8.3.12.2. Automation controller
-
Fixed settings lookup to no longer leave some services in a
supervisord
FATAL
unresponsive state (AAP-16460). -
Replaced the SQL commands for creating a partition with the use of
ATTACH PARTITION
to avoid exclusive table lock on event tables (AAP-16350). -
Fixed settings to allow simultaneous use of
SOCIAL_AUTH_SAML_ORGANIZATION_ATTR
andSOCIAL_AUTH_SAML_ORGANIZATION_MAP
for a given organization (AAP-16183). - Fixed Content Security Policy (CSP) to enable Pendo retrieval (AAP-16057).
-
Updated the Thycotic DevOps Secrets Vault credential plugin to allow for filtering based on
secret_field
(AAP-15695).
8.3.13. RHBA-2023:5140 - bundle installer release 2.4-1.4 - September 12, 2023
8.3.13.1. Automation controller
- Fixed a bug that caused a deadlock on shutdown when Redis was unavailable (AAP-14203).
- The login form no longer supports autocomplete on the password field due to security concerns (AAP-15545).
- automation-controller: cryptography: memory corruption via immutable objects (CVE-2023-23931)
- automation-controller: GitPython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)
- python3-gitpython/python39-gitpython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)
8.3.14. RHBA-2023:4782 - bundle installer release 2.4-1.3 - August 28, 2023
8.3.14.1. Automation controller
- automation-controller: python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)
- automation-controller: python-django: Potential denial-of-service vulnerability in file uploads (CVE-2023-24580)
- Changing credential types by using the drop-down list in the Launch prompt window no longer causes the screen to disappear (AAP-11444).
-
Upgraded python dependencies which include upgrades from Django 3.2 to 4.2.3, psycopg2 to psycopg3, and additional libraries as needed. Also added a new setting in the UI exposing the
CSRF_TRUSTED_ORIGIN
settings (AAP-12345). - Fixed slow database UPDATE statements on the job events table which could cause a task manager timeout (AAP-12586).
- Fixed an issue where adding a new label to a job through the Prompt On Launch option would not add the label to the job details (AAP-14204).
-
Added
noopener
andnoreferrer
attributes to controller UI links that were missing these attributes (AAP-14345). - Fixed the broken User Guide link in the Edit Subscription Details page (AAP-14375).
- Turned off auto-complete on the remaining controller UI forms that were missing that attribute (AAP-14442).
- The Add button on the credentials page is now accessible for users with the correct permissions (AAP-14525).
- Fixed an unexpected error that occurred when adding a new host while using a manifest with size 10 (AAP-14675).
-
Applied environment variables from the
AWX_TASK_ENV
setting when running credential lookup plugins (AAP-14683). - Interrupted jobs (such as canceled jobs) no longer clear facts from hosts if the job ran on an execution node (AAP-14878).
-
Using a license that is missing a
usage
attribute no longer returns a 400 error (AAP-14880). -
Fixed sub-keys under
data
from HashiCorp Vault Secret Lookup responses to check for secrets, if found (AAP-14946). - Fixed Ansible facts to retry saving to hosts if there is a database deadlock (AAP-15021).
8.3.14.2. Event-Driven Ansible
- automation-eda-controller: token exposed at importing project (CVE-2023-4380)
- python3-cryptography/python39-cryptography: memory corruption via immutable objects (CVE-2023-23931)
- python3-requests/python39-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)
- Contributor and editor roles now have permissions to access users and set the AWX token (AAP-11573).
- The onboarding wizard now requests controller token creation (AAP-11907).
-
Corrected the filtering capability of the Rule Audit screens so that a search yields results with the
starts with
function (AAP-11987). - Enabling or disabling rulebook activation no longer increases the restarts counter by 1 (AAP-12042).
- Filtering by a text string now displays all applicable items in the UI, including those that are not visible in the list at that time (AAP-12446).
- Audit records are no longer missing when running activations with multiple jobs (AAP-12522).
- The event payload is no longer missing key attributes when a job template fails (AAP-12529).
- Fixed the Git token leak that occurs when importing a project fails (AAP-12767).
- The restart policy in Kubernetes (k8s) now restarts a successful activation that is incorrectly marked as failed (AAP-12862).
- Activation statuses are now reported correctly, whether you are disabling or enabling them (AAP-12896).
-
When the
run_job_template
action fails, ansible-rulebook prints an error log in the activation output and creates an entry in rule audit so the user is alerted that the rule has failed (AAP-12909). - When a user tries to bulk delete rulebook activations from the list, the request now completes successfully and consistently (AAP-13093).
- The Rulebook Activation link now functions correctly in the Rule Audit Detail UI (AAP-13182).
-
The ansible-rulebook now only connects to the controller if the rulebook being processed has a
run_job_template
action (AAP-13209). - Fixed a bug where some audit rule records had the wrong rulebook link (AAP-13844).
- Fixed a bug where only the first 10 audit rules had the right link (AAP-13845).
- Before this update, project credentials could not be updated if there was a change to the credential used in the project. With this update, credentials can be updated in a project with a new or different credential (AAP-13983).
- The User Access section of the navigation panel no longer disappears after creating a decision environment (AAP-14273).
- Fixed a bug where filtering for audit rules did not work properly on OpenShift Container Platform (AAP-14512).
8.3.15. RHBA-2023:4621 - bundle installer release 2.4-1.2 - August 10, 2023
8.3.15.1. Automation controller
- automation controller: Html injection in custom login info (CVE-2023-3971)
- Organization admin users are no longer shown an error on the Instances list (AAP-11195).
- Fixed the workflow job within the workflow approval to display the correct details (AAP-11433).
- Credential name search in the ad hoc commands prompt no longer requires case-sensitive input (AAP-11442).
- The Back to list button in the controller UI now maintains previous search filters (AAP-11527).
- Topology view and Instances are only available as sidebar menu options to System Administrators and System Auditors (AAP-11585).
- Fixed the frequency of the scheduler to run on the correct day of the week as specified by the user (AAP-11776).
- Fixed an issue with slow database UPDATE statements when using nested tasks (include_tasks) causing task manager timeout (AAP-12586).
- Added the ability to add execution and hop nodes to VM-based controller installations from the UI (AAP-12849).
-
Added the
awx-manage
command for creating future events table partitions (AAP-12907). - Re-enabled Pendo support by providing the correct Pendo API key (AAP-13415).
- Added the ability to filter teams by using partial names in the dialog for granting teams access to a resource (AAP-13557).
- Fixed a bug where a weekly rrule string without a BYDAY value would result in the UI throwing a TypeError (AAP-13670).
- Fixed a server error that happened when deleting workflow jobs ran before event partitioning migration (AAP-13806).
- Added API reference documentation for the new bulk API endpoint (AAP-13980).
- Fixed an issue where related items were not visible in some cases. For example, job template instance groups, organization galaxy credentials, and organization instance groups (AAP-14057).
8.3.16. RHBA-2023:4288 - bundle installer release 2.4-1.1 - July 26, 2023
8.3.16.1. Automation hub
-
Fixed issue by using
gpg
key with passphrase for signing services (AAH-2445).
8.4. Ansible plug-ins for Red Hat Developer Hub
8.4.1. 1.0.0 technical preview release (July 2024)
The technology preview release of Ansible plug-ins for Red Hat Developer Hub provides links to the following curated content:
Learning paths
- Introduction to Ansible
- Getting started with the Ansible VS Code extension
- YAML Essentials for Ansible
- Getting started with Ansible playbooks
- Getting started with Content Collections
- Ansible plug-ins for Red Hat Developer Hub user guide
Interactive labs
- Getting started with Ansible Navigator
- Getting started with Ansible Builder
- Writing your first playbook
Signing Ansible Content Collections with Private Automation Hub
NoteLearning paths and interactive labs are hosted on developers.redhat.com for the tech preview. Customers must sign up for a Red Hat Developer account to access them.
Software templates
- Create Ansible Collection Project
- Create Ansible Playbook Project
Documentation updates
- Installing Ansible plug-ins for Red Hat Developer Hub
- Using Ansible plug-ins for Red Hat Developer Hub
Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.