Chapter 9. Patch releases


Security, bug fixes, and enhancements for Ansible Automation Platform 2.5 are released as asynchronous errata. All Ansible Automation Platform errata are available on the Download Red Hat Ansible Automation Platform page.

As a Red Hat Customer Portal user, you can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, you receive notifications through email whenever new errata relevant to your registered systems are released.

Note

Red Hat Customer Portal user accounts must have systems registered and consuming Ansible Automation Platform entitlements for Ansible Automation Platform errata notification emails to generate.

The patch releases section of the release notes will be updated over time to give notes on enhancements and bug fixes for patch releases of Ansible Automation Platform 2.5.

9.1. Ansible Automation Platform patch release December 18, 2024

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

9.1.1. Enhancements

9.1.1.1. Ansible Automation Platform

  • Added help text to all missing fields in Ansible Automation Platform gateway and django-ansible-base. (AAP-37068)
  • Consistently formatted sentence structure for help_text, and provided more context in the help text where it was vague. (AAP-37016)
  • Added dynamic preferences for use by Automation Analytics. (AAP-36710)

    • INSIGHTS_TRACKING_STATE: Enables the service to gather data on automation and send it to Automation Analytics.
    • RED_HAT_CONSOLE_URL: Configures the upload URL for data collection for Automation Analytics.
    • REDHAT_USERNAME: Username used to send data to Automation Analytics.
    • REDHAT_PASSWORD: Password for the account used to send data to Automation Analytics.
    • SUBSCRIPTIONS_USERNAME: Username used to retrieve subscription and content information.
    • SUBSCRIPTIONS_PASSWORD: Password used to retrieve subscription and content information.
    • AUTOMATION_ANALYTICS_GATHER_INTERVAL: Interval in seconds at which Automation Analytics gathers data.
  • Added an enabled flag for turning authenticator maps on or off. (AAP-36709)
  • aap-metrics-utility has been updated to 0.4.1. (AAP-36393)
  • Added the setting trusted_header_timeout_in_ns to timegate X_TRUSTED_PROXY_HEADER validation in the django-ansible-base libraries used by Ansible Automation Platform components. (AAP-36712)
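The trusted_header_timeout_in_ns item above describes timegating a proxy-supplied header: the receiving service accepts the header only if it is authentic and was produced within a bounded window, so a captured header cannot be replayed indefinitely. The Python below is an added illustration of that pattern and is not django-ansible-base code; the header layout ("<timestamp_ns>:<hex HMAC>"), the shared secret and the function names are constructed for this example, and the real X_TRUSTED_PROXY_HEADER format and signing scheme are not described on this page.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed header layout for this illustration: "<timestamp_ns>:<hex HMAC-SHA256>".
# The real django-ansible-base X_TRUSTED_PROXY_HEADER format is not shown on the page.


def sign_trusted_proxy_header(secret: bytes, now_ns: Optional[int] = None) -> str:
    """Build the header value a proxy would attach: the current time in
    nanoseconds, authenticated with an HMAC over that timestamp string."""
    ts = time.time_ns() if now_ns is None else now_ns
    mac = hmac.new(secret, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def validate_trusted_proxy_header(header: str, secret: bytes, timeout_ns: int,
                                  now_ns: Optional[int] = None,
                                  max_future_skew_ns: int = 1_000_000_000) -> bool:
    """Accept the header only if the MAC verifies and the signed timestamp lies
    within timeout_ns of the receiver's clock.

    A header that is otherwise valid but older than timeout_ns (a replay) or
    unreasonably far in the future (clock abuse) is rejected. The MAC is checked
    first and with a constant-time comparison so the timestamp cannot be forged."""
    try:
        ts_str, mac = header.split(":", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False  # malformed header
    expected = hmac.new(secret, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # not produced with our secret
    now = time.time_ns() if now_ns is None else now_ns
    age_ns = now - ts
    if age_ns < -max_future_skew_ns:
        return False  # timestamp too far in the future
    return age_ns <= timeout_ns


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    hdr = sign_trusted_proxy_header(secret)
    print(hdr, validate_trusted_proxy_header(hdr, secret, timeout_ns=2_000_000_000))
```

The timeout is a trade-off: too small and legitimate requests fail when the proxy and service clocks drift; too large and the replay window grows. Whatever value is configured, the signature check must happen before the time check, and both must fail closed.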

9.1.1.2. Documentation updates

  • With this update, the Ansible Automation Platform Operator growth topology and Ansible Automation Platform Operator enterprise topology have been updated to include s390x (IBM Z) architecture test support.

9.1.1.3. Event-Driven Ansible

  • Extended the scope of the log_level and debug settings. (AAP-33669)
  • A project can now be synced with the Event-Driven Ansible collection modules. (AAP-32264)
  • In the Rulebook activation create form, selecting a project is now required before selecting a rulebook. (AAP-28082)
  • The Create credentials button is now visible irrespective of whether there are any existing credentials or not. (AAP-23707)

9.1.2. Bug fixes

9.1.2.1. General

  • Fixed an issue where the django-ansible-base fallback cache kept creating a tmp file even if LOCATION was set to another path. (AAP-36869)
  • Fixed an issue where the OIDC authenticator was not allowed to use the JSON key to extract user groups, or to modify a user, via the new GROUPS_CLAIM configuration setting. (AAP-36716)

With this update, the following CVEs have been addressed:

  • CVE-2024-11079 ansible-core: Unsafe Tagging Bypass via hostvars Object in Ansible-Core. (AAP-35563)
  • CVE-2024-53908 ansible-lightspeed-container: Potential SQL injection in HasKey(lhs, rhs) on Oracle. (AAP-36767)
  • CVE-2024-53907 ansible-lightspeed-container: Potential denial-of-service in django.utils.html.strip_tags(). (AAP-36755)
  • CVE-2024-11483, which allowed users to escape the scope of their personal access OAuth2 tokens in the gateway, from read-scoped to read-write-scoped. (AAP-36261)

9.1.2.2. Red Hat Ansible Automation Platform

  • Fixed an issue where queries for role user assignments in the platform UI succeeded only about 75% of the time. (AAP-36872)
  • Fixed an issue where the user was unable to filter job templates by label in Ansible Automation Platform 2.5. (AAP-36540)
  • Fixed an issue where it was not possible to open a job template after removing the user that created the template. (AAP-35820)
  • Fixed an issue where the inventory source update failed and did not allow selection of the inventory file. (AAP-35246)
  • Fixed an issue where the Login Redirect Override setting was missing and not functioning as expected in Ansible Automation Platform 2.5. (AAP-33295)
  • Fixed an issue where users were able to select a credential that required a password when defining a schedule. (AAP-32821)
  • Fixed an issue where the job output did not show unless you switched tabs. This also fixed other display issues. (AAP-31125)
  • Fixed an issue where adding a new Automation Decision role to a team did not work from the Access Management > Teams navigation path. (AAP-31873)
  • Fixed an issue where a migration was missing from Ansible Automation Platform. (AAP-37015)
  • Fixed an issue where the gateway OAuth token was not encrypted at rest. (AAP-36715)
  • Fixed an issue where the API forced the user to save a service with an API port even if one did not exist. (AAP-36714)
  • Fixed an issue where the Gateway did not properly interpret SAML attributes for mappings. (AAP-36713)
  • Fixed an issue where non-self-signed certificate+key pairs were allowed to be used in SAML authenticator configurations. (AAP-36707)
  • Fixed an issue where the login page was not redirecting to /api/gateway/v1 if a user was already logged in. (AAP-36638)

9.1.2.3. Ansible automation hub

  • When configuring an Ansible Remote to sync collections from other servers, a requirements file is only required for syncs from Galaxy, and optional otherwise. Without a requirements file, all collections are synced. (AAP-31238)

9.1.2.3.1. Container-based Ansible Automation Platform

  • Fixed an issue that allowed automation controller nodes to override the receptor_peers variable. (AAP-37085)
  • Fixed an issue where the containerized installer ignored receptor_type for automation controller hosts and always installed them as hybrid. (AAP-37012)
  • Fixed an issue where Podman was not present in the task container, and the cleanup image task failed. (AAP-37011)
  • Fixed an issue where only one automation controller node was configured with Execution/Hop node peers rather than all automation controller nodes. (AAP-36851)
  • Fixed an issue where the automation controller services lost connection to the database, after which the containers were stopped and the systemd unit did not try to restart them. (AAP-36850)
  • Fixed an issue where the receptor_type and receptor_protocol variable validation checks were skipped during the preflight role execution. (AAP-36857)

9.1.2.4. Event-Driven Ansible

  • Fixed an issue where the url field of the event stream was not updated if the EDA_EVENT_STREAM_BASE_URL setting changed. (AAP-33819)
  • Fixed an issue where Event-Driven Ansible and automation controller fields were pre-populated with gateway credentials when secret: true is set on custom credentials. (AAP-33188)
  • Fixed an issue where the bulk removal of selected role permissions disappeared when more than 4 permissions were selected. (AAP-28030)
  • Fixed an issue where Enabled options had its own scrollbar on the Rulebook Activation Details page. (AAP-31130)
  • Fixed an issue where the status of an activation was occasionally inconsistent with the status of the latest instance after a restart. (AAP-29755)
  • Fixed an issue where importing a project from a non-existing branch resulted in the Completed state instead of a Failed status. (AAP-29144)
  • Fixed an issue with custom credential types where, if the user clicked Generate extra vars before the fields: key in the input configuration, an empty line that could not be edited was created. (AAP-28084)
  • Fixed an issue where the project sync would not fail on an empty or unstructured git repository. (AAP-35777)
  • Fixed an issue where rulebook validation import/sync failed when a rulebook had a duplicated rule name. (AAP-35164)
  • Fixed an issue where the Event-Driven Ansible API allowed a credential’s type to be changed. (AAP-34968)
  • Fixed an issue where a previously failed project could be accidentally changed to Completed after a resync. (AAP-34744)
  • Fixed an issue where no message was recorded when a project did not contain any rulebooks. (AAP-34555)
  • Fixed an issue where the name for credentials in the rulebook activation form field was not updated. (AAP-34123)
  • Updated the message for the rulebook activation/event streams for better clarity. (AAP-33485)
  • Fixed an issue where the source plugin was not able to use the env vars to establish a successful connection to the remote source. (AAP-35597)
  • Fixed an issue in the collection where the activation module failed with a misleading error message if the rulebook, project, decision environment, or organization could not be found. (AAP-35360)
  • Fixed an issue where the validation of a host specified as part of a container registry credential did not conform to container registry standards. Previously, a syntactically invalid host (name or network address) and optional port value (<valid-host>[:<port>]) was accepted. The validation is now applied when creating a credential as well as when modifying an existing credential, regardless of which fields are modified. (AAP-34969)
  • Fixed an issue whereby multiple Red Hat Ansible Automation Platform credentials were being attached to activations. (AAP-34025)
  • Fixed an issue where there was an erroneous dependency on the existence of an organization named Default. (AAP-33551)
  • Fixed an issue where occasionally an activation was reported as running before it was ready to receive events. (AAP-31225)
  • Fixed an issue where the user could not edit auto-generated injector vars while creating Event-Driven Ansible custom credentials. (AAP-29752)
  • Fixed an issue where in some cases the file_watch source plugin in an Event-Driven Ansible collection raised the QueueFull exception. (AAP-29139)
  • Fixed an issue where the Event-Driven Ansible database increased in size continuously, even if the database was unused. Added the purge_record script to clean up outdated database records. (AAP-30684)
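The container registry credential fix (AAP-34969) above describes validating the host field against the <valid-host>[:<port>] form, so that a credential cannot carry a host that is not a syntactically valid name or address. The Python below is an added example of such a validator and is not the Event-Driven Ansible project's code; the function names and the accepted forms (RFC 1123 hostname labels, IPv4, bracketed IPv6, port 1 to 65535) are assumptions chosen for this illustration, and it goes slightly beyond the note by also covering IPv6 literals and scheme-prefixed strings that a user might paste by mistake.

```python
import ipaddress
import re
from typing import Optional, Tuple

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen. (Assumed rule for this example.)
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _valid_ipv4(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def _valid_hostname(host: str) -> bool:
    """Syntactic hostname check. An all-numeric dotted name such as
    192.168.1.300 is deliberately not accepted as a hostname; it must be a
    valid IPv4 address instead, otherwise typos slip through."""
    if not host or len(host) > 253 or host.endswith("."):
        return False
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return False
    return all(_LABEL.match(label) for label in labels)


def parse_registry_host(value: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (host, port or None) if value matches <valid-host>[:<port>],
    otherwise None. IPv6 literals must be bracketed, as in [::1]:5000."""
    if not isinstance(value, str) or not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            return None
        host, rest = value[1:end], value[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
    else:
        host, sep, tail = value.partition(":")
        rest = sep + tail  # keeps the ":" so "host:" and "host:a:b" fail below
        if not (_valid_ipv4(host) or _valid_hostname(host)):
            return None
    if rest == "":
        return host, None
    if not rest.startswith(":"):
        return None
    port_str = rest[1:]
    if not (port_str.isascii() and port_str.isdigit()):
        return None
    port = int(port_str)
    if not 1 <= port <= 65535:
        return None
    return host, port


def is_valid_registry_host(value: str) -> bool:
    """Boolean form of parse_registry_host, suitable for a form or API validator."""
    return parse_registry_host(value) is not None


if __name__ == "__main__":
    for sample in ("quay.io", "registry.example.com:5000", "[::1]:5000",
                   "https://quay.io", "quay.io:", "192.168.1.300"):
        print(f"{sample!r:32} -> {parse_registry_host(sample)}")
```

Running the validator on both create and update paths, as the note says the fix does, matters because a host that was accepted under the old rules would otherwise survive every later edit of the credential.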

9.2. Ansible Automation Platform patch release December 3, 2024

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

9.2.1. Enhancements

9.2.1.1. Ansible Automation Platform

  • Red Hat Ansible Lightspeed has been updated to 2.5.241127.
  • redhat.insights Ansible collection has been updated to 1.3.0.
  • ansible.eda collection has been updated to 2.2.0 in execution environment and decision environment images.

9.2.1.2. Ansible Automation Platform Operator

  • With this update, you can set PostgreSQL SSL/TLS mode to verify-full or verify-ca with the proper sslrootcert configuration in the automation hub Operator.

9.2.1.3. Container-based Ansible Automation Platform

  • With this update, ID and Image fields from a container image are used instead of Digest and ImageDigest to trigger a container update.
  • With this update, you can now update the registry URL value in Event-Driven Ansible credentials.
  • With this update, the kernel.keys.maxkeys and kernel.keys.maxbytes settings are increased on systems with large memory configuration.
  • Added ansible_connection=local to the inventory-growth file and clarified its usage.

9.2.1.4. Documentation updates

  • With this update, the Container growth topology and Container enterprise topology have been updated to include s390x (IBM Z) architecture test support.

9.2.1.5. RPM-based Ansible Automation Platform

  • With this update, you can now update the registry URL value in Event-Driven Ansible credentials.

9.2.2. Bug fixes

9.2.2.1. General

With this update, the following CVEs have been addressed:

  • CVE-2024-52304 automation-controller: aiohttp vulnerable to request smuggling due to wrong parsing of chunk extensions.

9.2.2.2. Ansible Automation Platform Operator

  • With this update, missing Ansible Automation Platform Operator custom resource definitions (CRDs) are added to the aap-must-gather container image.
  • Disabled platform gateway authentication in the proxy configuration to prevent HTTP 502 errors when the control plane is down.
  • The Red Hat favicon is now correctly displayed on automation controller and Event-Driven Ansible API tabs.
  • With this update, the automation controller admin password is now reused during upgrade from Ansible Automation Platform 2.4 to 2.5.
  • Fixed undefined variable (_controller_enabled) when reconciling an AnsibleAutomationPlatformRestore. Fixed automation hub Operator pg_restore error on restores due to a wrong database secret being set.

9.2.2.3. Automation controller

  • Updated the minor version of uWSGI to obtain updated log verbiage.
  • Fixed job schedules running at the wrong time when the rrule interval was set to HOURLY or MINUTELY.
  • Fixed an issue where sensitive data was displayed in the job output.
  • Fixed an issue where unrelated jobs could be marked as a dependency of other jobs.
  • Included pod anti-affinity configuration on default container group pod specification to optimally spread workload.

9.2.2.4. Container-based Ansible Automation Platform

  • With this update, you cannot change the postgresql_admin_username value when using a managed database node.
  • Added update support for PCP monitoring role.
  • Disabled platform gateway authentication in the proxy configuration to prevent HTTP 502 errors when the control plane is down.
  • With this update, you can use dedicated nodes for the Redis group.
  • Fixed an issue where disabling TLS on platform gateway would cause installation to fail.
  • Fixed an issue where disabling TLS on platform gateway proxy would cause installation to fail.
  • Fixed an issue where platform gateway uninstall would leave container systemd unit files on disk.
  • Fixed an issue where the automation hub container signing service creation failed when hub_collection_signing=false but hub_container_signing=true.
  • Fixed an issue with the HOME environment variable for receptor containers which would cause a “Permission denied” error on the containerized execution node.
  • Fixed an issue where not setting up the GPG agent socket properly when many hub nodes are configured, resulted in not creating a GPG socket file in /var/tmp/pulp.
  • With this update, you can now change the platform gateway port value after the initial deployment.

9.2.2.5. Receptor

  • Fixed an issue that caused a Receptor runtime panic error.

9.2.2.6. RPM-based Ansible Automation Platform

  • Fixed an issue where the metrics-utility command failed to run after updating automation controller.
  • Fixed the owner and group permissions on the /etc/tower/uwsgi.ini file.
  • Fixed an issue where not having eda_node_type defined in the inventory file would result in backup failure.
  • Fixed an issue where not having routable_hostname defined in the inventory file would result in a restore failure.
  • With this update, the inventory-growth file is now included in the RPM installer.
  • Fixed an issue where the dispatcher service went into FATAL status and failed to process new jobs after a database outage of a few minutes.
  • Disabled platform gateway authentication in the proxy configuration to allow access to the UI when the control plane is down.
  • With this update, the Receptor data directory can now be configured using the receptor_datadir variable.

9.3. Ansible Automation Platform patch release November 18, 2024

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

9.3.1. Enhancements

  • With this release, a redirect page has now been implemented that will be exhibited when you navigate to the root / for each component’s stand-alone URL. The API endpoint remains functional. This affects Event-Driven Ansible, automation controller, Ansible Automation Platform Operator, and OpenShift Container Platform.

9.3.2. Bug fixes

9.3.2.1. General

With this update, the following CVEs have been addressed:

  • CVE-2024-9902 ansible-core: Ansible-core user may read/write unauthorized content.
  • CVE-2024-8775 ansible-core: Exposure of sensitive information in Ansible vault files due to improper logging.

9.3.2.2. Ansible Automation Platform

  • Fixed an issue where the user was unable to filter hosts in inventory groups, and the Ansible Automation Platform UI returned a “Failed to load options” error.

9.3.2.3. Execution Environment

  • Update pywinrm to 0.4.3 in ee-minimal and ee-supported container images to fix Python 3.11 compatibility.

9.3.2.4. Ansible Automation Platform Operator

  • Fixed a syntax error when bundle_cacert_secret was defined due to incorrect indentation.
  • Fixed an issue where the default operator catalog for Ansible Automation Platform aligned to cluster-scoped versus namespace-scoped.
  • Added the ability to set tolerations and node_selector for the Redis statefulset and the gateway deployment.
  • Ensure the platform URL status is set when Ingress is used to resolve an issue with Microsoft Azure on Cloud managed deployments. This is due to the Ansible Automation Platform operator failing to finish because it is looking for OpenShift Container Platform routes that are not available on Azure Kubernetes Service.
  • Fixed an issue where the Ansible Automation Platform Operator description did not render code block correctly.
  • It is necessary to specify the CONTROLLER_SSO_URL and AUTOMATION_HUB_SSO_URL settings in Gateway to fix the OIDC auth redirect flow.
  • It is necessary to set the SERVICE_BACKED_SSO_AUTH_CODE_REDIRECT_URL setting to fix the OIDC auth redirect flow.

9.3.2.5. Container-based Ansible Automation Platform

  • Fixed an issue where, when the port value was not defined in the gateway_main_url variable, the containerized installer failed with an incorrect execution environment image reference error.
  • Fixed an issue where the containerized installer added a port number when specifying the image_url for a decision environment. The user should not add a port to image URLs when using the default value.

9.3.2.6. RPM-based Ansible Automation Platform

  • Fixed an issue where not setting up the gpg agent socket properly when multiple hub nodes are configured resulted in not creating a gpg socket file in /var/run/pulp.

9.3.2.7. Ansible development tools

  • Fixed an issue where missing data files were not included in the molecule RPM package.

9.4. Ansible Automation Platform patch release October 28, 2024

The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.

9.4.1. Enhancements

9.4.1.1. Ansible Automation Platform

  • With this update, upgrades from Ansible Automation Platform 2.4 to 2.5 are supported for RPM and Operator-based deployments. For more information on how to upgrade, see RPM upgrade and migration. (ANSTRAT-809)

    • Upgrades from 2.4 Containerized Ansible Automation Platform Tech Preview to 2.5 Containerized Ansible Automation Platform are unsupported at this time.
    • Upgrades for Event-Driven Ansible are unsupported from Ansible Automation Platform 2.4 to Ansible Automation Platform 2.5.

9.4.1.2. Ansible Automation Platform Operator

  • An informative redirect page is now shown when you go to the automation hub URL root. (AAP-30915)

9.4.1.3. Container-based Ansible Automation Platform

  • The TLS Certificate Authority private key can now use a passphrase. (AAP-33594)
  • Automation hub is populated with container images (decision and execution environments) and Ansible collections. (AAP-33759)
  • The automation controller, Event-Driven Ansible, and automation hub legacy UIs now display a redirect page to the Platform UI rather than a blank page. (AAP-33794)

9.4.1.4. RPM-based Ansible Automation Platform

  • Added platform Redis to RPM-based Ansible Automation Platform. This allows a 6 node cluster for a Redis high availability (HA) deployment. Removed the variable aap_caching_mtls and replaced it with redis_disable_tls and redis_disable_mtls which are boolean flags that disable Redis server TLS and Redis client certificate authentication. (AAP-33773)
  • An informative redirect page is now shown when going to automation controller, Event-Driven Ansible, or automation hub URL. (AAP-33827)

9.4.2. Bug fixes

9.4.2.1. Ansible Automation Platform

  • Removed the Legacy external password option from the Authentication Type list. (AAP-31506)
  • Ansible Galaxy’s sessionauth class is now always the first in the list of authentication classes so that the platform UI can successfully authenticate. (AAP-32146)
  • CVE-2024-10033 - automation-gateway: Fixed a Cross-site Scripting (XSS) vulnerability on the automation-gateway component that allowed a malicious user to perform actions that impact users.
  • CVE-2024-22189 - receptor: Resolved an issue in quic-go that would allow an attacker to trigger a denial of service by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs.

9.4.2.2. Automation controller

  • CVE-2024-41989 - automation-controller: Before this update, in Django, if floatformat received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption. With this update, decimals with more than 200 digits are now returned as is.
  • CVE-2024-45230 - automation-controller: Resolved an issue in Python’s Django urlize() and urlizetrunc() functions where excessive input with a specific sequence of characters would lead to denial of service.

9.4.2.3. Automation hub

  • Refactored the dynaconf hooks to preserve the necessary authentication classes for Ansible Automation Platform 2.5 deployments. (AAP-31680)
  • During role migrations, model permissions are now re-added to roles to preserve ownership. (AAP-31417)

9.4.2.4. Ansible Automation Platform Operator

  • The port is now correctly set when configuring the platform gateway cache redis_host setting when using an external Redis cache. (AAP-33279)
  • Added checksums to the automation hub deployments so that pods are cycled to pick up changes to the PostgreSQL configuration and galaxy server settings Kubernetes secrets. (AAP-33518)

9.4.2.5. Container-based Ansible Automation Platform

  • Fixed the uninstall playbook execution when the environment was already uninstalled. (AAP-32981)

9.5. Ansible Automation Platform patch release October 14, 2024

The following fixes have been implemented in this release of Red Hat Ansible Automation Platform.

9.5.1. Fixed issues

9.5.1.1. Ansible Automation Platform

  • Fixed an issue in platform gateway where examining output logs for UWSGI shows a message that can be viewed as insensitive. (AAP-33213)
  • Fixed external Redis port configuration issue, which resulted in a cluster_host error when trying to connect to Redis. (AAP-32691)
  • Fixed a faulty conditional which was causing managed Redis to be deployed even if an external Redis was being configured. (AAP-31607)
  • After the initial deployment of Ansible Automation Platform, if you make changes to the automation controller, automation hub, or Event-Driven Ansible sections of the Ansible Automation Platform CR specification, those changes are now propagated to the component custom resources. (AAP-32350)
  • Fixed an issue where, when the keep_keys filter was used, all keys were removed from the dictionary. The keep_keys fix is available in the updated ansible.utils collection. (AAP-32960)
  • Fixed an issue in cisco.ios.ios_static_routes where the metric distance was being populated in the forward_router_address attribute. (AAP-32960)
  • Fixed an issue where the Ansible Automation Platform Operator was not transferring metric settings to the controller. (AAP-32073)
  • Fixed an issue where, if a schedule on a resource such as a job template prompted for credentials and you changed the credential to one different from the resource's default, the new credential was not submitted to the API and was not updated. (AAP-31957)
  • Setting pg_host= without any other context no longer results in an empty HOST section of settings.py in automation controller. (AAP-32440)

9.5.2. Advisories

The following errata advisories are included in this release:

9.6. Ansible Automation Platform patch release October 7, 2024

The following enhancements and fixes have been implemented in this release of Red Hat Ansible Automation Platform.

9.6.1. Enhancements

  • Event-Driven Ansible workers and scheduler add timeout and retry resilience when communicating with a Redis cluster. (AAP-32139)
  • Removed the MTLS credential type that was incorrectly added. (AAP-31848)

9.6.2. Fixed issues

9.6.2.1. Ansible Automation Platform

  • Fixed conditional that was skipping necessary tasks in the restore role, which was causing restores to not finish reconciling. (AAP-30437)
  • Systemd services in the containerized installer are now set with restart policy set to always by default. (AAP-31824)
  • FLUSHDB is now modified to account for shared usage of a Redis database. It now respects access limitations by removing only those keys that the client has permissions to. (AAP-32138)
  • Added a fix to ensure default extra_vars values are rendered in the Prompt on launch wizard. (AAP-30585)
  • Filtered out the unused ANSIBLE_BASE_ settings from the environment variable in job execution. (AAP-32208)

9.6.2.2. Event-Driven Ansible

  • Configured the setting EVENT_STREAM_MTLS_BASE_URL to the correct default to ensure MTLS is disallowed in the RPM installer. (AAP-32027)
  • Configured the setting EVENT_STREAM_MTLS_BASE_URL to the correct default to ensure MTLS is disallowed in the containerized installer. (AAP-31851)
  • Fixed a bug where the Event-Driven Ansible workers and scheduler are unable to reconnect to the Redis cluster if a primary Redis node enters a failed state and a new primary node is promoted. See the KCS article Redis failover causes Event-Driven Ansible activation failures that include the steps that were necessary before this bug was fixed. (AAP-30722)

9.6.3. Advisories

The following errata advisories are included in this release:

© 2024 Red Hat, Inc.