Chapter 9. Patch releases
Security, bug fixes, and enhancements for Ansible Automation Platform 2.5 are released as asynchronous errata. All Ansible Automation Platform errata are available on the Download Red Hat Ansible Automation Platform page.
As a Red Hat Customer Portal user, you can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, you receive an email whenever new errata relevant to your registered systems are released.
Red Hat Customer Portal user accounts must have systems registered and consuming Ansible Automation Platform entitlements for Ansible Automation Platform errata notification emails to be generated.
The patch releases section of the release notes will be updated over time to give notes on enhancements and bug fixes for patch releases of Ansible Automation Platform 2.5.
Additional resources
- For more information about asynchronous errata support in Ansible Automation Platform, see Red Hat Ansible Automation Platform Life Cycle.
- For information about Common Vulnerabilities and Exposures (CVEs), see What is a CVE? and Red Hat CVE Database.
9.1. Ansible Automation Platform patch release December 18, 2024
The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.
9.1.1. Enhancements
9.1.1.1. Ansible Automation Platform
- Added help text to all missing fields in Ansible Automation Platform gateway and `django-ansible-base`. (AAP-37068)
- Consistently formatted sentence structure for `help_text`, and provided more context in the help text where it was vague. (AAP-37016)
- Added dynamic preferences for usage by Automation Analytics. (AAP-36710)
  - `INSIGHTS_TRACKING_STATE`: Enables the service to gather data on automation and send it to Automation Analytics.
  - `RED_HAT_CONSOLE_URL`: Configures the upload URL for data collection for Automation Analytics.
  - `REDHAT_USERNAME`: Username used to send data to Automation Analytics.
  - `REDHAT_PASSWORD`: Password for the account used to send data to Automation Analytics.
  - `SUBSCRIPTIONS_USERNAME`: Username used to retrieve subscription and content information.
  - `SUBSCRIPTIONS_PASSWORD`: Password used to retrieve subscription and content information.
  - `AUTOMATION_ANALYTICS_GATHER_INTERVAL`: Interval in seconds at which Automation Analytics gathers data.
- Added an enabled flag for turning authenticator maps on or off. (AAP-36709)
- `aap-metrics-utility` has been updated to 0.4.1. (AAP-36393)
- Added the setting `trusted_header_timeout_in_ns` to apply a timeout to `X_TRUSTED_PROXY_HEADER` validation in the `django-ansible-base` libraries used by Ansible Automation Platform components. (AAP-36712)
9.1.1.2. Documentation updates
- With this update, the Ansible Automation Platform Operator growth topology and Ansible Automation Platform Operator enterprise topology have been updated to include s390x (IBM Z) architecture test support.
9.1.1.3. Event-Driven Ansible
- Extended the scope of the `log_level` and debug settings. (AAP-33669)
- A project can now be synced with the Event-Driven Ansible collection modules. (AAP-32264)
- In the Rulebook activation create form, selecting a project is now required before selecting a rulebook. (AAP-28082)
- The Create credentials button is now visible irrespective of whether any credentials already exist. (AAP-23707)
9.1.2. Bug fixes
9.1.2.1. General
- Fixed an issue where the `django-ansible-base` fallback cache kept creating a tmp file even if the LOCATION was set to another path. (AAP-36869)
- Fixed an issue where the OIDC authenticator was not allowed to use the JSON key to extract user groups, or for a user to be modified via the new `GROUPS_CLAIM` configuration setting. (AAP-36716)
With this update, the following CVEs have been addressed:
- CVE-2024-11079 `ansible-core`: Unsafe Tagging Bypass via `hostvars` Object in Ansible-Core. (AAP-35563)
- CVE-2024-53908 `ansible-lightspeed-container`: Potential SQL injection in `HasKey(lhs, rhs)` on Oracle. (AAP-36767)
- CVE-2024-53907 `ansible-lightspeed-container`: Potential denial-of-service in `django.utils.html.strip_tags()`. (AAP-36755)
- CVE-2024-11483: Fixed an issue in the gateway that allowed users to escape the scope of their personal access OAuth2 tokens, from read-scoped to read-write-scoped. (AAP-36261)
9.1.2.2. Red Hat Ansible Automation Platform
- Fixed an issue where queries for role user assignments in the platform UI succeeded only about 75% of the time. (AAP-36872)
- Fixed an issue where the user was unable to filter job templates by label in Ansible Automation Platform 2.5. (AAP-36540)
- Fixed an issue where it was not possible to open a job template after removing the user that created the template. (AAP-35820)
- Fixed an issue where the inventory source update failed and did not allow selection of the inventory file. (AAP-35246)
- Fixed an issue where the Login Redirect Override setting was missing and not functioning as expected in Ansible Automation Platform 2.5. (AAP-33295)
- Fixed an issue where users were able to select a credential that required a password when defining a schedule. (AAP-32821)
- Fixed an issue where the job output did not show unless you switched tabs. This also fixed other display issues. (AAP-31125)
- Fixed an issue where adding a new Automation Decision role to a team did not work from the Access Management > Teams navigation path. (AAP-31873)
- Fixed an issue where a migration was missing from Ansible Automation Platform. (AAP-37015)
- Fixed an issue where the gateway OAuth token was not encrypted at rest. (AAP-36715)
- Fixed an issue where the API forced the user to save a service with an API port even if one does not exist. (AAP-36714)
- Fixed an issue where the gateway did not properly interpret SAML attributes for mappings. (AAP-36713)
- Fixed an issue where non-self-signed certificate+key pairs were allowed to be used in SAML authenticator configurations. (AAP-36707)
- Fixed an issue where the login page was not redirecting to `/api/gateway/v1` if a user was already logged in. (AAP-36638)
9.1.2.3. Ansible automation hub
- When configuring an Ansible Remote to sync collections from other servers, a requirements file is only required for syncs from Galaxy, and optional otherwise. Without a requirements file, all collections are synced.(AAP-31238)
9.1.2.3.1. Container-based Ansible Automation Platform
- Fixed an issue that allowed automation controller nodes to override the `receptor_peers` variable. (AAP-37085)
- Fixed an issue where the containerized installer ignored `receptor_type` for automation controller hosts and always installed them as hybrid. (AAP-37012)
- Fixed an issue where Podman was not present in the task container, so the cleanup image task failed. (AAP-37011)
- Fixed an issue where only one automation controller node was configured with Execution/Hop node peers rather than all automation controller nodes. (AAP-36851)
- Fixed an issue where, when the automation controller services lost connection to the database, the containers were stopped and the `systemd` unit did not try to restart them. (AAP-36850)
- Fixed an issue where the `receptor_type` and `receptor_protocol` variable validation checks were skipped during the preflight role execution. (AAP-36857)
9.1.2.4. Event-Driven Ansible
- Fixed an issue where the url field of the event stream was not updated if the `EDA_EVENT_STREAM_BASE_URL` setting changed. (AAP-33819)
- Fixed an issue where Event-Driven Ansible and automation controller fields were pre-populated with gateway credentials when `secret: true` is set on custom credentials. (AAP-33188)
- Fixed an issue where the bulk removal of selected role permissions disappeared when more than 4 permissions were selected. (AAP-28030)
- Fixed an issue where Enabled options had its own scrollbar on the Rulebook Activation Details page. (AAP-31130)
- Fixed an issue where the status of an activation was occasionally inconsistent with the status of the latest instance after a restart. (AAP-29755)
- Fixed an issue where importing a project from a non-existing branch resulted in the Completed state instead of a Failed status. (AAP-29144)
- Fixed an issue with custom credential types where, if the user clicked Generate extra vars before the `fields:` key in the input configuration, it created an empty line that was uneditable. (AAP-28084)
- Fixed an issue where the project sync would not fail on an empty or unstructured git repository. (AAP-35777)
- Fixed an issue where rulebook validation on import/sync failed when a rulebook had a duplicated rule name. (AAP-35164)
- Fixed an issue where the Event-Driven Ansible API allowed a credential's type to be changed. (AAP-34968)
- Fixed an issue where a previously failed project could be accidentally changed to completed after a resync. (AAP-34744)
- Fixed an issue where no message was recorded when a project did not contain any rulebooks. (AAP-34555)
- Fixed an issue where the name for credentials in the rulebook activation form field was not updated. (AAP-34123)
- Updated the message for the rulebook activation/event streams for better clarity. (AAP-33485)
- Fixed an issue where the source plugin was not able to use the env vars to establish a successful connection to the remote source. (AAP-35597)
- Fixed an issue in the collection where the activation module failed with a misleading error message if the rulebook, project, decision environment, or organization could not be found. (AAP-35360)
- Fixed an issue where the validation of a host specified as part of a container registry credential did not conform to container registry standards. Previously, the specified host could be a syntactically invalid host (name or net address) with an optional port value (`<valid-host>[:<port>]`). The validation is now applied when creating a credential as well as when modifying an existing credential, regardless of which fields are modified. (AAP-34969)
- Fixed an issue whereby multiple Red Hat Ansible Automation Platform credentials were being attached to activations. (AAP-34025)
- Fixed an issue where there was an erroneous dependency on the existence of an organization named Default. (AAP-33551)
- Fixed an issue where occasionally an activation was reported as running before it was ready to receive events. (AAP-31225)
- Fixed an issue where the user could not edit auto-generated injector vars while creating Event-Driven Ansible custom credentials. (AAP-29752)
- Fixed an issue where in some cases the `file_watch` source plugin in an Event-Driven Ansible collection raised the QueueFull exception. (AAP-29139)
- Fixed an issue where the Event-Driven Ansible database increased in size continuously, even if the database was unused. Added the `purge_record` script to clean up outdated database records. (AAP-30684)
9.2. Ansible Automation Platform patch release December 3, 2024
The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.
9.2.1. Enhancements
9.2.1.1. Ansible Automation Platform
- Red Hat Ansible Lightspeed has been updated to 2.5.241127.
- `redhat.insights` Ansible collection has been updated to 1.3.0.
- `ansible.eda` collection has been updated to 2.2.0 in execution environment and decision environment images.
9.2.1.2. Ansible Automation Platform Operator
- With this update, you can set the PostgreSQL SSL/TLS mode to `verify-full` or `verify-ca` with the proper `sslrootcert` configuration in the automation hub Operator.
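The difference between `verify-ca` and `verify-full` is the one a practitioner should understand before choosing: both validate the server's certificate chain against `sslrootcert`, but only `verify-full` also compares the server name against the certificate, so `verify-ca` still accepts any server holding a certificate from that CA. The following is an added example, not code from the automation hub Operator or from libpq; it maps each libpq `sslmode` to the equivalent Python `ssl` context and performs PostgreSQL's SSLRequest handshake by hand so the checks are visible in code. Falling back to the system trust store when no `sslrootcert` is given is an assumption of this example, not libpq behaviour.

```python
"""What PostgreSQL sslmode=verify-ca and sslmode=verify-full actually check.

Added example, not code from the Ansible Automation Platform Operator or from
libpq. It builds the TLS context a client would use for each libpq sslmode and
performs PostgreSQL's SSLRequest handshake by hand: require only encrypts,
verify-ca validates the server chain against sslrootcert but not the server
name, and verify-full validates both. One deliberate deviation from libpq
(an assumption of this example): with no sslrootcert the system trust store is
used rather than ~/.postgresql/root.crt.
"""
import socket
import ssl
import struct
from typing import Optional

# PostgreSQL wire protocol: SSLRequest is the message length (8) followed by
# the magic code 80877103 (1234 in the high 16 bits, 5679 in the low 16 bits).
SSL_REQUEST_CODE = (1234 << 16) | 5679


def build_ssl_request() -> bytes:
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def make_ssl_context(sslmode: str, sslrootcert: Optional[str] = None) -> ssl.SSLContext:
    """Return an ssl.SSLContext enforcing the checks the given sslmode implies."""
    ctx = ssl.create_default_context()  # TLS 1.2+, CERT_REQUIRED, check_hostname on
    if sslmode in ("allow", "prefer", "require"):
        ctx.check_hostname = False           # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE      # encrypted, server not authenticated
    elif sslmode == "verify-ca":
        ctx.check_hostname = False           # chain verified, name never compared
        ctx.verify_mode = ssl.CERT_REQUIRED
    elif sslmode == "verify-full":
        ctx.check_hostname = True            # chain verified and name compared
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        raise ValueError(f"unsupported sslmode {sslmode!r}")
    if sslrootcert:
        ctx.load_verify_locations(cafile=sslrootcert)
    return ctx


def context_checks(ctx: ssl.SSLContext) -> tuple:
    """(hostname_checked, chain_required) for a context built above."""
    return (bool(ctx.check_hostname), ctx.verify_mode == ssl.CERT_REQUIRED)


def connect_tls(host: str, port: int, sslmode: str,
                sslrootcert: Optional[str] = None, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TCP connection, negotiate SSLRequest, and wrap it in TLS.

    With verify-full, server_hostname is what the certificate's SAN/CN is
    compared against; with verify-ca that comparison never happens.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        sock.sendall(build_ssl_request())
        answer = sock.recv(1)
        if answer != b"S":  # 'N' means the server will not speak TLS here
            raise ssl.SSLError(f"server declined TLS (answer {answer!r})")
        return make_ssl_context(sslmode, sslrootcert).wrap_socket(
            sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```

A call such as `connect_tls("db.example.com", 5432, "verify-full", "/path/to/ca.pem").getpeercert()` (host and path assumed) returns the validated certificate; the same call with `verify-ca` returns a certificate from any server the CA has issued to, which is why `verify-full` is the mode to prefer whenever the database hostname is stable.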
9.2.1.3. Container-based Ansible Automation Platform
- With this update, the `ID` and `Image` fields from a container image are used instead of `Digest` and `ImageDigest` to trigger a container update.
- With this update, you can now update the registry URL value in Event-Driven Ansible credentials.
- With this update, the `kernel.keys.maxkeys` and `kernel.keys.maxbytes` settings are increased on systems with large memory configuration.
- Added `ansible_connection=local` to the `inventory-growth` file and clarified its usage.
9.2.1.4. Documentation updates
- With this update, the Container growth topology and Container enterprise topology have been updated to include s390x (IBM Z) architecture test support.
9.2.1.5. RPM-based Ansible Automation Platform
- With this update, you can now update the registry URL value in Event-Driven Ansible credentials.
9.2.2. Bug fixes
9.2.2.1. General
With this update, the following CVEs have been addressed:
- CVE-2024-52304 `automation-controller`: `aiohttp` vulnerable to request smuggling due to wrong parsing of chunk extensions.
9.2.2.2. Ansible Automation Platform Operator
- With this update, missing Ansible Automation Platform Operator custom resource definitions (CRDs) are added to the `aap-must-gather` container image.
- Disabled platform gateway authentication in the proxy configuration to prevent HTTP 502 errors when the control plane is down.
- The Red Hat favicon is now correctly displayed on automation controller and Event-Driven Ansible API tabs.
- With this update, the automation controller admin password is now reused during upgrade from Ansible Automation Platform 2.4 to 2.5.
- Fixed an undefined variable (`_controller_enabled`) when reconciling an `AnsibleAutomationPlatformRestore`.
- Fixed an automation hub Operator `pg_restore` error on restores due to a wrong database secret being set.
9.2.2.3. Automation controller
- Updated the minor version of uWSGI to obtain updated log verbiage.
- Fixed job schedules running at the wrong time when the `rrule` interval was set to `HOURLY` or `MINUTELY`.
- Fixed an issue where sensitive data was displayed in the job output.
- Fixed an issue where unrelated jobs could be marked as a dependency of other jobs.
- Included pod anti-affinity configuration on default container group pod specification to optimally spread workload.
9.2.2.4. Container-based Ansible Automation Platform
- With this update, you cannot change the `postgresql_admin_username` value when using a managed database node.
- Added update support for the PCP monitoring role.
- Disabled platform gateway authentication in the proxy configuration to prevent HTTP 502 errors when the control plane is down.
- With this update, you can use dedicated nodes for the Redis group.
- Fixed an issue where disabling TLS on platform gateway would cause installation to fail.
- Fixed an issue where disabling TLS on platform gateway proxy would cause installation to fail.
- Fixed an issue where platform gateway uninstall would leave container systemd unit files on disk.
- Fixed an issue where the automation hub container signing service creation failed when `hub_collection_signing=false` but `hub_container_signing=true`.
- Fixed an issue with the `HOME` environment variable for receptor containers which would cause a "Permission denied" error on the containerized execution node.
- Fixed an issue where the GPG agent socket was not set up properly when many hub nodes were configured, resulting in no GPG socket file being created in `/var/tmp/pulp`.
- With this update, you can now change the platform gateway port value after the initial deployment.
9.2.2.5. Receptor
- Fixed an issue that caused a Receptor runtime panic error.
9.2.2.6. RPM-based Ansible Automation Platform
- Fixed an issue where the `metrics-utility` command failed to run after updating automation controller.
- Fixed the owner and group permissions on the `/etc/tower/uwsgi.ini` file.
- Fixed an issue where not having `eda_node_type` defined in the inventory file would result in a backup failure.
- Fixed an issue where not having `routable_hostname` defined in the inventory file would result in a restore failure.
- With this update, the `inventory-growth` file is now included in the RPM installer.
- Fixed an issue where the dispatcher service went into `FATAL` status and failed to process new jobs after a database outage of a few minutes.
- Disabled platform gateway authentication in the proxy configuration to allow access to the UI when the control plane is down.
- With this update, the Receptor data directory can now be configured using the `receptor_datadir` variable.
9.3. Ansible Automation Platform patch release November 18, 2024
The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.
9.3.1. Enhancements
- With this release, a redirect page is now shown when you navigate to the root `/` of each component's stand-alone URL. The API endpoint remains functional. This affects Event-Driven Ansible, automation controller, Ansible Automation Platform Operator, and OpenShift Container Platform.
9.3.2. Bug fixes
9.3.2.1. General
With this update, the following CVEs have been addressed:
- CVE-2024-9902 `ansible-core`: Ansible-core user may read/write unauthorized content.
- CVE-2024-8775 `ansible-core`: Exposure of sensitive information in Ansible vault files due to improper logging.
9.3.2.2. Ansible Automation Platform
- Fixed an issue where the user was unable to filter hosts on inventory groups, and the Ansible Automation Platform UI returned a Failed to load options error.
9.3.2.3. Execution Environment
- Update pywinrm to 0.4.3 in ee-minimal and ee-supported container images to fix Python 3.11 compatibility.
9.3.2.4. Ansible Automation Platform Operator
- Fixed a syntax error when `bundle_cacert_secret` was defined, due to incorrect indentation.
- Fixed an issue where the default operator catalog for Ansible Automation Platform aligned to cluster-scoped versus namespace-scoped.
- Added the ability to set tolerations and `node_selector` for the Redis statefulset and the gateway deployment.
- Ensure the platform URL status is set when Ingress is used, to resolve an issue with Microsoft Azure cloud-managed deployments. This was due to the Ansible Automation Platform Operator failing to finish because it looked for OpenShift Container Platform routes that are not available on Azure Kubernetes Service.
- Fixed an issue where the Ansible Automation Platform Operator description did not render code blocks correctly.
- It is necessary to specify the `CONTROLLER_SSO_URL` and `AUTOMATION_HUB_SSO_URL` settings in the gateway to fix the OIDC auth redirect flow.
- It is necessary to set the `SERVICE_BACKED_SSO_AUTH_CODE_REDIRECT_URL` setting to fix the OIDC auth redirect flow.
9.3.2.5. Container-based Ansible Automation Platform
- Fixed an issue where, when the port value was not defined in the `gateway_main_url` variable, the containerized installer failed with an incorrect execution environment image reference error.
- Fixed an issue where the containerized installer used a port number when specifying the `image_url` for a decision environment. The user should not add a port to image URLs when using the default value.
9.3.2.6. RPM-based Ansible Automation Platform
- Fixed an issue where the GPG agent socket was not set up properly when multiple hub nodes were configured, resulting in no GPG socket file being created in `/var/run/pulp`.
9.3.2.7. Ansible development tools
- Fixed an issue where missing data files were not included in the molecule RPM package.
9.4. Ansible Automation Platform patch release October 28, 2024
The following enhancements and bug fixes have been implemented in this release of Ansible Automation Platform.
9.4.1. Enhancements
9.4.1.1. Ansible Automation Platform
With this update, upgrades from Ansible Automation Platform 2.4 to 2.5 are supported for RPM and Operator-based deployments. For more information on how to upgrade, see RPM upgrade and migration. (ANSTRAT-809)
- Upgrades from 2.4 Containerized Ansible Automation Platform Tech Preview to 2.5 Containerized Ansible Automation Platform are unsupported at this time.
- Upgrades for Event-Driven Ansible are unsupported from Ansible Automation Platform 2.4 to Ansible Automation Platform 2.5.
9.4.1.2. Ansible Automation Platform Operator
- An informative redirect page is now shown when you go to the automation hub URL root. (AAP-30915)
9.4.1.3. Container-based Ansible Automation Platform
- The TLS Certificate Authority private key can now use a passphrase. (AAP-33594)
- Automation hub is populated with container images (decision and execution environments) and Ansible collections. (AAP-33759)
- The automation controller, Event-Driven Ansible, and automation hub legacy UIs now display a redirect page to the Platform UI rather than a blank page. (AAP-33794)
9.4.1.4. RPM-based Ansible Automation Platform
- Added platform Redis to RPM-based Ansible Automation Platform. This allows a 6 node cluster for a Redis high availability (HA) deployment. Removed the variable `aap_caching_mtls` and replaced it with `redis_disable_tls` and `redis_disable_mtls`, boolean flags that disable Redis server TLS and Redis client certificate authentication respectively. (AAP-33773)
- An informative redirect page is now shown when going to the automation controller, Event-Driven Ansible, or automation hub URL. (AAP-33827)
9.4.2. Bug fixes
9.4.2.1. Ansible Automation Platform
- Removed the Legacy external password option from the Authentication Type list. (AAP-31506)
- Ansible Galaxy's `sessionauth` class is now always the first in the list of authentication classes so that the platform UI can successfully authenticate. (AAP-32146)
- CVE-2024-10033 `automation-gateway`: Fixed a Cross-site Scripting (XSS) vulnerability in the `automation-gateway` component that allowed a malicious user to perform actions that impact users.
- CVE-2024-22189 `receptor`: Resolved an issue in `quic-go` that would allow an attacker to trigger a denial of service by sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs.
9.4.2.2. Automation controller
- CVE-2024-41989 `automation-controller`: Before this update, in Django, if `floatformat` received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption. With this update, decimals with more than 200 digits are now returned as is.
- CVE-2024-45230 `automation-controller`: Resolved an issue in Django's `urlize()` and `urlizetrunc()` functions where excessive input with a specific sequence of characters would lead to denial of service.
9.4.2.3. Automation hub
- Refactored the `dynaconf` hooks to preserve the necessary authentication classes for Ansible Automation Platform 2.5 deployments. (AAP-31680)
- During role migrations, model permissions are now re-added to roles to preserve ownership. (AAP-31417)
9.4.2.4. Ansible Automation Platform Operator
- The port is now correctly set when configuring the platform gateway cache `redis_host` setting when using an external Redis cache. (AAP-33279)
- Added checksums to the automation hub deployments so that pods are cycled to pick up changes to the PostgreSQL configuration and galaxy server settings Kubernetes secrets. (AAP-33518)
9.4.2.5. Container-based Ansible Automation Platform
- Fixed the uninstall playbook execution when the environment was already uninstalled. (AAP-32981)
9.5. Ansible Automation Platform patch release October 14, 2024
The following fixes have been implemented in this release of Red Hat Ansible Automation Platform.
9.5.1. Fixed issues
9.5.1.1. Ansible Automation Platform
- Fixed an issue in platform gateway where examining output logs for UWSGI shows a message that can be viewed as insensitive. (AAP-33213)
- Fixed an external Redis port configuration issue, which resulted in a `cluster_host` error when trying to connect to Redis. (AAP-32691)
- Fixed a faulty conditional which was causing managed Redis to be deployed even if an external Redis was being configured. (AAP-31607)
- After the initial deployment of Ansible Automation Platform, if you make changes to the automation controller, automation hub, or Event-Driven Ansible sections of the Ansible Automation Platform CR specification, those changes are now propagated to the component custom resources. (AAP-32350)
- Fixed an issue where, when the `keep_keys` filter was used, all keys were removed from the dictionary. The `keep_keys` fix is available in the updated `ansible.utils` collection. (AAP-32960)
- Fixed an issue in `cisco.ios.ios_static_routes` where the metric distance was populated in the `forward_router_address` attribute. (AAP-32960)
- Fixed an issue where the Ansible Automation Platform Operator was not transferring metric settings to the controller. (AAP-32073)
- Fixed an issue where, if you have a schedule on a resource, such as a job template, that prompts for credentials, and you update the credential to be different from what is on the resource by default, the new credential was not submitted to the API and did not get updated. (AAP-31957)
- Fixed an issue where setting `pg_host=` without any other context resulted in an empty HOST section of `settings.py` in controller. (AAP-32440)
9.5.2. Advisories
The following errata advisories are included in this release:
9.6. Ansible Automation Platform patch release October 7, 2024
The following enhancements and fixes have been implemented in this release of Red Hat Ansible Automation Platform.
9.6.1. Enhancements
- Event-Driven Ansible workers and scheduler add timeout and retry resilience when communicating with a Redis cluster. (AAP-32139)
- Removed the MTLS credential type that was incorrectly added. (AAP-31848)
9.6.2. Fixed issues
9.6.2.1. Ansible Automation Platform
- Fixed conditional that was skipping necessary tasks in the restore role, which was causing restores to not finish reconciling. (AAP-30437)
- Systemd services in the containerized installer are now set with restart policy set to always by default. (AAP-31824)
- `FLUSHDB` is now modified to account for shared usage of a Redis database. It now respects access limitations by removing only those keys that the client has permissions to. (AAP-32138)
- Added a fix to ensure default `extra_vars` values are rendered in the Prompt on launch wizard. (AAP-30585)
- Filtered out the unused `ANSIBLE_BASE_` settings from the environment variables in job execution. (AAP-32208)
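The scoped `FLUSHDB` change above (AAP-32138) is a general pattern for any service that shares a Redis logical database: a plain `FLUSHDB` destroys every other tenant's keys. The following is an added example and not Ansible Automation Platform's own code. Instead of `FLUSHDB`, it deletes only the keys under a namespace prefix, walking the keyspace with `SCAN` and deleting in bounded batches. The `FakeRedis` class and the sample keys are constructed stand-ins so the block runs offline; `scoped_flush` uses only `scan_iter`, `delete` and `dbsize`, which redis-py's `Redis` client provides with these signatures, so it runs unchanged against a real client.

```python
"""Scoped cleanup of a shared Redis database instead of FLUSHDB.

Added example, not code from Ansible Automation Platform. FLUSHDB empties an
entire logical database, so on a Redis instance shared by several services it
also destroys keys the caller never owned. scoped_flush removes only keys under
a namespace prefix, walking the keyspace with SCAN (incremental, non-blocking)
rather than KEYS, and deleting in bounded batches. FakeRedis is a constructed
in-memory stand-in for the three redis-py calls used.
"""
from fnmatch import fnmatchcase
from typing import Iterable, Iterator, List


class FakeRedis:
    """Minimal stand-in for redis.Redis, constructed for this example only."""

    def __init__(self, keys: Iterable[str]) -> None:
        self._store = {k: b"v" for k in keys}

    def scan_iter(self, match: str = "*", count: int = 100) -> Iterator[str]:
        # Iterate over a snapshot so deleting during the scan is safe, as it
        # is with a real cursor-based SCAN.
        for key in list(self._store):
            if fnmatchcase(key, match):
                yield key

    def delete(self, *keys: str) -> int:
        return sum(1 for k in keys if self._store.pop(k, None) is not None)

    def dbsize(self) -> int:
        return len(self._store)


def scoped_flush(client, prefix: str, batch: int = 500) -> int:
    """Delete every key that starts with prefix; return how many were removed.

    Keys outside the prefix are never touched, which is the property FLUSHDB
    cannot give you on a shared database.
    """
    if not prefix:
        raise ValueError("refusing to flush without a namespace prefix")
    if any(c in prefix for c in "*?[]\\"):
        # Glob metacharacters would widen the match; keep prefixes literal.
        raise ValueError("prefix must not contain glob metacharacters")
    removed = 0
    pending: List[str] = []
    for key in client.scan_iter(match=prefix + "*", count=batch):
        pending.append(key)
        if len(pending) >= batch:  # bound the argument list of each DEL
            removed += client.delete(*pending)
            pending = []
    if pending:
        removed += client.delete(*pending)
    return removed


if __name__ == "__main__":
    # Constructed sample keyspace: two services sharing one logical database.
    shared = FakeRedis(["eda:job:1", "eda:job:2", "eda:lock", "controller:cache:1"])
    print("removed", scoped_flush(shared, "eda:"), "remaining", shared.dbsize())
```

The same tenancy should also be enforced server-side as defence in depth: a Redis ACL user restricted to its own key pattern and stripped of the flush commands, for example `ACL SETUSER eda on >password ~eda:* +@all -flushdb -flushall` (user name, password and pattern assumed), makes `DEL` on a key outside `eda:*` fail with NOPERM regardless of how the client behaves.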
9.6.2.2. Event-Driven Ansible
- Configured the setting `EVENT_STREAM_MTLS_BASE_URL` to the correct default to ensure MTLS is disallowed in the RPM installer. (AAP-32027)
- Configured the setting `EVENT_STREAM_MTLS_BASE_URL` to the correct default to ensure MTLS is disallowed in the containerized installer. (AAP-31851)
- Fixed a bug where the Event-Driven Ansible workers and scheduler were unable to reconnect to the Redis cluster if a primary Redis node entered a failed state and a new primary node was promoted. See the KCS article Redis failover causes Event-Driven Ansible activation failures, which includes the steps that were necessary before this bug was fixed. (AAP-30722)
9.6.3. Advisories
The following errata advisories are included in this release: