Linux Security

    RedHat: RHSA-2020-3328:01 Moderate: Red Hat Ansible Tower 3.7.2-1 - RHEL7

    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container
    Advisory ID:       RHSA-2020:3328-01
    Product:           Red Hat Ansible Tower
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3328
    Issue date:        2020-08-05
    CVE Names:         CVE-2020-14327 CVE-2020-14328 CVE-2020-14329 
                       CVE-2020-14337 
    =====================================================================
    
    1. Summary:
    
    Red Hat Ansible Tower 3.7.2-1 - RHEL7 Container
    
    2. Description:
    
    * Updated Named URLs to allow for testing the presence or absence of
    objects (CVE-2020-14337)
    * Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
    * Fixed Tower Server Side Request Forgery on Webhooks (CVE-2020-14328)
    * Fixed Tower sensitive data exposure on labels (CVE-2020-14329) 
    * Added local caching for downloaded roles and collections so they are not
    re-downloaded on nodes where they have already been updated
    * Fixed Tower’s task scheduler to no longer deadlock for clustered
    installations with large numbers of nodes 
    * Fixed the Credential Type definitions to no longer allow superusers to
    run unsafe Python code
    * Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
    * Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client
    libraries to be upgraded on Tower nodes, which fixes the backup/restore
    function
    * Fixed backup/restore for PostgreSQL usernames that include capital
    letters
    * Fixed manually added host variables to no longer be removed on VMWare
    vCenter inventory syncs
    * Fixed Red Hat Satellite inventory syncs to allow Tower to properly
    respect the ``verify_ssl`` flag
    
    3. Solution:
    
    For information on upgrading Ansible Tower, reference the Ansible Tower
    Upgrade and Migration Guide:
    https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential
    1856786 - CVE-2020-14328 Tower: SSRF: Server Side Request Forgery on webhooks
    1856787 - CVE-2020-14329 Tower: Sensitive Data Exposure on Label
    1859139 - CVE-2020-14337 Tower: Named URLs allow for testing the presence or absence of objects
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2020-14327
    https://access.redhat.com/security/cve/CVE-2020-14328
    https://access.redhat.com/security/cve/CVE-2020-14329
    https://access.redhat.com/security/cve/CVE-2020-14337
    https://access.redhat.com/security/updates/classification/#moderate
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    
