====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Ansible Tower 3.6.5-1 - RHEL7 Container
Advisory ID:       RHSA-2020:3329-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3329
Issue date:        2020-08-05
CVE Names:         CVE-2020-14327 
====================================================================
1. Summary:

Red Hat Ansible Tower 3.6.5-1 - RHEL7 Container

2. Description:

* Removed reports option for Satellite inventory script
* Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
* Fixed the ``Job Type`` field to render properly when editing a Job
Template
* Fixed a notable delay running large project update clones
* Fixed Tower to properly sync host facts for Red Hat Satellite 6.7
inventories
* Fixed installations on Red Hat OpenShift 4.3 to no longer fail
* Fixed the usage of certain SSH keys on RHEL8 when FIPS is enabled to work
properly
* Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client
libraries to be upgraded on Tower nodes, which fixes the backup/restore
function
* Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
* Fixed the ability to add a user to an organization when they already had
roles in the organization
* Fixed manually added host variables to no longer be removed on VMware
vCenter inventory syncs
* Fixed a number of issues related to Tower’s reporting of metrics to Red
Hat Automation Analytics

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential

5. References:

https://access.redhat.com/security/cve/CVE-2020-14327
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
