RedHat: RHSA-2020-3329:01 Moderate: Red Hat Ansible Tower 3.6.5-1 - RHEL7
Summary
* Removed reports option for Satellite inventory script
* Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
* Fixed the ``Job Type`` field to render properly when editing a Job
Template
* Fixed a notable delay running large project update clones
* Fixed Tower to properly sync host facts for Red Hat Satellite 6.7
inventories
* Fixed installations on Red Hat OpenShift 4.3 to no longer fail
* Fixed the usage of certain SSH keys on RHEL8 when FIPS is enabled to work
properly
* Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client
libraries to be upgraded on Tower nodes, which fixes the backup/restore
function
* Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
* Fixed the ability to add a user to an organization when they already had
roles in the organization
* Fixed manually added host variables to no longer be removed on VMWare
vCenter inventory syncs
* Fixed a number of issues related to Tower’s reporting of metrics to Red
Hat Automation Analytics
Summary
Solution
For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/
index.html
References
https://access.redhat.com/security/cve/CVE-2020-14327 https://access.redhat.com/security/updates/classification/#moderate
Package List
Topic
Red Hat Ansible Tower 3.6.5-1 - RHEL7 Container
Topic
Relevant Releases Architectures
Bugs Fixed
1856785 - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential