drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in Red Hat Ansible Tower
Name: |
Mehrere Probleme in Red Hat Ansible Tower |
|
ID: |
RHSA-2021:0780-01 |
|
Distribution: |
Red Hat |
|
Plattformen: |
Red Hat Ansible Automation Platform |
|
Datum: |
Mi, 10. März 2021, 07:12 |
|
Referenzen: |
https://access.redhat.com/security/cve/CVE-2020-10543
https://access.redhat.com/security/cve/CVE-2020-12723
https://access.redhat.com/security/cve/CVE-2021-20228
https://access.redhat.com/security/cve/CVE-2020-35678
https://access.redhat.com/security/cve/CVE-2021-20191
https://access.redhat.com/security/cve/CVE-2021-20178
https://access.redhat.com/security/cve/CVE-2021-20180
https://access.redhat.com/security/cve/CVE-2021-20253
https://access.redhat.com/security/cve/CVE-2020-10878
https://access.redhat.com/security/cve/CVE-2021-3281 |
|
Applikationen: |
Red Hat Ansible Tower |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat Ansible Tower 3.8.2-1 - Container security and bug fix update Advisory ID: RHSA-2021:0780-01 Product: Red Hat Ansible Automation Platform Advisory URL: https://access.redhat.com/errata/RHSA-2021:0780 Issue date: 2021-03-09 CVE Names: CVE-2020-10543 CVE-2020-10878 CVE-2020-12723 CVE-2020-35678 CVE-2021-3281 CVE-2021-20178 CVE-2021-20180 CVE-2021-20191 CVE-2021-20228 CVE-2021-20253 =====================================================================
1. Summary:
Red Hat Ansible Tower 3.8.2-1 - Container
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
2. Description:
Security Fix(es):
* Addressed a security issue which can allow a malicious playbook author to elevate to the awx user from outside the isolated environment: CVE-2021-20253 * Upgraded to a more recent version of Django to address CVE-2021-3281. * Upgraded to a more recent version of autobahn to address CVE-2020-35678.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Upgraded to the latest oVirt inventory plugin to resolve a number of inventory syncing issues that can occur on RHEL7. * Upgraded to the latest theforeman.foreman inventory plugin to resolve a few bugs and performance regressions. * Fixed several issues related to how Tower rotates its log files. * Fixed a bug which can prevent Tower from installing on RHEL8 with certain non-en_US.UTF-8 locales. * Fixed a bug which can cause unanticipated delays in certain playbook output. * Fixed a bug which can cause job runs to fail for playbooks that print certain types of raw binary data. * Fixed a bug which can cause unnecessary records in the Activity Stream when Automation Analytics data is collected. * Fixed a bug which can cause Tower PostgreSQL backups to fail when a non-default PostgreSQL username is specified. * Fixed a bug which can intermittently cause access to encrypted Tower settings to fail, resulting in failed job launches. * Fixed a bug which can cause certain long-running jobs running on isolated nodes to unexpectedly fail.
3. Solution:
For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/ index.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1911314 - CVE-2020-35678 python-autobahn: allows redirect header injection 1919969 - CVE-2021-3281 django: Potential directory-traversal via archive.extract() 1928847 - CVE-2021-20253 ansible-tower: Privilege escalation via job isolation escape
5. References:
https://access.redhat.com/security/cve/CVE-2020-10543 https://access.redhat.com/security/cve/CVE-2020-10878 https://access.redhat.com/security/cve/CVE-2020-12723 https://access.redhat.com/security/cve/CVE-2020-35678 https://access.redhat.com/security/cve/CVE-2021-3281 https://access.redhat.com/security/cve/CVE-2021-20178 https://access.redhat.com/security/cve/CVE-2021-20180 https://access.redhat.com/security/cve/CVE-2021-20191 https://access.redhat.com/security/cve/CVE-2021-20228 https://access.redhat.com/security/cve/CVE-2021-20253 https://access.redhat.com/security/updates/classification/#important
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYEecRtzjgjWX9erEAQhhqxAAnuxQGRWFCXb0gFDqL4w/xu5Z6GKKJkgx 5zppkQCrVhOZC0gte6fbX0Gc93a8zHzy2KVWWbQzWPBAf31HQUKK26PdkV1Dt2fl 5v6YAikritULYF9YHYUKZyymyFVxTEizntBk1S4t9jHj8Jgt5YBRB3oypgH+HkjA UTil2i45u0XLEbBdx3pWE54WlvoYEUgLjptT9j8l8rQVNot/GcMuVp+2tXJ0JeF4 2U7mor77CSDGO3oY5SNDcfJyYyyMsBTxjm4N2iU6P065vdWD4pOe6VuZGrj+2y+o oOhzMMyUMHNnYYyr+yg9oy5IT+cWP+bwhOGektdDgoPvmlfnDYrNxc25lc1AMht2 oDB/pI+7+Et+mJ+7iN1/a8fccK9/opNABU5EGqXIw0QbO8iG+EucMPKhd9Grm4mA MPmTYPO1TfVSSbozBr8ZJl5N12E+ndpX6YcQfmV0DZumbaz22b2JQrPjkHH4u42t IiA8Li81cZiM3wpueKsNojY4lPRQuoKKxIDXRjjMaicBGIh2lZduJuxet/rCpe+w zeU5h3TBdMvcE1La4O4wmtrG232p+eVKJRNbwFXPkWBRJd6V2hfVHHefEYPkSv9R uRr9bag1HC5G1oy6X5xlQbFJIa6SkqF96ygEr1x1Hbm3s5gUfIhppniUUPGPXN9Q XIFq5Vk5T4U= =R7ey -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce
|
|
|
|