-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3474
           Red Hat Ansible Tower 3.3.1-2 Release - Container Image
                               7 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Ansible Tower
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000805 CVE-2018-17456 CVE-2018-16837
                   CVE-2018-14682 CVE-2018-14681 CVE-2018-14680
                   CVE-2018-14679 CVE-2018-13988 CVE-2018-12910
                   CVE-2018-12384 CVE-2018-10846 CVE-2018-10845
                   CVE-2018-10844 CVE-2018-10768 CVE-2018-10767
                   CVE-2018-10733 CVE-2018-1061 CVE-2018-1060
                   CVE-2018-0739 CVE-2018-0737 CVE-2018-0732
                   CVE-2018-0495 CVE-2017-1000050 CVE-2017-18267
                   CVE-2017-3735 CVE-2016-9396 CVE-2015-9262
Reference:         ESB-2018.3419
                   ESB-2018.3386
                   ESB-2018.3380

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2018:3505

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Ansible Tower 3.3.1-2 Release - Container Image
Advisory ID:       RHSA-2018:3505-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3505
Issue date:        2018-11-06
CVE Names:         CVE-2015-9262 CVE-2016-9396 CVE-2017-3735
                   CVE-2017-18267 CVE-2017-1000050 CVE-2018-0495
                   CVE-2018-0732 CVE-2018-0737 CVE-2018-0739
                   CVE-2018-1060 CVE-2018-1061 CVE-2018-10733
                   CVE-2018-10767 CVE-2018-10768 CVE-2018-10844
                   CVE-2018-10845 CVE-2018-10846 CVE-2018-12384
                   CVE-2018-12910 CVE-2018-13988
                   CVE-2018-14679 CVE-2018-14680 CVE-2018-14681
                   CVE-2018-14682 CVE-2018-16837 CVE-2018-17456
                   CVE-2018-1000805
=====================================================================

1. Summary:

Security Advisory

2. Description:

Red Hat Ansible Tower 3.3.1 is now available and contains the following bug
fixes:

- - - Fixed event callback error when in-line vaulted variables are used with
``include_vars``
- - - Fixed HSTS and X-Frame-Options to properly be set in nginx configuration
- - - Fixed isolated node setup to no longer fail when ``ansible_host`` is used
- - - Fixed selection of custom virtual environments in job template creation
- - - Fixed websockets for job details to properly work
- - - Fixed the ``/api/v2/authtoken`` compatibility shim
- - - Fixed page size selection on the jobs screen
- - - Fixed instances in an instance group to properly be disabled in the user
interface
- - - Fixed the job template selection in workflow creation to properly render
- - - Fixed ``member_attr`` to properly set on some LDAP configurations during
upgrade, preventing login
- - - Fixed ``PosixUIDGroupType`` LDAP configurations
- - - Improved the RAM requirement in the installer preflight check
- - - Updated Tower to properly report an error when relaunch was used on a set
of failed hosts that is too large
- - - Updated sosreport configuration to gather more python environment, nginx,
and supervisor configuration
- - - Fixed display of extra_vars for scheduled jobs

3. Solution:

The Ansible Tower Upgrade and Migration Guide is available at:

https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4. References:

https://access.redhat.com/security/cve/CVE-2015-9262
https://access.redhat.com/security/cve/CVE-2016-9396
https://access.redhat.com/security/cve/CVE-2017-3735
https://access.redhat.com/security/cve/CVE-2017-18267
https://access.redhat.com/security/cve/CVE-2017-1000050
https://access.redhat.com/security/cve/CVE-2018-0495
https://access.redhat.com/security/cve/CVE-2018-0732
https://access.redhat.com/security/cve/CVE-2018-0737
https://access.redhat.com/security/cve/CVE-2018-0739
https://access.redhat.com/security/cve/CVE-2018-1060
https://access.redhat.com/security/cve/CVE-2018-1061
https://access.redhat.com/security/cve/CVE-2018-10733
https://access.redhat.com/security/cve/CVE-2018-10767
https://access.redhat.com/security/cve/CVE-2018-10768
https://access.redhat.com/security/cve/CVE-2018-10844
https://access.redhat.com/security/cve/CVE-2018-10845
https://access.redhat.com/security/cve/CVE-2018-10846
https://access.redhat.com/security/cve/CVE-2018-12384
https://access.redhat.com/security/cve/CVE-2018-12910
https://access.redhat.com/security/cve/CVE-2018-13988
https://access.redhat.com/security/cve/CVE-2018-14679
https://access.redhat.com/security/cve/CVE-2018-14680
https://access.redhat.com/security/cve/CVE-2018-14681
https://access.redhat.com/security/cve/CVE-2018-14682
https://access.redhat.com/security/cve/CVE-2018-16837
https://access.redhat.com/security/cve/CVE-2018-17456
https://access.redhat.com/security/cve/CVE-2018-1000805
https://access.redhat.com/security/updates/classification/#critical
RHSA-2018:3347

5. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW+G3u9zjgjWX9erEAQgAUhAAqRxiXQ+HEeMacLOOXiNtHZ91AdCbtZIX
O1xI1WdLJH9kEEgk526iQIfbom/1bxb2dRT5RJEbsNV0FdXBd6R259BGWLETt5TI
6sSIFhIpm0c2Gij0rDFTkc4MvUctC2PEqN55NaWGEyPJmOKS3kl4l7w39fYOfaXJ
VeyMrtB8XvqwuF3niMInoUjdQZGDQNFHrK5+zVl7rPy5GiecQLbL2Vnkw40Vh7jo
b6vsiZo/T5KNE31L4Iz7yhgdY04KHdhHC5+Ro6CWPjdrINCyn5zYiq53RwaO0QGW
eMsgsqLZMcg3wcuufsVshwiiLrCvkndNsF6QvxJiNwtejCnbyQURk/Nk5a8qar3n
B9A1QYhn48PGqRSVkWjP1UwN1Jrkm5h7iZfcUh8unKQ7TAXY3uyEZFqAmUYr9kA6
1KkhHpis7FsYO2ss/oU/fUolvEJ/h66CbnQbdNafVtPESkGAFfTPUdLB5g2GWJr5
Iz6k21HIsDbyU6mFpC54KGl+YGPpbc1dmrlZkrf3SPeLtUrNVfdBRn0TiUU0b5rF
9QIHJnbrdyYFT4UpElZpB6ef1aoTM3lNy4UyXV+y2MfyVkey3z4ODjRiBNG6EN6o
n40beq2ygg78+xAR4opzuuDoBsF03RkDDGzx+t4bMC0K1M7263qX0jRpS75YqQPb
XQt29l/WyEU=
=irbz
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW+Iy6GaOgq3Tt24GAQjkgBAAnt0sKA09zACM/XjI+ZaIO99bhv6BPCs7
3IhqfVRLrKZ+apTgqhLeoX6JN80AU0Ytb7+jkAWBQvscX+YjwL8zyj9E2na0i3As
5eFlIl/4shwxsXYwKHvkXPcZU01uE1OCPICW9BOl4ynZCt7C3qjZRABC96vPEeW3
McB7Ne5FBKSmobKEt9gyAmvrI9tMN0oWCYljrIsFgBeNFwk12AO18BArfVYFN24r
783BqpiBBTdRUzJUoMk1vxzM4AY5MrCAvlhl3ujWYfoFCK2gRN+/Kr2UQlkTNG/H
T+zwQmefYoPgleQwkukeIasOOtKoBP3rLV/MDRcWIafq5WGtRI221AOCx5bfwsA7
MfuQ6ySvFiUtQed/Io/NNKqgIcz2PGY30Dg5wZ7T87TfgTrMZUawAeSkXduZYFXN
zx8gMe9AYq9bLLdjTsl1nmSp3CBIlb8C1DCd8UtAGyQsF9lCafnBbhARNnIwZOed
rZMDWs6md+xhvvCCaTMrDDZ4LH/CUwp0fOnOeuacQwH55jwPwgOfTSEy8f+XjWXG
2xuCiMNvLRR/hdMOOk1HNTegWZ45A7Ex4y80HTZ6qPVY6PvT96CR/seYcOdZDV3p
XH6HW6f3hoo7wxSDCv7HnEKw39AkrWEye0UW5p5pxhLlHPlpAzby1eBQV4i/YHHj
V3KlLrc47fY=
=A6p+
-----END PGP SIGNATURE-----
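Item 2 of the included Red Hat advisory says Tower 3.3.1 fixes HSTS and X-Frame-Options "to properly be set in nginx configuration". After upgrading, the check that actually matters is whether the headers reach the client, not whether they appear in the config: an nginx ``add_header`` in a server block is silently dropped for any nested ``location`` block that declares its own ``add_header``. The script below is an added example, not Red Hat's, Ansible's or AusCERT's code. The two sample responses are constructed here, the HSTS minimum of 6 months (15768000 seconds) and the accepted X-Frame-Options values are assumptions of this example rather than values from the advisory, and ``tower.example.com`` is a placeholder hostname.

```python
"""Post-upgrade check: does a Tower host send HSTS and X-Frame-Options?

Added example (not Red Hat's, Ansible's or AusCERT's code). It inspects the
response headers the nginx front end actually sends, because an add_header
set in one block but shadowed by a nested location block never reaches the
client even though it is "in the configuration".
"""
import re
import ssl
from http.client import HTTPSConnection
from typing import Dict, List

# Assumed thresholds (not from the advisory): HSTS max-age of at least
# 6 months, and X-Frame-Options limited to the two values browsers honour.
MIN_HSTS_MAX_AGE = 15768000
ALLOWED_XFO = ("DENY", "SAMEORIGIN")

# Constructed sample responses (not captures from a real Tower host):
# one as an unpatched host might answer, one as a fixed host should.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=15768000\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the head of a raw HTTP/1.1 response into {lower-name: [values]}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_security_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means both headers look right."""
    findings: List[str] = []

    hsts = headers.get("strict-transport-security", [])
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if m is None:
            findings.append("Strict-Transport-Security has no max-age directive")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            # max-age=0 tells browsers to forget the policy entirely
            findings.append(
                f"Strict-Transport-Security max-age {m.group(1)} "
                f"below {MIN_HSTS_MAX_AGE}"
            )

    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings.append("missing X-Frame-Options")
    elif xfo[0].upper() not in ALLOWED_XFO:
        findings.append(f"X-Frame-Options has unexpected value {xfo[0]!r}")

    return findings


def fetch_headers(host: str, path: str = "/", port: int = 443,
                  verify: bool = True) -> Dict[str, List[str]]:
    """Fetch live response headers over TLS from a host (needs network access)."""
    ctx = ssl.create_default_context()
    if not verify:  # only for a lab host with a self-signed cert; never the default
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = HTTPSConnection(host, port, timeout=10, context=ctx)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers: Dict[str, List[str]] = {}
    for name, value in resp.getheaders():
        headers.setdefault(name.lower(), []).append(value)
    conn.close()
    return headers


if __name__ == "__main__":
    for label, raw in (("before fix", RESPONSE_BEFORE), ("after fix", RESPONSE_AFTER)):
        print(label, check_security_headers(parse_headers(raw)) or ["OK"])
    # Against a real host (placeholder hostname):
    # print(check_security_headers(fetch_headers("tower.example.com")))
```

Run it against the Tower URL users actually hit, including the API path under ``/api/``, since each nginx ``location`` can carry its own ``add_header`` set; a clean result on ``/`` says nothing about the other locations.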