Refer to the latest Product Documentation for Red Hat Ansible Automation Platform for the complete Automation Platform documentation.
For automation controller versions 4.4 and older, refer to the Automation Controller documentation archive.
Automation Controller Fixes
Fixed Galaxy credentials to be correctly ordered when assigning them using ansible.controller.organization (AAP-31398)
Fixed gather analytics failure due to missing _unpartitioned_main_jobevent table (AAP-31053)
Security Fixes
Updated twisted to fix an HTML injection vulnerability that could have resulted in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body (CVE-2024-41810) (AAP-28121)
Updated urllib3 to automatically strip the Proxy-Authorization header by default during cross-origin redirects (CVE-2024-37891) (AAP-27468)
Updated the package djangorestframework to avoid vulnerabilities to Cross-site Scripting (XSS) via the break_long_headers template filter (CVE-2024-21520) (AAP-26186)
Updated fallback to use RHSM subscription credential for shipping analytics data if analytics gathering is enabled (AAP-30228)
Upgraded channels-redis library to fix Redis connection leak (AAP-30124)
Automation Controller Fixes
Added a new debug setting, RECEPTOR_KEEP_WORK_ON_ERROR, to prevent the receptor from releasing the work unit when a job fails (AAP-27635)
Updated the Help link in the REST API to point to the latest API Reference documentation (AAP-27573)
Fixed a timeout error in the UI when trying to load the Activity Stream with a large number of activity records (AAP-26772)
Security Fixes
Fixed a potential security vulnerability associated with SQL injection in QuerySet.values() and values_list() (CVE-2024-42005) (AAP-28564)
Fixed a potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget (CVE-2024-41991) (AAP-28558)
Fixed a potential denial-of-service vulnerability in django.utils.html.urlize() (CVE-2024-41990) (AAP-28548)
Fixed controller to prevent automountServiceAccountToken from being set to true in a container group pod spec override (CVE-2024-6840) (AAP-27352)
Fixed an algorithm confusion with OpenSSH ECDSA keys and other key formats (CVE-2024-33663) (AAP-23457)
Fixed improper handling of case sensitivity in social-auth-app-django (CVE-2024-32879) (AAP-23392)
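An added example, not automation controller code, showing the kind of audit an administrator can run over existing container group pod spec overrides before upgrading to a version that enforces the fix above. It assumes each override is the usual Pod manifest (kind Pod with a top-level spec), the same document the controller stores as YAML; the sample overrides below are constructed and embedded as JSON (which is valid YAML) so the script runs without PyYAML.

```python
"""Audit container group pod spec overrides for automountServiceAccountToken: true."""
import json

# Constructed sample overrides keyed by container group name (not from a real deployment).
SAMPLE_OVERRIDES = {
    "cg-default": json.dumps({
        "apiVersion": "v1", "kind": "Pod",
        "spec": {"serviceAccountName": "default",
                 "containers": [{"name": "worker", "image": "ee:latest"}]},
    }),
    "cg-mounts-token": json.dumps({
        "apiVersion": "v1", "kind": "Pod",
        "spec": {"automountServiceAccountToken": True,
                 "containers": [{"name": "worker", "image": "ee:latest"}]},
    }),
    "cg-explicit-false": json.dumps({
        "apiVersion": "v1", "kind": "Pod",
        "spec": {"automountServiceAccountToken": False, "containers": []},
    }),
}


def mounts_service_account_token(override: str) -> bool:
    """Return True if the override asks Kubernetes to mount the service account token.

    An empty override means the controller default applies, which is treated as safe here.
    Only a boolean true counts; absent or false leaves the token unmounted.
    """
    doc = json.loads(override) if override.strip() else {}
    spec = doc.get("spec") or {}
    return spec.get("automountServiceAccountToken") is True


def audit(overrides: dict) -> list:
    """Return the sorted names of container groups whose override mounts the token."""
    return sorted(name for name, text in overrides.items()
                  if mounts_service_account_token(text))


if __name__ == "__main__":
    for name in audit(SAMPLE_OVERRIDES):
        print(f"{name}: pod spec override sets automountServiceAccountToken: true")
```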
This release was combined with version 4.5.10.
Automation Controller Fixes
Fixed a bug where the controller does not respect the DATABASES['OPTIONS'] setting, if specified (AAP-26398)
Changed all uses of ImplicitRoleField to perform an on_delete=SET_NULL (AAP-25136)
Fixed the HostMetric automated counter to display the correct values (AAP-25115)
Added Django logout redirects (AAP-24543)
Updated the dispatcher to make the database password optional in order to support PostgreSQL authentication methods that do not require one (AAP-22231)
Security Fixes
Updated the requirements file to require greater than or equal to fixed version on requests (CVE-2024-35195) (AAP-24411)
Updated the requirements file to require greater than or equal to fixed version on Jinja2 dependencies (CVE-2024-34064) (AAP-23790)
Updated the requirements file to require fixed versions on python-jwcrypto and typing_extensions dependencies (CVE-2024-28102) (AAP-21665)
Automation Controller Fixes
Fixed database connection leak when the wsrelay main asyncio loop crashes (AAP-22938)
Fixed Redis connection leak on automation controller version 4.5.6 (AAP-24286)
Fixed the #! (shebang) for the Python uwsgitop script (AAP-22461)
Changed the import command to stop pre-loading objects, and instead do a targeted search when the cache fails to have a matching object (AAP-23412)
Security Fixes
Addressed an aiohttp issue with denial of service (DoS) when trying to parse malformed POST requests (CVE-2024-30251) (AAP-23653)
Addressed a python-pydantic issue with regular expression DoS via a crafted email string (CVE-2024-3772) (AAP-22856)
Addressed a python-django issue with potential regular expression DoS in django.utils.text.Truncator.words() (CVE-2024-27351) (AAP-21133)
Fixed a Mercurial configuration injection through the repository revision when installing via pip (CVE-2023-5752) (AAP-18435)
This release was combined with version 4.5.7.
Automation Controller Fixes
Changed the K8s API version for the Deployment kind to apps/v1 (AAP-21807)
Fixed controller restores to no longer overwrite the PostgreSQL secret of the original deployment (AAP-18740)
Fixed wsrelay to no longer cause controller task container to restart in an OCP deployment (AAP-21308)
Fixed schedule prompted variables and survey answers to no longer reset on edit when changing one of the basic form fields (AAP-20967)
Fixed Ansible Automation Platform to no longer terminate some jobs while running large deployments (AAP-19565)
Fixed dispatcher to appropriately terminate child processes when dispatcher terminates (AAP-21049)
Fixed upgrade from Ansible Tower 3.8.6 to AAP 2.4 to no longer fail upon database schema migration (AAP-19738)
Fixed the update execution environment image to no longer fail jobs that use the previous image (AAP-21733)
Removed string validation that compared English literals, replacing it with error/op codes as a universal approach to validation and comparison (AAP-21721)
Security Fixes
Addressed the Jinja2 issue of HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195) (AAP-19433)
Addressed the aiohttp issue with the follow_symlinks directory traversal vulnerability (CVE-2024-23334) (AAP-20064)
Addressed the aiohttp issue with HTTP request smuggling (CVE-2024-23829) (AAP-20073)
Addressed the Django issue with denial-of-service in the intcomma template filter (CVE-2024-24680) (AAP-20057)
Addressed the GitPython issue with blind local file inclusion (CVE-2023-41040) (AAP-17710)
Addressed the Axios issue of exposing confidential data stored in cookies (CVE-2023-45857) (AAP-21240)
Addressed the twisted issue of disordered HTTP pipeline responses in twisted.web (CVE-2023-46137) (AAP-17652)
Addressed aiohttp HTTP parser issues with header parsing (CVE-2023-47627) (AAP-18266)
Addressed the cryptography issue with a NULL dereference when loading PKCS7 certificates (CVE-2023-49083) (AAP-19154)
These releases were combined with version 4.5.5.
Fixed the host_name table associated with running a job template to populate properly with the hostname of the host from the job output (AAP-20131)
Enabled Hashi Vault LDAP and Userpass authentication (AAP-19842)
Fixed jobs stuck in the pending state after the database connection recovers (AAP-19618)
Added a secure flag option for the userLoggedIn cookie if SESSION_COOKIE_SECURE is set to True (AAP-19602)
Fixed twilio_backend.py to send SMS to multiple destinations (AAP-19284)
Fixed rsyslogd unexpectedly stopping sending events to the Splunk HTTP Collector, and enabled rsyslog to recover from 4xx errors (AAP-19069)
Fixed a TypeError in the Logging Settings Edit form of the automation controller user interface to no longer render the form inputs inaccessible (AAP-18960)
Fixed Delinea (previously: Thycotic) DevOps Secrets Vault credential plugin to work with python-dsv-sdk>=1.0.4 (AAP-18701)
Updated urllib3 to prevent cookie request header to be exposed during cross-origin redirects (AAP-17518) (CVE-2023-43804)
Updated schedule Prompt on launch fields to persist while editing (AAP-13859)
Fixed a concurrency bug that led to WebSockets being disconnected and the UI not being refreshed on the cluster node (AAP-18748)
Updated the "credential_type" parameter to be required for the credential module (AAP-18186)
Reduced database connections in automation controller (AAP-11222)
Added hop node support for Openshift-based deployments to give users more ways to route traffic from control nodes to remote execution nodes (AAP-6078)