ManageIQ Ivanchuk-7 and Jansa-1 RC2 are now available. These releases are primarily security fix releases, after extensive security testing. Many thanks goes to the IBM Security team for finding and reporting these vulnerabilities.

Security Issues

Critical severity

• CVE-2020-14325 - User Impersonation in the API for OIDC and SAML

High severity

• CVE-2020-10778 - Business logic bypass through widgets
• CVE-2020-10779 - Missing functional level access control & IDOR lead to compromise
• CVE-2020-14324 - Out-of-band OS Command Injection through conversion host (Ivanchuk only)

Moderate severity

• CVE-2020-10777 - Cross Site Scripting in report menu title / HTML Code Injection
• CVE-2020-10780 - CSV Injection in Orchestration Templates
• CVE-2020-10783 - Missing access control leads to escalation of admin group privileges
• CVE-2020-14296 - Server-Side Request Forgery (SSRF) in Ansible Tower Provider
• Host Header Injection

Other notable changes

Ivanchuk-7

Fixed

• DialogFieldTagControl - don’t add <None> for multiselects (#19696)
• Fix vm retirement initiated on global region (#20244)
• Fixed Settings hierarchy on Global region (#20299)
• [Automation Engine] Prevent git import to overwrite base system domain in datastore (manageiq-automation_engine#355)
• [Pods] Add ansible-runner (manageiq-pods#561)
• [Openstack Provider] Skip Volumes without mountpoint in VM refresh (manageiq-providers-openstack#517)
• [UI] MiqTask to get stdout for Ansible should be owned by user who requested view (manageiq-ui-classic#7093)

Added

• Add support for Service request copy (#18859)
• [Automation Engine] Update object based on ansible set_stats data (manageiq-automation_engine#381)
• [Automation Engine] Update service_vars with playbook set_stats data (manageiq-automation_engine#399)
• [Openstack Provider] Add STF Event monitor backend (manageiq-providers-openstack#556)
• [oVirt Provider] Vm disk resize (manageiq-providers-ovirt#483)
• [UI] Enable Copy feature for ServiceRequests (manageiq-ui-classic#5539)
• [UI] Catalog Item: allow for selecting / deselecting whole tenant subtree (manageiq-ui-classic#7142)
• [UI] Allow for file:// urls in git repository (manageiq-ui-classic#7105)

Here are the changes (since Ivanchuk-6) per affected repository in GitHub:

• manageiq
• manageiq-api
• manageiq-appliance
• manageiq-appliance-build
• manageiq-automation_engine
• manageiq-content
• manageiq-pods
• manageiq-providers-ansible_tower
• manageiq-providers-openstack
• manageiq-providers-ovirt
• manageiq-ui-classic
• manageiq-ui-service

Jansa-1 RC2

Fixed

• Call column_type on parsed field to get the actual column type (#20398)
• [API] Updated the API to return nil virtual attributes and associations (manageiq-api#875)
• [Amazon Provider] Update volume_id fetching for volume modification events (manageiq-providers-amazon#639)

Here are the changes (since Jansa-1 RC1) per affected repository in GitHub:

• manageiq
• manageiq-api
• manageiq-appliance
• manageiq-appliance-build
• manageiq-content
• manageiq-pods
• manageiq-providers-amazon
• manageiq-providers-ansible_tower
• manageiq-providers-lenovo
• manageiq-providers-openstack
• manageiq-providers-vmware
• manageiq-ui-classic

You can download the Ivanchuk-7 and Jansa-1 RC2 releases here.

For questions or support, join in on the talk page.