ManageIQ Kasparov-2 and Jansa-4 are now available. These releases include a security fix, which is also included in the new Lasker-1 GA release. Many thanks goes to Jason Frey (@Fryguy) and Gregg Tanzillo (@gtanzillo) for finding and fixing these vulnerabilities. Also, many thanks go to all of the contributors for all of their enhancements and bug fixes.

Security Issues

High severity

• CVE-2021-32756 - Arbitrary eval through MiqExpression

Other notable changes

Kasparov-2

Bug

• Handle Unicode characters in httpd auth headers [#21171], [manageiq-api#1031]
• Improve the provider check for authentication status [#21198]
• [Docker build] Ensure that the postgres directory has the correct permissions. [#21151]
• [Podified build] Replace all kubernetes label unsafe characters with - [#21139]
• [Podified build] If there is a HttpdAuthConfig, add the backup label to it [manageiq-pod#692]
• [API] Fix Provider create product feature [manageiq-api#1038]
• [API] Fix storing ae_attributes as uri_attributes for create/edit in CustomButtons [manageiq-api#967]
• [Amazon provider] Don’t normalize_os_name if image_location is nil [manageiq-providers-amazon#700]
• [Amazon provider] Fix AgentCoordinatorWorker sync_workers [manageiq-providers-amazon#686]
• [Ansible Tower provider] Fix API path not being added to URL [manageiq-providers-ansible_tower#260]
• [Ansible Tower provider] Fix username and password required error on edit [manageiq-providers-ansible_tower#258]
• [Azure provider] The Per Disk Read/Write Per Sec Metric was removed [manageiq-providers-azure#436]
• [IBM Cloud provider] Remove default ‘Network Interfaces’ selection [manageiq-providers-ibm_cloud#184]
• [Kubernetes provider] Only collect metrics if the metrics endpoint has valid authentication [manageiq-providers-kubernetes#431]
• [OpenStack provider] Extend error catching in detect_service for tenant [manageiq-providers-openstack#702]
• [OpenStack provider] Fix domain_id params / verify key mismatch [manageiq-providers-openstack#699]
• [OpenStack provider] Fix for the OpenStack port always being nil and defaulting to 5000 [manageiq-providers-openstack#696]
• [oVirt provider] Fix metrics connection setup failure [manageiq-providers-ovirt#551]
• [SCVMM provider] Handle missing VM VMCPath [manageiq-providers-scvmm#184]
• [VMware provider] Clear cached tags after finishing a full refresh [manageiq-providers-vmware#695]
• [UI] Fix tenants tree in Edit catalog item [manageiq-ui-classic#7733]
• [UI] Fix reference to missing product feature preventing add/update/reset chargeback rates [manageiq-ui-classic#7729]
• [UI] Fix Monitor > Alerts > All Alerts [manageiq-ui-classic#7726]

Enhancement

• [Podified build] Add backup labels to the PVCs [manageiq-pods#711]
• [Podified build] List all known server GUIDs if the deployment status is new replica [#21197]
• [IBM Cloud provider] Add api endpoints for new regions [manageiq-providers-ibm_cloud#169]
• [IBM Cloud provider] Allow API endpoint overrides through settings [manageiq-providers-ibm_cloud#150]

Here are the changes (since Kasparov-1) per affected repository in GitHub:

• manageiq
• manageiq-api
• manageiq-appliance-build
• manageiq-content
• manageiq-pods
• manageiq-providers-amazon
• manageiq-providers-ansible_tower
• manageiq-providers-azure
• manageiq-providers-ibm_cloud
• manageiq-providers-kubernetes
• manageiq-providers-openstack
• manageiq-providers-ovirt
• manageiq-providers-scvmm
• manageiq-providers-vmware
• manageiq-rpm_build
• manageiq-ui-classic

Jansa-4

Bug

• [API] Fix storing ae_attributes as uri_attributes for create/edit in CustomButtons [manageiq-api#967]
• [Amazon provider] Fix AgentCoordinatorWorker sync_workers [manageiq-providers-amazon#686]
• [Azure provider] The Per Disk Read/Write Per Sec Metric was removed [manageiq-providers-azure#436]
• [SCVMM provider] Handle missing VM VMCPath [manageiq-providers-scvmm#184]
• [VMware provider] Ensure all OperationsWorker connections create monitor_updates thread [manageiq-providers-vmware#685]
• [UI] Fix reference to missing product feature preventing add/update/reset chargeback rates [manageiq-ui-classic#7729]
• [UI] Fix Monitor > Alerts > All Alerts [manageiq-ui-classic#7726]
• [UI] Fix error in policy condition edit [manageiq-ui-classic#7579]
• [UI] Do not display disabled domains in automate entrypoint selections [manageiq-ui-classic#6744]

Here are the changes (since Jansa-3) per affected repository in GitHub:

• manageiq
• manageiq-api
• manageiq-appliance-build
• manageiq-content
• manageiq-pods
• manageiq-providers-amazon
• manageiq-providers-azure
• manageiq-providers-ovirt
• manageiq-providers-scvmm
• manageiq-providers-vmware
• manageiq-rpm_build
• manageiq-ui-classic

With the release of Lasker-1, you can obtain the Jansa-4 and Kasparov-2 releases here. Since we no longer support Ivanchuk, we highly recommend upgrading to a supported release instead.

For questions or support, join in on the talk page.