Release Notes for the December 18, 2024 patch release. (#2700)

Resolves: AAP-37057
See also: AAP-37319

Author: rogrange

downstream/titles/release-notes/async/aap-25-12-18-dec.adoc

@@ -0,0 +1,171 @@
+[[aap-25-5-3-dec]]
+
+= {PlatformNameShort} patch release December 18, 2024
+
+The following enhancements and bug fixes have been implemented in this release of {PlatformNameShort}.
+
+== Enhancements
+
+=== {PlatformNameShort}
+
+* Added help text to all missing fields in {PlatformNameShort} gateway and `django-ansible-base`. (AAP-37068)
+
+* Consistently formatted sentence structure for `help_text`, and provided more context in the help text where it was vague.(AAP-37016)
+
+* Added dynamic preferences for usage by {Analytics}.(AAP-36710)
+
+** `INSIGHTS_TRACKING_STATE`: Enables the service to gather data on automation and send it to {Analytics}.
+
+** `RED_HAT_CONSOLE_URL`: This setting is used to to configure the upload URL for data collection for {Analytics}.
+
+** `REDHAT_USERNAME`: Username used to send data to {Analytics}.
+
+** `REDHAT_PASSWORD`: Password for the account used to send data to {Analytics}.
+
+** `SUBSCRIPTIONS_USERNAME`: Username is used to retrieve subscription and content information.
+
+** `SUBSCRIPTIONS_PASSWORD`: Password is used to retrieve subscription and content information.
+
+** `AUTOMATION_ANALYTICS_GATHER_INTERVAL`: interval in seconds at which {Analytics} gathers data.
+
+* Added an enabled flag for turning authenticator maps on or off. (AAP-36709)
+
+* `aap-metrics-utility` has been updated to 0.4.1. (AAP-36393)
+
+* Added the setting `trusted_header_timeout_in_ns` to timegate `X_TRUSTED_PROXY_HEADER` validation in the `django-ansible-base` libraries used by {PlatformNameShort} components. (AAP-36712)
+
+
+=== Documentation updates
+
+* With this update, the {OperatorPlatformNameShort} growth topology and {OperatorPlatformNameShort} enterprise topology have been updated to include s390x (IBM Z) architecture test support.
+
+
+=== {EDAName}
+
+* Extended the scope of the `log_level` and debug settings. (AAP-33669)
+
+* A project can now be synced with the {EDAName} collection modules. (AAP-32264)
+
+* In the Rulebook activation create form, selecting a project is now required before selecting a rulebook.(AAP-28082)
+
+* The btn:[Create credentials] button is now visible irrespective of whether there are any existing credentials or not.(AAP-23707)
+
+
+== Bug fixes
+
+=== General
+
+* Fixed an issue where `django-ansible-base` fallback cache kept creating a *tmp* file even if the *LOCATION* was set to another path.(AAP-36869)
+
+* Fixed an issue where the OIDC authenticator was not allowed to use the JSON key to extract user groups, or for a user to be modified via the new `GROUPS_CLAIM` configuration setting.(AAP-36716)
+
+
+With this update, the following CVEs have been addressed:
+
+* link:https://access.redhat.com/security/cve/cve-2024-11079[CVE-2024-11079] `ansible-core`: Unsafe Tagging Bypass via `hostvars` Object in Ansible-Core.(AAP-35563)
+
+* link:https://access.redhat.com/security/cve/cve-2024-53908[CVE-2024-53908] `ansible-lightspeed-container`: Potential SQL injection in `HasKey(lhs, rhs)` on Oracle.(AAP-36767)
+
+* link:https://access.redhat.com/security/cve/cve-2024-53907[CVE-2024-53907] `ansible-lightspeed-container`: Potential denial-of-service in `django.utils.html.strip_tags()`.(AAP-36755)
+
+* link:https://access.redhat.com/security/cve/cve-2024-11483[CVE-2024-11483] which allowed users to escape the scope of their personal access *OAuth2* tokens, from read-scoped to read-write-scoped, in the gateway.(AAP-36261)
+
+
+=== {PlatformName}
+
+* Fixed an issue where when role user assignments were queried in the platform UI, the query is successful about 75% of the time.(AAP-36872)
+
+* Fixed an issue where the user was unable to filter job templates by *label* in {PlatformNameShort} 2.5.(AAP-36540)
+
+* Fixed an issue where it was not possible to open a job template after removing the user that created the template.(AAP-35820)
+
+* Fixed an issue where the inventory source update failed, and did not allow selection of the inventory file.(AAP-35246)
+
+* Fixed an issue where the *Login Redirect Override* setting was missing and not functioning as expected in {PlatformNameShort} 2.5.(AAP-33295)
+
+* Fixed an issue where users were able to select a credential that required a password when defining a schedule.(AAP-32821)
+
+* Fixed an issue where the job output did not show unless you switched tabs. This also fixed other display issues.(AAP-31125)
+
+* Fixed an issue where adding a new Automation Decision role to a team did not work from the {MenuAMTeams} navigation path.(AAP-31873)
+
+* Fixed an issue where migration was missing from {PlatformNameShort}.(AAP-37015)
+
+* Fixed an issue where the gateway *OAuth* token was not encrypted at rest.(AAP-36715)
+
+* Fixed an issue where the API forces the user to save a service with an API port even if one does not exist.(AAP-36714)
+
+* Fixed an issue where the Gateway did not properly interpret SAML attributes for mappings.(AAP-36713)
+
+* Fixed an issue where non-self-signed *certificate+key* pairs were allowed to be used in SAML authenticator configurations.(AAP-36707)
+
+* Fixed an issue where the login page was not redirecting to `/api/gateway/v1` if a user was already logged in.(AAP-36638)
+
+
+=== {HubNameMain}
+
+* When configuring an *Ansible Remote* to sync collections from other servers, a requirements file is only required for syncs from Galaxy, and optional otherwise. Without a requirements file, all collections are synced.(AAP-31238)
+
+
+==== Container-based {PlatformNameShort}
+
+* Fixed an issue that allowed {ControllerName} nodes to override the `receptor_peers` variable. (AAP-37085)
+
+* Fixed an issue where the containerized installer ignored `receptor_type` for {ControllerName} hosts and always installed them as hybrid.(AAP-37012)
+
+* Fixed an issue where Podman was not present in the task container, and the cleanup image task failed.(AAP-37011)
+
+* Fixed an issue where only one {ControllerName} node was configured with Execution/Hop node peers rather than all {ControllerName} nodes.(AAP-36851)
+
+* Fixed an issue where the {ControllerName} services lost connection to the database, where the containers are stopped and the `systemd` unit does not try to restart.(AAP-36850)
+
+* Fixed an issue where receptor_type and `receptor_protocol` variables validation checks were skipped during the preflight role execution.(AAP-36857)
+
+
+=== {EDAName}
+
+* Fixed an issue where the url field of the event stream was not updated if `EDA_EVENT_STREAM_BASE_URL` setting changed. (AAP-33819)
+
+* Fixed an issue where {EDAName} and {ControllerName} fields were pre-populated with gateway credentials when `secret: true` is set on custom credentials.(AAP-33188)
+
+* Fixed an issue where the bulk removal of selected role permissions disappeared when more than 4 permissions were selected.(AAP-28030)
+
+ * Fixed an issue where *Enabled options* had its own scrollbar on the *Rulebook Activation Details* page.(AAP-31130)
+
+* Fixed an issue where the status of an activation was occasionally inconsistent with the status of the latest instance after a restart.(AAP-29755)
+
+* Fixed an issue where importing a project from a non-existing branch resulted in the completed state instead of a Failed status.(AAP-29144)
+
+* Fixed an issue with respect to the custom credential types where if the user clicked *The generate extra vars* before the `fields: key` in the input configuration it would create an empty line that is uneditable.(AAP-28084)
+
+* Fixed an issue where the project sync would not fail on an empty or unstructured git repository.(AAP-35777)
+
+* Fixed an issue where rulebook validation import/sync fails when a rulebook has a duplicated rule name.(AAP-35164)
+
+* Fixed an issue where the Event Driven Ansible API allowed a credential's type to be changed.(AAP-34968)
+
+* Fixed an issue where a previously failed project could be accidentally changed to *completed* after a resync.(AAP-34744)
+
+* Fixed an issue where no message was recorded when a project did not contain any rulebooks.(AAP-34555)
+
+* Fixed an issue where the name for credentials in the rulebook activation form field was not updated.(AAP-34123)
+
+* Updated the message for the rulebook activation/event streams for better clarity.(AAP-33485)
+
+* Fixed an issue where the source plugin was not able to use the `env vars` to establish a successful connection to the remote source.(AAP-35597)
+
+* Fixed an issue in the collection where the activation module failed with a misleading error message if the rulebook, project, decision environment, or organization, could not be found.(AAP-35360)
+
+* Fixed an issue where the validation a host specified as part of a container registry credential did not conform to container registry standards. The specified host was previously able to use a non-syntactically valid host (name or net address) and optional port value `(<valid-host>[:<port>])`. The validation is now applied when creating a credential as well as when modifying an existing credential regardless of fields being modified.(AAP-34969)
+
+* Fixed an issue whereby multiple {PlatformName} credentials were being attached to activations.(AAP-34025)
+
+* Fixed an issue where there was an erroneous dependency on the existence of an organization named *Default*.(AAP-33551)
+
+* Fixed an issue where occasionally an activation is reported as running, before it is ready to receive events.(AAP-31225)
+
+* Fixed an issue where the user could not edit auto-generated *injector vars* while creating {EEDAName} custom credentials.(AAP-29752)
+
+* Fixed an issue where in some cases the `file_watch` source plugin in an {EDAName} collection raised the *QueueFull* exception.(AAP-29139)
+
+* Fixed an issue where the {EDAName} database increased in size continuously, even if the database was unused. Addend the purge_record script to clean up outdated database records.(AAP-30684)