25.3.2

What's Changed

** Please take note that we utilize a new operator for this install, please ensure you update the installer to the latest git pull **

• Migrate from Redis 7 to Valkey 9 in #200
• Migrate back to rockylinux:9-minimal now that it is being updated regularly in #199
• Resolve issue with mass deleting templates and workflows in #202
• Fix dummy data generator in #201
• Hide the SSH Password text that is displayed on every playbook run in #203
• Move prompt steps inline to resolve issues with lingui marco in #204
• Fix __pycache__ directory removal in clean target - Upstream ansible/awx#16196 in #197
• Cache dashboard query - Upstream ansible/awx#16165 in #198

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Redis 7 container's base os wasn't being updated upstream and had 4 Critical and multiple other Vulnerabilities, so we migrated to Valkey
• Upgrade sqlparse to 0.5.4 in #196
• Update filelock to resolve CVE-2025-68146 in #205

Full Changelog: 25.3.1...25.3.2

25.3.1

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Upgrade Django to 5.2.9 to resolve CVE-2025-13372 CVE-2025-64460 in #194
• Upgrade urllib3 to 2.6.0 to resolve CVE-2025-66471 CVE-2025-66418 in #195

Full Changelog: 25.3.0...25.3.1

25.3.0

What's Changed

• Upgrade to Django v5 in #187
• Fix logic in isAuthenticated in #180
• Fix f-string in log that is broken (Upstream 16132) in #179
• Remove unused additional containers (splunk, grafana, etc...) in #184
• Remove dependency on django-crum, move to native threading. in #186
• Fix using the Ascender controller as an Inventory Source in #192
• Fix some translation issues causing text not to display in #193
• Removed options to disable gradient and custom header logo in #193
• Add better Source Var defaults for some Inventory Sources in #193
• Fix a UI caching issue when selecting Role permissions in #193
• Re-added Satellite credential in #191

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Update django to resolve CVE-2025-59681 in #175
• Update django to resolve CVE-2025-64459 CVE-2025-64458 in #182
• Upgrade to pip 25.3 to resolve CVE-2025-8869 in #183
• Update glob / js-yaml to resolve CVE-2025-64756 & CVE-2025-64718 in #185
• Update node-forge to resolve CVE-2025-12816, CVE-2025-66031, CVE-2025-66030 in #190
• Update social-auth-app-django to resolve CVE-2025-61783 in #187

Full Changelog: 25.2.0...25.3.0

25.2.0

What's Changed

• Add option for enabling Ansible 2.9 Collections variable
• Fix all links to external documentation
• Fix API JavaScript expansion icon. size() is long deprecated and removed
• Fix some web-socket issues and memory leaks in asyncs
• Migrate off react-script
• Notebook 7 breaks currently implementation of Jupyter, so downgrade it
• Pin django-ansible-base as last commit breaks migrations
• Re-import docs from Upstream 24.6.1 repo
• Remove alert modal if custom login settings can't be fetched
• Swap to alpine node image for UI
• Upgrade receptor to latest version
• Upgrade to latest Node 20 LTS
• (Upstream) Fix maintain order of insertions into m2m relationship tables
• (Upstream) Setting with ANSIBLE_BASE_ prefix does not need to be added to ENV var for job execution

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Upgrade aiohttp to resolve CVE-2025-53643
• Upgrade axios to resolve CVE-2025-58754
• Upgrade django, more work was done on CVE-2025-48432
• Upgrade django again to resolve CVE-2025-57833
• Upgrade esbuild to resolve GHSA-67mh-4wv8-2f99
• Upgrade form-data to resolve CVE-2025-7783
• Upgrade on-headers to resolve CVE-2025-7339
• Upgrade kibana, etc... images to latest
• Upgrade tmp to resolve CVE-2025-54798
• Remove @cypress/instrument-cra to resolve CVE-2017-16137
• Migrate to Lingui v5 to resolve multiple CVEs
• Migrate to webpack-dev-server v5 to resolve CVE-2025-30360 CVE-2025-30359 (DEV BUILD ONLY)
• Misc Npm updates (dependencies of dependencies) to resolve multiple CVEs

Full Changelog: 25.1.0...25.2.0

25.1.0

What's Changed

• Adding toast handler to fix errors when using list approve or deny buttons
• Address first_found skip bug in Ansible 2.16
• Add Labels listing to start using Labels as pseudo-folders for Templates
• Allow Menu Header logo to be customized
• Allow Menu gradient to be disabled
• Database deadlock by awx_callback_receiver_worker and awx_dispatcher_worker
• Facts are unintentionally deleted when the inventory is modified during a job execution
• Fix issue with saving System Settings when using local overrides
• Fix 404 error when logging in
• Fix issue on notifications when viewing a notification for a webhook
• Fix notification name search
• Fix instance peering pagination
• Resolve multiple warnings during build process
• Send job_lifecycle logs to external loggers
• Update to Python 3.11

Security Fixes

• Updated python / npm dependencies to resolve multiple CVEs.

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Migrate to Lingui v4 to resolve CVE-2024-21528
• Upgrade aiohttp to resolve CVE-2024-52304
• Upgrade azure-identity to resolve CVE-2024-35255
• Upgrade brace-expansion to resolve CVE-2025-5889
• Upgrade django to resolve CVE-2025-48432, CVE-2025-32873, CVE-2024-53908
• Upgrade http-proxy-middleware to resolve CVE-2025-32996, CVE-2025-32997, CVE-2024-21536
• Upgrade jinja2 to resolve CVE-2024-56326, CVE-2024-56201
• Upgrade pip to resolve CVE-2023-5752
• Upgrade requests to resolve CVE-2024-47081
• Upgrade setuptools to resolve CVE-2025-47273, CVE-2024-6345
• Upgrade path-to-regexp to resolve CVE-2024-52798
• Upgrade nanoid to resolve CVE-2024-55565,
• Upgrade cross-spawn to resolve CVE-2024-21538,
• Upgrade express to resolve CVE-2024-47764

Full Changelog: 25.0.0...25.1.0

25.0.0

What's Changed

Notable Items

• Official support for Ascender Ledger Pro 1.0. This release is certified to work with the upcoming Ascender Ledger Pro 1.0 release.
• Fix long standing bug where systems with more than 1500 packages would fail to upload data to Ledger due to rsyslog protocol limitations.
• Support for Same Site Cookies to support secure connectivity.
• Fix multiple framework CVE's and deprecation's as documented below.
• Adding the Install UUID to all External Logging to uniquely identify Ascender servers inside of an Ascender Ledger Pro install.
• Forwarding of bearer token Authorization headers when Externally logging to Ascender Ledger Pro.

Upstream Patches

• Commits pulled from upstream minus a few minor changes as we are on an older version of python (utilize
  importlib_metadata instead of importlib.metadata)
  Upstream
  ansible/awx@e68370f
  ansible/awx@3edaaeb
• Add option for SAMESITE:
  Resolves #48
  Patch from Upstream -> ansible/awx#15100

Other

• Migrate away from pkg_resources as it's deprecated -> This resolves the pkg_resources deprecation warnings.
• Move to using an image mirror
• Replace the deprecated usage of "docker-compose" with "docker compose"
• Updates rsyslog to use the imptcp input module over the legacy socket input module. It does this to avoid Messages with too long errors (Errno 90) that occur with large packet sizes. Fixes [https://github.com//issues/51]
• Add Install UUID and URL to log data

Security Fixes

• CVE-2024-11831
• CVE-2025-26699
• CVE-2025-27516
• CVE-2025-27789
• CVE-2025-26699
• CVE-2025-27516
• CVE-2025-27152
• CVE-2024-12797
• CVE-2025-26791

Full Changelog: 24.0.4...25.0.0

24.0.4

What's Changed

Upstream Patches

• Update defaults.py to increase rsyslog max size by @cigamit in #35

Security Fixes

• Updated NPM packages to resolve multiple CVEs
  • path-to-regexp: GHSA-rhx6-c78j-4q9w,
  • nanoid: GHSA-mwcw-c2x4-8c55,
  • cross-spawn: GHSA-3xgq-45jj-v275,
  • express: GHSA-pxg6-pf52-xh8x
• Upgrating aiohttp>=3.10.11 fixing CVE-2024-52304 by @zorrinna in #38
• Updating http-proxy-middleware to version 2.0.7 CVE-2024-21536 by @zorrinna in #50
• Update jinja2 to fix CVE-2024-56326 and CVE-2024-56201 by @cigamit in #40
• CVE-2023-5752:
  • Updating PIP to version 23.3 for CVE-2023-5752 by @TheWitness in #43
  • Update PIP to 23.3 to address Mercurial Injection CVE-2023-5752 by @TheWitness in #44
• CVE-2024-6345:
  • Udating for setuptools to address CVE-2024-6345 by @TheWitness in #45
  • Udating for setuptools to address CVE-2024-6345 by @TheWitness in #47

Other

• Add CIQ Depot credential by @brianphan in #34
• Update requirements.txt for sqlparse 0.5.2 by @TheWitness in #36

New Contributors

• @brianphan made their first contribution in #34
• @TheWitness made their first contribution in #36
• @zorrinna made their first contribution in #38

Full Changelog: 24.0.3...24.0.4

24.0.3

What's Changed

Upstream Patches

• Fix issue with websocket blocking forever - Upstream #15043
• Adding podAntiAffinity - Upstream #15578
• Resolve CI Issues
• Bump to receptor v1.4.9

Security Fixes

• Updated NPM packages to resolve multiple CVEs
  • ansi-regex: CVE-2021-3807
  • cookie: CVE-2024-47764
  • minimatch: CVE-2022-3517
  • rollup: CVE-2024-47068
  • semver: CVE-2022-25883

24.0.2

What's Changed

Upstream Patches

• Fix failing bulk launch job due to create partition race
• Add restart for websocket
• Avoid race conditions when removing multiple instances
• Only refresh session if updating own password
• Wrap preload data in a transaction
• Fix error "Min value should be Decimal"
• Fix: catch correct exception when parsing filter
• Fix SAMLAuth backend to correctly return social auth pipeline results

Security Fixes

• Updated python dependencies to resolve multiple CVEs.

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

aiohttp - CVE-2024-42367
cryptography - CVE-2023-50782
cryptography - CVE-2024-26130
cryptography - CVE-2024-0727
cryptography - GHSA-h4gh-qq45-vh27
django - CVE-2024-45231
django - CVE-2024-45230
django - CVE-2024-39329
django - CVE-2024-38875
django - CVE-2024-39330
django - CVE-2024-39614
django - CVE-2024-27351
djangorestframework - CVE-2024-21520
dompurify - CVE-2024-45801
idna - CVE-2024-3651
jinja2 - CVE-2024-34064
jwcrypto - CVE-2023-6681
jwcrypto - CVE-2024-28102
pydantic - CVE-2024-3772
resolve - CVE-2024-35195
social-auth-app-django - CVE-2024-32879
sqlparse - CVE-2024-4340
twisted - CVE-2024-41671
twisted - CVE-2024-41810
urllib3 - CVE-2023-45803
urllib3 - CVE-2024-37891
uwsgi - CVE-2023-27522
zipp - CVE-2024-5569

• Updated NPM packages to resolve multiple CVEs

axios - CVE-2024-39338
braces - CVE-2024-4068
debug - CVE-2017-16137
micromatch - CVE-2024-4067
webpack - CVE-2024-43788
ws - CVE-2024-37890
(... and many more)

24.0.1

Fix CVE-2024-24680 - DJango DoS
Fix CVE-2024-30251 - AIOHTTP DoS (also fixes 2 other AIOHTTP related CVEs)
Update AWX NPM packages to resolve several CVEs
Restore Host Activity to Host Lists
Pin Docker and Request versions to fix build process