[Announce] Two security issues: bookmarks, permissions

Two separate security issues have been reported to the project, and
patches are now available for them. These affect all versions of
Foreman, but require a login to exploit.

We'd like to thank Ramon de C Valle for discovering and reporting the
vulnerabilities to us.

  1. Remote code execution in Foreman via bookmark controller name
    CVE identifier: CVE-2013-2121
    CVSS v2 score: 6 (Important)
    Issue tracker: Bug #2631: Remote code execution in Foreman via bookmark controller name - Foreman

    Patch for Foreman 1.1:
    https://github.com/theforeman/foreman/commit/8920e796.patch

  2. Users with create/edit user permissions can escalate to admin
    CVE identifier: CVE-2013-2113
    CVSS v2 score: 3.5 (Moderate)
    Issue tracker: Bug #2630: Users with create/edit user permissions can escalate to admin - Foreman

    Patch for Foreman 1.1:
    https://github.com/theforeman/foreman/commit/7eadf32c.patch
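
The two issues above are instances of two common classes: an
unvalidated, user-supplied controller name (issue 1) and a user-edit
path that lets a non-admin set the admin flag (issue 2). The Ruby
below is an added, framework-free illustration of the checks one
would expect against both classes; it is not Foreman's code or the
content of the linked patches. The class names, the controller
allow-list and the :edit_users permission are assumptions made for
the example.

```ruby
# Added illustration, not Foreman's code: checks against the two issue
# classes named in the advisory.  KNOWN_CONTROLLERS, Bookmark, User and
# the :edit_users permission are assumptions for this example.
require 'set'

# --- Issue 1 class: user-supplied controller names -------------------
# A bookmark records which controller it applies to.  Accept only names
# from a fixed allow-list and a strict character set; never turn an
# arbitrary string into a class, method or shell command.
KNOWN_CONTROLLERS = Set.new(%w[hosts hostgroups domains operatingsystems
                               users bookmarks]).freeze
CONTROLLER_NAME_RE = /\A[a-z][a-z0-9_]*\z/.freeze

class InvalidBookmark < StandardError; end

class Bookmark
  attr_reader :name, :controller, :query

  def initialize(name:, controller:, query:)
    unless controller.is_a?(String) &&
           controller.match?(CONTROLLER_NAME_RE) &&
           KNOWN_CONTROLLERS.include?(controller)
      raise InvalidBookmark, "unknown controller #{controller.inspect}"
    end
    @name = name
    @controller = controller
    @query = query
  end
end

# True only if the name would be accepted by the Bookmark validation.
def valid_bookmark_controller?(controller)
  Bookmark.new(name: 'x', controller: controller, query: '')
  true
rescue InvalidBookmark
  false
end

# --- Issue 2 class: escalation through the user-edit permission -------
# Holding "edit users" must not be enough to grant the admin flag to
# oneself or anyone else; only an existing admin may change it.
class PermissionDenied < StandardError; end

User = Struct.new(:login, :admin, :permissions)

# Applies attrs (string or symbol keys, as a web form would send) from
# actor onto target, refusing any change to :admin by a non-admin actor.
def update_user(actor, target, attrs)
  unless actor.admin || actor.permissions.include?(:edit_users)
    raise PermissionDenied, 'edit_users required'
  end
  attrs = attrs.transform_keys(&:to_sym)
  if attrs.key?(:admin) && attrs[:admin] != target.admin && !actor.admin
    raise PermissionDenied, 'only an admin may change the admin flag'
  end
  target.login = attrs[:login] if attrs.key?(:login)
  target.admin = attrs[:admin] if attrs.key?(:admin)
  target
end
```

The admin check compares the requested value with the current one, so
a non-admin editor can still submit the unchanged flag (as a form
round-trip does) but cannot flip it in either direction.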

Fixes will be available in Foreman 1.2.0-RC2, which should be out today.
Foreman 1.1 users can apply the backported patches above to their
installation (I recommend that you back up /usr/share/foreman before
applying them).

Users running from source will find fixes have been pushed to develop,
1.2-stable and 1.1-stable branches.

-- 
Dominic Cleal
Red Hat Engineering