Foreman 1.10.4 has been released with a security fix and a handful of
other requested fixes. This is likely to be the last release in the
1.10.x series, so please update soon.
The security issue was:
CVE-2016-3728: remote code execution in smart proxy TFTP API
The smart proxy TFTP API is vulnerable to arbitrary remote code
execution, as it passes untrusted user input (the PXE template type)
to the eval() function causing it to be executed.
Affects Foreman 0.2 and higher.
More information is available at Foreman :: Security. This
fix is also in Foreman 1.11.2 and higher.
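The class of bug described above, as an added illustration that is not taken from the smart proxy source: resolving a type name through eval() compared with an allowlist lookup. The module, class and method names are hypothetical, and the inputs are constructed for the demonstration.

```ruby
# Added example, not Foreman or smart proxy code. All names are hypothetical.
module PxeDemo
  # Stand-ins for per-type template handlers.
  class Syslinux; end
  class Pxegrub; end

  # Vulnerable pattern: the request parameter is interpolated into a string
  # and handed to eval, so everything in it is parsed and run as Ruby,
  # not just looked up as a class name.
  def self.resolve_unsafe(type)
    eval("PxeDemo::#{type.capitalize}")
  end

  # Hardened pattern: the parameter is only ever used as a hash key.
  # Nothing supplied by the caller reaches the interpreter.
  ALLOWED = {
    "syslinux" => Syslinux,
    "pxegrub"  => Pxegrub
  }.freeze

  def self.resolve_safe(type)
    ALLOWED.fetch(type.to_s.downcase) do
      raise ArgumentError, "unsupported PXE template type"
    end
  end

  # Convenience check for callers and tests: true when the allowlist
  # refuses the value.
  def self.rejected?(type)
    resolve_safe(type)
    false
  rescue ArgumentError
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal type name, and one carrying a second,
  # harmless Ruby expression after the class name.
  benign   = "syslinux"
  appended = "Syslinux; :marker"

  p PxeDemo.resolve_unsafe(benign)    # the handler class
  p PxeDemo.resolve_unsafe(appended)  # value of the appended expression
  p PxeDemo.resolve_safe(benign)      # the handler class
  p PxeDemo.rejected?(appended)       # refused by the allowlist
end
```

The second call shows why validating after eval is too late: the appended expression has already been evaluated by the time a result comes back.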
Full release notes for all of the changes are on the website here:
Note that no foreman-installer 1.10.4 package has been supplied for EL6
and Ubuntu 12.04 (Precise) due to a bug in the build process. The
existing 1.10.3 package will work identically.
==== Upgrading ====
When upgrading, follow these instructions:
If you're installing a new instance, follow the quickstart:
Packages may be found in the 1.10 directories on both deb.foreman.org
and yum.theforeman.org, and tarballs are on downloads.theforeman.org.
Foreman 1.10 adds Debian packages for armhf (v7).
The GPG key used for RPMs and tarballs has the following fingerprint:
9EFD 673A 649D 77F5 C615 44AC C1B2 621D BE67 E9DA
(Foreman :: Security)
If you come across a bug, please file it and note the version of Foreman that you're using in the report.