Foreman 1.11.1 security and bug fix release

Foreman 1.11.1 has now been released to our repositories, with over
sixty bug fixes throughout the application, particularly in host
creation and compute profiles.

The security issue was:
CVE-2016-3693: application information leakage through templates

A provisioning template containing inspect will expose sensitive
information about the Rails controller and application when it is
rendered with Safemode rendering (the default setting). This includes
the application secret token, possibly permitting a privilege
escalation.

Affects all known versions of Foreman.
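
To audit existing templates for the construct described above, the following Ruby script (an added example, not Foreman code and not the project's fix) lists every ERB tag in a template's source that calls inspect. It assumes templates have been exported as plain ERB text; the function name and the sample template are constructed for illustration.

```ruby
# Added audit example (not Foreman code): report ERB tags that call inspect.
# Matches <% %>, <%= %> and <%- -%> tags; <%# comment %> tags are skipped.
ERB_TAG = /<%(?!#)[-=]*(.*?)-?%>/m
# "inspect" as a whole identifier, so names like inspected_at are not flagged.
# A string literal containing the word inside a tag is still reported for review.
INSPECT_CALL = /(?<![A-Za-z0-9_])inspect(?![A-Za-z0-9_?!])/

# Returns [[line_number, ruby_snippet], ...] for each ERB tag that uses inspect.
def inspect_findings(template_source)
  findings = []
  template_source.scan(ERB_TAG) do
    match = Regexp.last_match
    code = match[1]
    next unless code.match?(INSPECT_CALL)
    # Line number of the tag's opening delimiter (1-based).
    line = template_source[0...match.begin(0)].count("\n") + 1
    findings << [line, code.strip]
  end
  findings
end

# Constructed sample template, for illustration only.
SAMPLE_TEMPLATE = <<~'ERB'
  # kickstart for <%= @host.name %>
  <%# inspect is mentioned only in this ERB comment %>
  echo "inspect the log after install"
  <%= @host.inspect %>
  <% if @host.respond_to?(:inspected_at) -%>
  <%= self . inspect %>
  <% end -%>
ERB

if __FILE__ == $PROGRAM_NAME
  # Audit the files named on the command line, or the constructed sample if none.
  sources = if ARGV.empty?
              { "(sample)" => SAMPLE_TEMPLATE }
            else
              ARGV.map { |path| [path, File.read(path)] }.to_h
            end
  sources.each do |name, text|
    inspect_findings(text).each { |line, code| puts "#{name}:#{line}: #{code}" }
  end
end
```

A finding is a prompt to review the template by hand, and upgrading to the fixed release remains the remedy.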

Full release notes for all of the changes are on the website:
http://theforeman.org/manuals/1.11/index.html#Releasenotesfor1.11.1

Information

See the links below for how to get it by installing or upgrading:

Installation quick start:
http://theforeman.org/manuals/1.11/quickstart_guide.html

Upgrade instructions:
http://theforeman.org/manuals/1.11/index.html#3.6Upgrade

Release notes:
http://theforeman.org/manuals/1.11/index.html#Releasenotesfor1.11

Do take note of the upgrade warnings and deprecations in this release
as they affect most OSes in some way:
http://theforeman.org/manuals/1.11/index.html#Upgradewarnings

Downloads

Packages may be found in the 1.11 directories on both deb.foreman.org
and yum.theforeman.org, and tarballs are on downloads.theforeman.org.

The GPG key used for RPMs and tarballs has the following fingerprint:
6681 20FA 0528 3FD2 AF60 FC3A 335F 3A45 3494 A06D
(Foreman :: Security)

Debian users should note that the archive GPG key is in the process of
changing to:
AE0A F310 E2EA 96B6 B6F4 BD72 6F86 00B9 5632 78F6
(Foreman :: Security)

More information on the Debian GPG change is available at:
https://groups.google.com/forum/#!topic/foreman-announce/InFeaMsl7fk

Bug reporting

If you come across a bug, please file it and note the version of Foreman
that you’re using in the report.

Foreman: Foreman
Proxy: Foreman
Installer: Foreman


Dominic Cleal
dominic@cleal.org