Foreman 1.11.1 security and bug fix release

Foreman 1.11.1 has now been released to our repositories, with over
sixty bug fixes throughout the application, particularly in host
creation and compute profiles.

The security issue was:
CVE-2016-3693: application information leakage through templates

A provisioning template containing inspect will expose sensitive
information about the Rails controller and application when rendered
when using Safemode rendering (the default setting). This includes
the application secret token, possibly permitting a privilege

Affects all known versions of Foreman.

Full release notes for all of the changes are on the website:


··· =========== See the links below for how to get it by installing or upgrading:

Installation quick start:

Upgrade instructions:

Release notes:

Do take note of the upgrade warnings and deprecations in this release
as they affect most OSes in some way:


Packages may be found in the 1.11 directories on both
and, and tarballs are on

The GPG key used for RPMs and tarballs has the following fingerprint:
6681 20FA 0528 3FD2 AF60 FC3A 335F 3A45 3494 A06D
(Foreman :: Security)

Debian users should note that the archive GPG key is in the process of
changing to:
AE0A F310 E2EA 96B6 B6F4 BD72 6F86 00B9 5632 78F6
(Foreman :: Security)

More information on the Debian GPG change is available at:!topic/foreman-announce/InFeaMsl7fk

Bug reporting

If you come across a bug, please file it and note the version of Foreman
that you’re using in the report.

Foreman: Foreman
Proxy: Foreman

Dominic Cleal