Foreman 1.11.2 security and bug fix release

Foreman 1.11.2 has now been released to our repositories, with over
forty bug fixes throughout the application and a security fix.

The security issue was:
CVE-2016-3728: remote code execution in smart proxy TFTP API

The smart proxy TFTP API is vulnerable to arbitrary remote code
execution, as it passes untrusted user input (the PXE template type)
to the eval() function causing it to be executed.

Affects Foreman 0.2 and higher.

Full release notes for all of the changes are on the website:


··· =========== See the links below for how to get it by installing or upgrading:

Installation quick start:

Upgrade instructions:

Release notes:

Do take note of the upgrade warnings and deprecations in this release
as they affect most OSes in some way:


Packages may be found in the 1.11 directories on both
and, and tarballs are on

The GPG key used for RPMs and tarballs has the following fingerprint:
6681 20FA 0528 3FD2 AF60 FC3A 335F 3A45 3494 A06D
(Foreman :: Security)

Debian users should note that the archive GPG key is in the process of
changing to:
AE0A F310 E2EA 96B6 B6F4 BD72 6F86 00B9 5632 78F6
(Foreman :: Security)

More information on the Debian GPG change is available at:!topic/foreman-announce/InFeaMsl7fk

Bug reporting

If you come across a bug, please file it and note the version of Foreman
that you’re using in the report.

Foreman: Foreman
Proxy: Foreman

Dominic Cleal