Foreman 1.11.3 security and bug fix release

Foreman 1.11.3 has now been released to our repositories with a security
fix and various bug fixes, including for two prominent DHCP issues.

The security issue was:
CVE-2016-4451: Privilege escalation through Organization and
Locations API

When using the API as a user with unlimited filters, the current
context could be set to an organization/location that the user was
not associated with.

Affects Foreman 1.7 and higher.

See Foreman :: Security for more details.

Full release notes for all of the changes are on the website:


See the links below for how to get it by installing or upgrading:

Installation quick start:

Upgrade instructions:

Release notes:

Do take note of the upgrade warnings and deprecations in this release
as they affect most OSes in some way:


Packages may be found in the 1.11 directories on both
and, and tarballs are on

The GPG key used for RPMs and tarballs has the following fingerprint:
6681 20FA 0528 3FD2 AF60 FC3A 335F 3A45 3494 A06D
(Foreman :: Security)

Debian users should note that the archive GPG key changes in the next
week to the following fingerprint:
AE0A F310 E2EA 96B6 B6F4 BD72 6F86 00B9 5632 78F6
(Foreman :: Security)

More information on the Debian GPG change is available at:!topic/foreman-announce/InFeaMsl7fk

Bug reporting

If you come across a bug, please file it and note the version of Foreman
that you’re using in the report.

Foreman: Foreman
Proxy: Foreman

Dominic Cleal