Foreman 1.11.3 security and bug fix release

Foreman 1.11.3 has now been released to our repositories with a security
fix and various bug fixes, including for two prominent DHCP issues.

The security issue was:
CVE-2016-4451: Privilege escalation through Organization and
Locations API

When using the API as a user with unlimited filters, the current
context could be set to an organization/location that the user was
not associated with.

Affects Foreman 1.7 and higher.

See Foreman :: Security for more details.

Full release notes for all of the changes are on the website:
https://theforeman.org/manuals/1.11/index.html#Releasenotesfor1.11.3

Information

See the links below for how to get it by installing or upgrading:

Installation quick start:
https://theforeman.org/manuals/1.11/quickstart_guide.html

Upgrade instructions:
https://theforeman.org/manuals/1.11/index.html#3.6Upgrade

Release notes:
https://theforeman.org/manuals/1.11/index.html#Releasenotesfor1.11

Do take note of the upgrade warnings and deprecations in this release
as they affect most OSes in some way:
https://theforeman.org/manuals/1.11/index.html#Upgradewarnings

Downloads

Packages may be found in the 1.11 directories on both deb.foreman.org
and yum.theforeman.org, and tarballs are on downloads.theforeman.org.

The GPG key used for RPMs and tarballs has the following fingerprint:
6681 20FA 0528 3FD2 AF60 FC3A 335F 3A45 3494 A06D
(Foreman :: Security)

Debian users should note that the archive GPG key changes in the next
week to the following fingerprint:
AE0A F310 E2EA 96B6 B6F4 BD72 6F86 00B9 5632 78F6
(Foreman :: Security)

More information on the Debian GPG change is available at:
https://groups.google.com/forum/#!topic/foreman-announce/InFeaMsl7fk

Bug reporting

If you come across a bug, please file it and note the version of Foreman
that you’re using in the report.

Foreman: Foreman
Proxy: Foreman
Installer: Foreman


Dominic Cleal
dominic@cleal.org