Foreman 1.11.4 security and bug fix release

Foreman 1.11.4 has now been released to our repositories with three
security fixes and a few bug fixes.

The security issues were:

  • CVE-2016-5390: API host interfaces data not restricted by view_hosts
    filters
  • CVE-2016-4995: information disclosure through unauthorized template
    previews
  • CVE-2016-4475: privilege escalation through orgs/location API and UI

See Foreman :: Security for more details.

Full release notes for all of the changes are on the website:
https://theforeman.org/manuals/1.11/index.html#Releasenotesfor1.11.4

Also a reminder - this is probably the last update to the 1.11.x series
as 1.12 is stable and highly recommended over 1.11.

Information

See the links below for how to get it:

Upgrade instructions:
https://theforeman.org/manuals/1.11/index.html#3.6Upgrade

Release notes:
https://theforeman.org/manuals/1.11/index.html#Releasenotesfor1.11

Do take note of the upgrade warnings and deprecations in this release
as they affect most OSes in some way:
https://theforeman.org/manuals/1.11/index.html#Upgradewarnings

Downloads

Packages may be found in the 1.11 directories on both deb.foreman.org
and yum.theforeman.org, and tarballs are on downloads.theforeman.org.

The GPG key used for RPMs and tarballs has the following fingerprint:
6681 20FA 0528 3FD2 AF60 FC3A 335F 3A45 3494 A06D
(Foreman :: Security)

Bug reporting

If you come across a bug, please file it and note the version of Foreman
that you’re using in the report.

Foreman: Foreman
Proxy: Foreman
Installer: Foreman


Dominic Cleal
dominic@cleal.org