Foreman 1.11.4 security and bug fix release

Foreman 1.11.4 has now been released to our repositories with three
security fixes and a few bug fixes.

The security issues were:

  • CVE-2016-5390: API host interfaces data not restricted by view_hosts
  • CVE-2016-4995: information disclosure through unauthorized template
  • CVE-2016-4475: privilege escalation through orgs/location API and UI

See Foreman :: Security for more details.

Full release notes for all of the changes are on the website:

Also a reminder - this is probably the last update to the 1.11.x series
as 1.12 is stable and highly recommended over 1.11.


See the links below for how to get it:

Upgrade instructions:

Release notes:

Do take note of the upgrade warnings and deprecations in this release
as they affect most OSes in some way:


Packages may be found in the 1.11 directories on both
and, and tarballs are on

The GPG key used for RPMs and tarballs has the following fingerprint:
6681 20FA 0528 3FD2 AF60 FC3A 335F 3A45 3494 A06D
(Foreman :: Security)

Bug reporting

If you come across a bug, please file it and note the version of Foreman
that you’re using in the report.

Foreman: Foreman
Proxy: Foreman

Dominic Cleal