Foreman 1.12.2 security and bug fix release

Foreman 1.12.2 is now available in our repositories with a number of bug
fixes and some security issues fixed:

  • CVE-2016-6319: Foreman form helpers do not escape JS when rendering label
  • CVE-2016-6320: network interface device identifiers may contain stored
    XSS on host form
  • Ruby on Rails updated to for security fixes

More information at Foreman :: Security

Full release notes for all of the changes:

Please note that a change to the location/organization external node
(ENC) parameters originally shipped in 1.12.0 has been reverted in this
release. The full names of the location/org have been added instead to
the location_full and organization_full parameters.


See the links below for how to get it by installing or upgrading:

Installation quick start:

Upgrade instructions:

Release notes:

Do take note of the upgrade warnings and deprecations in this release:

Our list of supported OSes has changed, so please check these when
setting up new installations or upgrading.

We also have an experimental guide to upgrading a combined Foreman 1.12
and Puppet 3 installation to a Puppet 4 installation:


Packages may be found in the 1.12 directories on both
and, and tarballs are on

The GPG key used for RPMs and tarballs has the following fingerprint:
860D D70A 378A 84CE 8D47 C10E B507 F6A6 7D49 2D06
(Foreman :: Security)

Bug reporting

If you come across a bug, please file it and note the version of Foreman
that you’re using in the report.

Foreman: Foreman
Proxy: Foreman

Dominic Cleal