Foreman 1.2.2 has been released with two security fixes. We recommend
users update as soon as possible.
The security issues resolved were:
-
Potential DoS via hosts controller due to symbol conversion
CVE identifier: CVE-2013-4180
Issue tracker: Bug #2860: CVE-2013-4180 - Potential DoS in HostsController - Foreman -
Privilege escalation as API wasn't restricted to user's hosts
CVE identifier: CVE-2013-4182
Issue tracker: Bug #2863: CVE-2013-4182 - Privileges escalation via API - Foreman
Authenticated access to Foreman is required to exploit these issues.
Our thanks to Daniel Lobato of CERN and Marek Hulan of Red Hat for
reporting them to us.
Two additional bugs were fixed, see the release notes for full details:
http://theforeman.org/manuals/1.2/index.html#Releasenotesfor1.2.2
http://projects.theforeman.org/versions/32
This release only contains an update to Foreman itself, not the smart
proxy or other projects.
==== Packages ====
From 1.2.x, simply upgrade packages from our repositories to version
1.2.2. If upgrading from 1.1, please see the upgrade notes in the
manual for more information (especially EL6 users).
Package repos are available here:
http://yum.theforeman.org/releases/1.2/
http://deb.theforeman.org/
Puppet modules for foreman-installer also available here:
http://forge.puppetlabs.com/theforeman
Tarballs available here:
http://projects.theforeman.org/projects/foreman/files
==== Reporting issues ====
If you have any issues, please follow the usual support process and file
bugs in redmine.
Support information: Foreman :: Support
Foreman: Foreman
Proxy: Foreman
SELinux: Foreman