Foreman 1.4.2 is now available, with two important security fixes and a
number of bug fixes. This release also adds Puppet 3.5 and Facter 2.0
support, so is required to use either of these two new versions.
The two security issues resolved are:
Stored cross site scripting (XSS) on 500 error page
CVE identifier: CVE-2014-0089
Redmine issue: Bug #4456: CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page - Foreman
Affects Foreman 1.4.0 to 1.4.1 inclusive
Session fixation, new session IDs are not generated on login
CVE identifier: CVE-2014-0090
Redmine issue: Bug #4457: CVE-2014-0090 - Session fixation, new session IDs are not generated on login - Foreman
Affects all known Foreman versions
Additional details are available on our security advisories page:
See the release notes and Redmine for full bug lists:
OpenStack users please note that we reverted the fix for #2270 (relating
to floating IPs) in this release due to some knock-on issues with other
compute resource providers. We'll be addressing this for a subsequent
release - apologies for any inconvenience.
==== Installation ====
Quickstart instructions using the installer:
Packages are in yum.theforeman.org / deb.theforeman.org under the "1.4"
directories or components.
==== Upgrading ====
Fully supported with package upgrades from both 1.3 and 1.4.0.
Please read the instructions here:
Take note of the following points, especially EL6 users: