Foreman 1.4.2 security and bug fix release

Foreman 1.4.2 is now available, with two important security fixes and a
number of bug fixes. This release also adds Puppet 3.5 and Facter 2.0
support, so is required to use either of these two new versions.

The two security issues resolved are:

  1. Stored cross site scripting (XSS) on 500 error page
    CVE identifier: CVE-2014-0089
    Redmine issue: Bug #4456: CVE-2014-0089 - Stored Cross Site Scripting (XSS) on 500 error page - Foreman
    Affects Foreman 1.4.0 to 1.4.1 inclusive

  2. Session fixation, new session IDs are not generated on login
    CVE identifier: CVE-2014-0090
    Redmine issue: Bug #4457: CVE-2014-0090 - Session fixation, new session IDs are not generated on login - Foreman
    Affects all known Foreman versions

Additional details are available on our security advisories page:

See the release notes and Redmine for full bug lists:

OpenStack users please note that we reverted the fix for #2270 (relating
to floating IPs) in this release due to some knock-on issues with other
compute resource providers. We'll be addressing this for a subsequent
release - apologies for any inconvenience.

==== Installation ====
Quickstart instructions using the installer:

Packages are in / under the "1.4"
directories or components.

==== Upgrading ====
Fully supported with package upgrades from both 1.3 and 1.4.0.

Please read the instructions here:

Take note of the following points, especially EL6 users:


ยทยทยท -- Dominic Cleal Red Hat Engineering