Foreman 1.4.4 has been released, addressing two security issues and
other bugs. All users are encouraged to upgrade.
The security issues fixed are:
- Provisioning template previews are world-readable
  CVE identifier: CVE-2014-0192
  Redmine issue: Bug #5436: CVE-2014-0192 - provisioning templates are world accessible - Foreman
  Affects Foreman 1.4.0 to 1.4.3 inclusive

- Stored cross site scripting (XSS) in search auto-completion
  CVE identifier: CVE-2014-0208
  Redmine issue: Bug #5471: CVE-2014-0208 - Stored XSS inside search auto-complete key names via parameters - Foreman
  Affects all known Foreman versions prior to 1.4.4
Additional details are available on our security advisories page:
http://theforeman.org/security.html
See the release notes and Redmine for full bug lists:
http://theforeman.org/manuals/1.4/index.html#Releasenotesfor1.4.4
http://projects.theforeman.org/rb/release/17
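To triage an installation against the affected ranges listed above, the following is an added example; it is not part of this announcement and not Foreman project code. It takes a version string as found in the installed package version (e.g. "1.4.3-1.el6") and reports which of the two CVEs apply. Assumptions that go beyond the announcement: a release candidate of 1.4.4 is treated as not yet fixed, and the constant and function names are the example's own.

```ruby
# Added example, not part of the Foreman 1.4.4 announcement or the project's code.
# Decide whether an installed Foreman version is affected by the issues fixed
# in 1.4.4, using only the affected ranges stated in the announcement:
#   CVE-2014-0192: Foreman 1.4.0 to 1.4.3 inclusive
#   CVE-2014-0208: all known versions prior to 1.4.4
require 'rubygems'

FIXED_IN = Gem::Version.new('1.4.4')

# Affected ranges. Upper bounds are exclusive because 1.4.4 fixes both issues;
# "all known versions" is modelled as "anything below 1.4.4" (assumption).
ADVISORIES = {
  'CVE-2014-0192' => { from: Gem::Version.new('1.4.0'), below: FIXED_IN },
  'CVE-2014-0208' => { from: nil,                       below: FIXED_IN },
}.freeze

# Normalise strings such as "1.4.3", "1.4.3-1.el6" or "1.4.4-rc1" into a
# Gem::Version. Packaging suffixes (-1.el6, ~ubuntu) are dropped; an "rcN"
# suffix is kept as a Gem prerelease so that 1.4.4-rc1 sorts below 1.4.4.
def parse_foreman_version(str)
  m = str.to_s.strip.match(/\A(\d+(?:\.\d+)*)(?:[-.]?(rc\d+))?/i)
  raise ArgumentError, "unrecognised version string: #{str.inspect}" unless m
  Gem::Version.new(m[2] ? "#{m[1]}.#{m[2].downcase}" : m[1])
end

# Returns the list of CVE identifiers from the announcement that apply to the
# given installed version (empty list when the version is 1.4.4 or later).
def affected_by(version_str)
  v = parse_foreman_version(version_str)
  ADVISORIES.select do |_cve, range|
    (range[:from].nil? || v >= range[:from]) && v < range[:below]
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  version = ARGV.first || '1.4.3'
  cves = affected_by(version)
  if cves.empty?
    puts "Foreman #{version}: not affected by the issues fixed in 1.4.4"
  else
    puts "Foreman #{version}: affected by #{cves.join(', ')} - upgrade to 1.4.4"
  end
end
```

Run it as `ruby check.rb 1.3.2-1.el6` (file name assumed); a 1.3.x install is reported as affected only by CVE-2014-0208, while any 1.4.0 to 1.4.3 install is flagged for both.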
==== Installation ====
Quickstart instructions using the installer:
http://theforeman.org/manuals/1.4/index.html#2.Quickstart
Packages are in yum.theforeman.org / deb.theforeman.org under the "1.4"
directories or components.
==== Upgrading ====
Fully supported with package upgrades from both 1.3 and 1.4.
Please read the instructions here:
http://theforeman.org/manuals/1.4/index.html#3.6Upgrade
Take note of the following points (especially EL6 users on 1.3):
http://theforeman.org/manuals/1.4/index.html#Upgradenotes