Foreman 1.4.5 has been released, addressing three security issues in the
core web UI and smart proxy. All users are encouraged to upgrade.
The security issues fixed are:

- TFTP boot file fetch API permits remote code execution
  CVE identifier: CVE-2014-0007
  Redmine issue: Bug #6086: CVE-2014-0007 - TFTP boot file fetch API permits remote code execution - Smart Proxy - Foreman
  Affects all known Foreman versions

- Stored cross-site scripting (XSS) in notification dialogs
  CVE identifier: CVE-2014-3491
  Redmine issue: Bug #5881: CVE-2014-3491 - XSS from create/update/destroy notification boxes - Foreman
  Affects all known Foreman versions

- Stored cross-site scripting (XSS) in YAML preview
  CVE identifier: CVE-2014-3492
  Redmine issue: Bug #6149: CVE-2014-3492 - XSS in host YAML view - Foreman
  Affects all known Foreman versions
Additional details are available on our security advisories page:
http://theforeman.org/security.html
See the release notes and Redmine for full bug lists:
http://theforeman.org/manuals/1.4/index.html#Releasenotesfor1.4.5
http://projects.theforeman.org/rb/release/19
==== Installation ====
Quickstart instructions using the installer:
http://theforeman.org/manuals/1.4/index.html#2.Quickstart
Packages are in yum.theforeman.org / deb.theforeman.org under the "1.4"
directories or components.
==== Upgrading ====
Upgrading is fully supported via package upgrades from both 1.3 and 1.4.
Please read the instructions here:
http://theforeman.org/manuals/1.4/index.html#3.6Upgrade
Take note of the following points (especially EL6 users on 1.3):
http://theforeman.org/manuals/1.4/index.html#Upgradenotes
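Since all three issues affect every release before 1.4.5, the practical question for an operator is simply whether the installed package is older than 1.4.5. The script below is an added example, not part of this announcement or of the Foreman project's own code: it compares a package version string against the fixed version with a plain dotted-version comparison, stripping the packaging suffix first. The function names (version_lt, foreman_version_affected) and the sample version strings are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the Foreman 1.4.5 announcement or the project's
# code): decide whether an installed Foreman version still carries the three
# issues fixed in 1.4.5. Pure string handling, so it runs anywhere with awk.

FOREMAN_FIXED_VERSION="1.4.5"

# version_lt A B: exit status 0 if dotted version A sorts before B, 1 otherwise.
# Packaging suffixes such as "-1.el6", "~rc1" or "+deb7" are stripped first.
# Caveat: a pre-release tag is therefore ignored, so "1.4.5-rc1" is treated as
# 1.4.5; check such builds by hand. Missing components count as 0 (1.4 == 1.4.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*$/, "", a); sub(/[^0-9.].*$/, "", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] + 0 : 0
            y = (i in B) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# foreman_version_affected VERSION: exit status 0 if VERSION predates the fix
# for CVE-2014-0007, CVE-2014-3491 and CVE-2014-3492, 1 if it is 1.4.5 or later.
foreman_version_affected() {
    version_lt "$1" "$FOREMAN_FIXED_VERSION"
}

# Constructed sample version strings (hypothetical inputs, not real hosts).
for v in "1.3.2-1.el6" "1.4.4" "1.4.5-1.el6" "1.5.0"; do
    if foreman_version_affected "$v"; then
        echo "$v: affected, upgrade to $FOREMAN_FIXED_VERSION or later"
    else
        echo "$v: fixed"
    fi
done
```

To feed it a real value, use the package manager's own query rather than parsing `foreman --version`: `rpm -q --qf '%{VERSION}-%{RELEASE}\n' foreman` on EL systems, or `dpkg-query -W -f='${Version}\n' foreman` on Debian and Ubuntu. Remember that the TFTP issue (CVE-2014-0007) lives in the smart proxy, so query the foreman-proxy package on every proxy host as well, not only the package on the web UI host.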