Foreman 1.5.1 has been released, with many bug fixes for issues found in
1.5, three security fixes and a few minor features.
The security issues fixed are:
-
TFTP boot file fetch API permits remote code execution
CVE identifier: CVE-2014-0007
Redmine issue: Bug #6086: CVE-2014-0007 - TFTP boot file fetch API permits remote code execution - Smart Proxy - Foreman
Affects all known Foreman versions -
Stored cross site scripting (XSS) in notification dialogs
CVE identifier: CVE-2014-3491
Redmine issue: Bug #5881: CVE-2014-3491 - XSS from create/update/destroy notification boxes - Foreman
Affects all known Foreman versions -
Stored cross site scripting (XSS) in YAML preview
CVE identifier: CVE-2014-3492
Redmine issue: Bug #6149: CVE-2014-3492 - XSS in host YAML view - Foreman
Affects all known Foreman versions
Additional details are available on our security advisories page:
http://theforeman.org/security.html
Other notable changes are:
- VMware compute profile issues fixed (#5652)
- Puppet 3.6 smart proxy compatibility fixed (#5856)
- DHCP lease conflict issues with Discovery (#5637)
- New compute profiles API, fixed API host creation (#4250)
- Audit field length issue with smart class parameters (#5671)
The release also includes a new version of the Hammer CLI, version 0.1.1
with a number of features and fixes.
See the release notes and Redmine for full change lists:
http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.1
http://projects.theforeman.org/rb/release/16
==== Upgrading ====
Fully supported with package upgrades from both 1.4 and 1.5.0.
Packages are in yum.theforeman.org / deb.theforeman.org under the "1.5"
directories or components.
Please read the instructions here:
http://theforeman.org/manuals/1.5/index.html#3.6Upgrade