Foreman 1.6.2 and 1.5.4 have been released to fix an important security
issue affecting the smart proxy (foreman-proxy). The update covers only
this package, and a new installer for 1.6 to improve out of the box
security.
It's strongly recommended that users update foreman-proxy and restrict
access to the smart proxy with the trusted_hosts setting and/or a firewall.
CVE-2014-3691: SSL certificate verification bypass in smart proxy
Affects all known Foreman versions
More information at http://theforeman.org/security.html
Steps you should take:
1. Upgrade the package as appropriate:
yum upgrade foreman-proxy
apt-get --only-upgrade install foreman-proxy

2. Set trusted_hosts in /etc/foreman-proxy/settings.yml
:trusted_hosts:
- foreman.example.com

3. Restart foreman-proxy
service foreman-proxy restart
If you're running an older release, we'd generally recommend updating to
a more recent branch (1.6 ideally) to include other security fixes, but
you may also apply the 1.5 patch available from http://projects.theforeman.org/issues/7822#note-12
Does this affect Foreman 1.4? Or is Foreman 1.4 End-of-lifed now?
Maintaining two versions of Foreman makes sense to me, I just don't know
what the Foreman product lifecycle is.
-= Stefan
On Thursday, October 9, 2014 2:21:26 AM UTC-7, Dominic Cleal wrote:
>
> Foreman 1.6.2 and 1.5.4 have been released to fix an important security
> issue affecting the smart proxy (foreman-proxy). The update covers only
> this package, and a new installer for 1.6 to improve out of the box
> security.
>
> It's strongly recommended that users update foreman-proxy and restrict
> access to the smart proxy with the trusted_hosts setting and/or a
> firewall.
>
> CVE-2014-3691: SSL certificate verification bypass in smart proxy
> Affects all known Foreman versions
> More information at http://theforeman.org/security.html
>
> Steps you should take:
> 1. Upgrade the package as appropriate:
> yum upgrade foreman-proxy
> apt-get --only-upgrade install foreman-proxy
>
> 2. Set trusted_hosts in /etc/foreman-proxy/settings.yml
> :trusted_hosts:
> - foreman.example.com
>
> 3. Restart foreman-proxy
> service foreman-proxy restart
>
> If you're running an older release, we'd generally recommend updating to
> a more recent branch (1.6 ideally) to include other security fixes, but
> you may also apply the 1.5 patch available from
> http://projects.theforeman.org/issues/7822#note-12
>
> Release notes are available here:
> 1.6.2: http://theforeman.org/manuals/1.6/index.html#Releasenotesfor1.6.2
> 1.5.4: http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.4
>
> Our thanks go to Michael Moll, Jon McKenzie and Michael Messmore for
> their reports to the project.
>
> A reminder: if you suspect or are aware of a security issue in Foreman,
> please contact foreman-...@googlegroups.com or see
> http://theforeman.org/security.html for more information.
>
> --
> Dominic Cleal
> Red Hat Engineering
>
> Maintaining two versions of Foreman makes sense to me, I just don't know
> what the Foreman product lifecycle is.
I am afraid we don't have any info on our page about our policy. Our
policy is usually to maintain only the latest stable version; in case of
important security bugfixes we do an N-1 release (this case).
Feel free to chip in and backport it for 1.4. That would be appreciated.
And then service foreman-proxy restart. To test, use
curl -k https://0.0.0.0:8443/features
and it should fail with a message about the cert not being presented.
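Added illustration, not part of the thread and not foreman-proxy's own code or the CVE-2014-3691 patch: a small Ruby model of the trusted_hosts gate described in the advisory's steps above, in a weak form that skips the check when the client sends no certificate and a hardened form that refuses such a client, together with the OpenSSL verify mode that makes a TLS server reject a connection with no client certificate, which is the failure the `curl -k https://0.0.0.0:8443/features` test above expects. The settings.yml fragment, the hostnames, the self-signed test certificates and all function names are constructed for this example.

```ruby
# Added illustration for this page: a minimal model of a "trusted_hosts" gate
# in front of a smart-proxy style HTTPS API. This is NOT foreman-proxy code
# and NOT the CVE-2014-3691 patch; names, hosts and the settings fragment
# below are constructed for the example.
require 'yaml'
require 'openssl'

# Constructed settings.yml fragment in the shape the advisory recommends.
SETTINGS_YAML = <<~YAML
  :trusted_hosts:
    - foreman.example.com
YAML

# Parse the :trusted_hosts list; Symbol must be permitted because the keys
# in settings.yml are written as YAML symbols (":trusted_hosts:").
def load_trusted_hosts(yaml_text)
  settings = YAML.safe_load(yaml_text, permitted_classes: [Symbol]) || {}
  Array(settings[:trusted_hosts]).map { |h| h.to_s.strip.downcase }
end

# Post-upgrade check: an empty list means any client with a valid cert
# (or, in the weak variant below, no cert at all) reaches every endpoint.
def trusted_hosts_status(yaml_text)
  load_trusted_hosts(yaml_text).empty? ? :unrestricted : :restricted
end

# Extract the CN from a client certificate's subject, lower-cased for a
# case-insensitive hostname comparison.
def common_name(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry ? entry[1].downcase : nil
end

# Weak gate: only checks the CN *if* a certificate arrived. A client that
# simply presents no certificate is never compared against trusted_hosts.
def authorize_weak(client_cert, trusted_hosts)
  return :allowed if client_cert.nil?
  trusted_hosts.include?(common_name(client_cert)) ? :allowed : :denied
end

# Hardened gate: no certificate means no identity, so the request is refused
# before the hostname comparison even happens.
def authorize_hardened(client_cert, trusted_hosts)
  return :denied_no_cert if client_cert.nil?
  trusted_hosts.include?(common_name(client_cert)) ? :allowed : :denied_untrusted
end

# TLS-layer counterpart: VERIFY_FAIL_IF_NO_PEER_CERT makes the server abort
# the handshake when the client sends no certificate, so an unauthenticated
# `curl -k https://proxy:8443/features` fails before reaching the application.
# (ca_file, cert and key would also be set on a real listener; omitted here.)
def server_ssl_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx
end

# Self-signed test certificate with the given CN (constructed test data;
# a real proxy would require a cert issued by its own CA).
def make_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if $PROGRAM_NAME == __FILE__
  hosts = load_trusted_hosts(SETTINGS_YAML)
  puts "trusted_hosts: #{hosts.inspect} (#{trusted_hosts_status(SETTINGS_YAML)})"
  [nil, make_cert('foreman.example.com'), make_cert('attacker.example.net')].each do |cert|
    label = cert ? common_name(cert) : 'no certificate'
    puts "#{label.ljust(22)} weak=#{authorize_weak(cert, hosts)} hardened=#{authorize_hardened(cert, hosts)}"
  end
end
```

The point of the two gates side by side is that a trusted_hosts list only restricts clients that are forced to identify themselves; with the weak gate the list is bypassed by sending no certificate at all, which is exactly the condition `curl -k` without `--cert` produces. The hardened gate and the VERIFY_FAIL_IF_NO_PEER_CERT mode are two layers of the same rule, and a practitioner should see the curl test fail at the TLS layer after upgrading, regardless of what trusted_hosts contains.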