Foreman 1.7.5 security and bug fix release

Foreman 1.7.5 has been released with a security fix and a couple of bug

The security issue was:
CVE-2015-1844: users are not restricted to organizations/locations

When a non-admin user is associated to organizations or locations,
their access is not correctly restricted. API access allows access to
resources in any org/location, and UI access when the user is
associated to more than one org/location is not restricted.

Users without orgs/locations enabled (the default) are unaffected.

Believed to affect Foreman 1.2.0 and higher

More information available at Foreman :: Security

Full release notes for all of the bug fixes are on the website here:

This may be the last 1.7.x release, and so users are recommended to
start looking at Foreman 1.8 which has now been released.

==== Upgrading ====
Fully supported with package upgrades from both 1.6 and 1.7.

When upgrading, follow these instructions and please take note of the
known issues and warnings (especially Ubuntu 12.04 users):

If you're installing a new instance, follow the quickstart:

Packages may be found in the 1.7 directories on both and, and tarballs are on

The GPG key used for RPMs and tarballs has the following fingerprint:
730A 9338 F93E E729 2EAC 2052 4C25 8BD4 2D76 2E88
(Foreman :: Security)

Bug reporting

··· ============= If you come across a bug, please file it and note the version of Foreman that you're using in the report.

Foreman: Foreman
Proxy: Foreman
Installer: Foreman

Dominic Cleal
Red Hat Engineering