Foreman 1.7.5 has been released with a security fix and a couple of bug
fixes.
The security issue was:
CVE-2015-1844: users are not restricted to organizations/locations
When a non-admin user is associated with organizations or locations,
their access is not correctly restricted. API access allows access to
resources in any org/location, and UI access is not restricted when the
user is associated with more than one org/location.
Users without orgs/locations enabled (the default) are unaffected.
Believed to affect Foreman 1.2.0 and higher.
More information is available at Foreman :: Security
Full release notes for all of the bug fixes are on the website here:
http://theforeman.org/manuals/1.7/index.html#Releasenotesfor1.7.5
http://projects.theforeman.org/rb/release/40
This may be the last 1.7.x release, and so users are recommended to
start looking at Foreman 1.8 which has now been released.
==== Upgrading ====
Fully supported with package upgrades from both 1.6 and 1.7.
When upgrading, follow these instructions and please take note of the
known issues and warnings (especially Ubuntu 12.04 users):
http://theforeman.org/manuals/1.7/index.html#3.6Upgrade
http://theforeman.org/manuals/1.7/index.html#Deprecationwarnings
If you're installing a new instance, follow the quickstart:
http://theforeman.org/manuals/1.7/index.html#2.Quickstart
Packages may be found in the 1.7 directories on both deb.foreman.org and
yum.theforeman.org, and tarballs are on downloads.theforeman.org.
The GPG key used for RPMs and tarballs has the following fingerprint:
730A 9338 F93E E729 2EAC 2052 4C25 8BD4 2D76 2E88
(Foreman :: Security)
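Added example (not part of the original announcement and not Foreman's own tooling): a shell check that a downloaded key file holds exactly one primary key whose full 40-digit fingerprint matches the one above, rather than trusting a short key ID. It reads `gpg --with-colons` output on stdin; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a downloaded key against the announced fingerprint.
# Real use (KEYFILE is a placeholder for the key file you downloaded):
#   gpg --show-keys --with-colons KEYFILE | check_key_listing
EXPECTED_FPR="730A 9338 F93E E729 2EAC 2052 4C25 8BD4 2D76 2E88"  # from the announcement

# Strip whitespace and upper-case so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Print the fingerprint of every primary key in a --with-colons listing on
# stdin: the "fpr" record (field 10) that follows each "pub" record.
# Subkey fingerprints (after "sub" records) are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Exit 0 only if the listing holds exactly one primary key and its full
# fingerprint matches. 1 = mismatch, 2 = no key or more than one key.
check_key_listing() {
    fprs=$(primary_fprs)
    [ -n "$fprs" ] || return 2
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] || return 2
    [ "$(normalize_fpr "$fprs")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Constructed sample listings (not real gpg output from the Foreman key file).
sample_good() {
    printf '%s\n' \
        'pub:-:4096:1:4C258BD42D762E88:1400000000:::-:::scESC:' \
        'fpr:::::::::730A9338F93EE7292EAC20524C258BD42D762E88:' \
        'sub:-:4096:1:0123456789ABCDEF:1400000000::::::e:' \
        'fpr:::::::::00112233445566778899AABBCCDDEEFF00112233:'
}

# Same trailing 8 hex digits (short key ID) but a different fingerprint.
sample_short_id_collision() {
    printf '%s\n' \
        'pub:-:4096:1:AAAAAAAA2D762E88:1400000000:::-:::scESC:' \
        'fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFAAAAAAAA2D762E88:'
}
```

Only import the key, or add it to the RPM or APT trust store, after this check exits 0.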
==== Bug reporting ====