Foreman 1.8.1 security and bug fix release

Foreman 1.8.1 has been released with a security fix and lots of bug
fixes, including for regressions found in 1.8.0. Thanks for all of the
reports and debugging.

The security issue was:
CVE-2015-3155: session cookie set without secure flag on HTTPS

The session cookie created when accessing the Foreman web UI over
HTTPS is not set with the 'secure' flag, which may lead to session

Affects all known Foreman versions

More information available at Foreman :: Security
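
An added example (not from the Foreman project or this announcement): a Ruby check an operator could use to confirm that cookies set on HTTPS responses carry the Secure attribute. The header values, the cookie name `_session_id` and the function names are constructed or hypothetical.

```ruby
# Added example: audit Set-Cookie header values for the Secure attribute.
# All header values below are constructed samples, not captured from Foreman.

# Parse one Set-Cookie header value into its cookie name and attributes.
# Attribute names are case-insensitive, so they are stored lowercased.
def parse_set_cookie(value)
  pair, *attrs = value.split(';').map(&:strip)
  name, _cookie_value = pair.split('=', 2)
  attributes = attrs.reject(&:empty?).each_with_object({}) do |attr, h|
    key, val = attr.split('=', 2)
    h[key.strip.downcase] = val ? val.strip : true
  end
  { name: name, attributes: attributes }
end

# Return the names of cookies set over HTTPS without the Secure attribute.
# Matching on parsed attribute names avoids being fooled by the word
# "secure" appearing in a cookie value or in a path.
def cookies_missing_secure(set_cookie_values, scheme: 'https')
  return [] unless scheme == 'https'

  set_cookie_values.map { |v| parse_set_cookie(v) }
                   .reject { |c| c[:attributes].key?('secure') }
                   .map { |c| c[:name] }
end

# Constructed sample: the session cookie lacks Secure ("secure" is only
# part of the path), while the second cookie has it.
SAMPLE_BEFORE = [
  '_session_id=0123abcd; path=/secure; HttpOnly',
  'pref=secure; path=/; secure'
].freeze

# Constructed sample: session cookie with the attribute present.
SAMPLE_AFTER = [
  '_session_id=0123abcd; path=/; Secure; HttpOnly'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "before: #{cookies_missing_secure(SAMPLE_BEFORE).inspect}"
  puts "after:  #{cookies_missing_secure(SAMPLE_AFTER).inspect}"
end
```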

The most important bug fixes concern unmanaged hosts, where overrides
sometimes did not work in 1.8.0, and installations with unattended mode
disabled, which had multiple errors.

Full release notes for all of the bug fixes are on the website here:

==== Upgrading ====
Fully supported with package upgrades from both 1.7 and 1.8. When
upgrading, follow these instructions and please take note of any major
known issues as we'll update the manual if they arise.

If you're installing a new instance, follow the quickstart:

If you also want to upgrade to Debian 8 (Jessie), ensure you upgrade
your current installation to 1.8 before attempting the dist-upgrade. See
for more info.

Packages may be found in the 1.8 directories on both and, and tarballs are on

The GPG key used for RPMs and tarballs has the following fingerprint:
64E3 7B1F A6C0 2416 6B53 5495 28F5 A69D 225C 9B71
(Foreman :: Security)

==== Bug reporting ====
If you come across a bug, please file it and note the version of
Foreman that you're using in the report.

Foreman: Foreman
Proxy: Foreman
Installer: Foreman

Dominic Cleal
Red Hat Engineering