Foreman 1.8.1 has been released with a security fix and lots of bug
fixes, including for regressions found in 1.8.0. Thanks for all of the
reports and debugging.
The security issue was:
CVE-2015-3155: session cookie set without secure flag on HTTPS
The session cookie created when accessing the Foreman web UI over
HTTPS is not set with the 'secure' flag, which may lead to session
hijacking.
Affects all known Foreman versions
More information available at Foreman :: Security
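
To check an instance for the condition described in CVE-2015-3155, the following added example (not code from Foreman or from this announcement) scans the response headers of an HTTPS request and lists the cookies set without the Secure attribute. The header lines, cookie names and values below are constructed for illustration, and the function names are hypothetical.

```ruby
# Added example, not Foreman code: report cookies that an HTTPS response
# sets without the Secure attribute (the condition in CVE-2015-3155).

# Split one Set-Cookie header value into [cookie name, attribute names].
def parse_set_cookie(value)
  parts = value.split(';').map(&:strip).reject(&:empty?)
  name = parts.shift.to_s.split('=', 2).first.to_s.strip
  # Attribute names are case-insensitive; keep only the part before '='
  # so that a cookie *value* of "secure" is never mistaken for the flag.
  attrs = parts.map { |p| p.split('=', 2).first.strip.downcase }
  [name, attrs]
end

# Return the names of cookies set without Secure in raw header lines.
def cookies_missing_secure(header_lines)
  header_lines.each_with_object([]) do |line, missing|
    field, value = line.split(':', 2)
    next unless value && field.strip.casecmp('set-cookie').zero?
    name, attrs = parse_set_cookie(value)
    missing << name unless name.empty? || attrs.include?('secure')
  end
end

# Constructed sample headers; names and values are illustrative only.
SAMPLE_HEADERS = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: _session_id=0123abcd; path=/; HttpOnly',
  'set-cookie: pref=secure; Path=/',
  'Set-Cookie: token=xyz; Path=/; SECURE; HttpOnly'
].freeze

if __FILE__ == $PROGRAM_NAME
  cookies_missing_secure(SAMPLE_HEADERS).each do |cookie|
    puts "cookie '#{cookie}' is set without the Secure attribute"
  end
end
```

Run it against the headers returned by the web UI over HTTPS before and after upgrading; after the fix, the session cookie should no longer appear in the output.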
The most important bug fixes are around support for unmanaged hosts,
where overrides sometimes didn't work in 1.8.0, and around running with
unattended mode disabled, which had multiple errors.
Full release notes for all of the bug fixes are on the website here:
http://theforeman.org/manuals/1.8/index.html#Releasenotesfor1.8.1
http://projects.theforeman.org/rb/release/50
==== Upgrading ====
Fully supported with package upgrades from both 1.7 and 1.8. When
upgrading, follow these instructions and please take note of any major
known issues as we'll update the manual if they arise.
http://theforeman.org/manuals/1.8/index.html#3.6Upgrade
If you're installing a new instance, follow the quickstart:
http://theforeman.org/manuals/1.8/index.html#2.Quickstart
If you also want to upgrade to Debian 8 (Jessie), ensure you upgrade
your current installation to 1.8 before attempting the dist-upgrade. See
http://projects.theforeman.org/projects/foreman/wiki/Debian_jessie_notes
for more info.
Packages may be found in the 1.8 directories on both deb.foreman.org and
yum.theforeman.org, and tarballs are on downloads.theforeman.org.
The GPG key used for RPMs and tarballs has the following fingerprint:
64E3 7B1F A6C0 2416 6B53 5495 28F5 A69D 225C 9B71
(Foreman :: Security)
==== Bug reporting ====