Foreman 1.8.4 security and bug fix release

Foreman 1.8.4 has been released with a security fix and two bug fixes.

The security issue was:
CVE-2015-5233: reports show/destroy not restricted by host

Users with view_reports or destroy_reports permissions can view or
delete reports from any host without their view_hosts permission
being taken into account.

Affects Foreman 1.5.0 and higher

More information available at Foreman :: Security.
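
A simplified model of the missing check, added here as an illustration and not taken from Foreman's code: it contrasts a report lookup that tests only the report permission with one that also requires the report's host to be covered by view_hosts. The `User` and `ReportStore` classes, their methods and the sample hosts are assumptions made for the example.

```ruby
# Simplified model of the check; all class and method names are hypothetical, not Foreman code.
require 'set'
Report = Struct.new(:id, :host)

class User
  def initialize(permissions:, visible_hosts:)
    @permissions = permissions.to_set      # granted permission names
    @visible_hosts = visible_hosts.to_set  # hosts covered by view_hosts
  end

  def can?(permission)
    @permissions.include?(permission)
  end

  def can_view_host?(host)
    can?(:view_hosts) && @visible_hosts.include?(host)
  end
end

class ReportStore
  def initialize(reports)
    @reports = reports
  end

  # Flawed lookup: only view_reports is checked, so a report from any host is returned.
  def find_unscoped(user, id)
    user.can?(:view_reports) ? @reports.find { |r| r.id == id } : nil
  end

  # Scoped lookup: the report's host must also be visible to the user.
  def find_scoped(user, id)
    return nil unless user.can?(:view_reports)
    @reports.find { |r| r.id == id && user.can_view_host?(r.host) }
  end

  # Scoped delete: destroy_reports alone is not enough either.
  def destroy_scoped(user, id)
    return false unless user.can?(:destroy_reports)
    target = @reports.find { |r| r.id == id && user.can_view_host?(r.host) }
    target ? (@reports.delete(target); true) : false
  end
end

# Constructed sample data: the user may view only web01.
SAMPLE_USER = User.new(permissions: %i[view_reports destroy_reports view_hosts],
                       visible_hosts: ['web01.example.com'])
def sample_store
  ReportStore.new([Report.new(1, 'web01.example.com'), Report.new(2, 'db01.example.com')])
end
```

A regression test for this class of bug should request a report belonging to a host outside the user's view_hosts scope and expect a refusal for both show and destroy.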

There was a second security issue filed (CVE-2015-5246) affecting Active
Directory logins after password changes, but this was later rejected.
Please see the security page linked above for more information, as AD
users should nevertheless be aware of this.

A bug fix allows deletion of duplicate network interfaces on hosts,
which should help people who have been affected by bugs on fact imports.
Please note that the Foreman 1.9 stable release has received, and will
continue to receive, further fixes in this area.

Full release notes for all of the changes are on the website here:

==== Upgrading ====
Fully supported with package upgrades from both 1.7 and 1.8. When
upgrading, follow these instructions:

If you're installing a new instance, follow the quickstart:

If you also want to upgrade to Debian 8 (Jessie), ensure you upgrade
your current installation to 1.8 before attempting the dist-upgrade. See
for more info.

Packages may be found in the 1.8 directories on both and, and tarballs are on

The GPG key used for RPMs and tarballs has the following fingerprint:
64E3 7B1F A6C0 2416 6B53 5495 28F5 A69D 225C 9B71
(Foreman :: Security)

==== Bug reporting ====
If you come across a bug, please file it and note the version of Foreman that you're using in the report.

Foreman: Foreman
Proxy: Foreman
Installer: Foreman

Dominic Cleal