Foreman 1.9.1 has been released with a security fix and lots of bug
fixes covering regressions and improving stability by fixing existing
The security issue was:
CVE-2015-5233: reports show/destroy not restricted by host
Users with view_reports or destroy_reports permissions can view or
delete reports from any host without their view_hosts permission
being taken into account.
Affects Foreman 1.5.0 and higher
More information is available at Foreman :: Security. A
corresponding release for the 1.8 series will be made early next week.
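The authorization gap described for CVE-2015-5233, as an added example
that is not Foreman's own code: a simplified model in which a report
lookup consults only the report permission, next to a lookup that also
requires the report's host to be viewable by the user. All class names,
method names and sample data are constructed for illustration.

```ruby
# Simplified model of the gap (constructed example, not Foreman code).
Host   = Struct.new(:id, :name)
Report = Struct.new(:id, :host)

class User
  attr_reader :permissions, :viewable_host_ids

  def initialize(permissions:, viewable_host_ids:)
    @permissions = permissions
    @viewable_host_ids = viewable_host_ids
  end

  def can?(permission)
    permissions.include?(permission)
  end

  # view_hosts is limited to a subset of hosts (assumed filter model).
  def can_view_host?(host)
    can?(:view_hosts) && viewable_host_ids.include?(host.id)
  end
end

class ReportStore
  def initialize(reports)
    @reports = reports
  end

  # Flawed check: only the report permission is consulted.
  def find_unscoped(user, report_id, permission)
    return nil unless user.can?(permission)
    @reports.find { |r| r.id == report_id }
  end

  # Corrected check: the report must belong to a host the user may view.
  def find_scoped(user, report_id, permission)
    report = find_unscoped(user, report_id, permission)
    report if report && user.can_view_host?(report.host)
  end
end

# Constructed sample data: the user may only view host 1.
WEB     = Host.new(1, "web01.example.com")
DB      = Host.new(2, "db01.example.com")
STORE   = ReportStore.new([Report.new(10, WEB), Report.new(20, DB)])
AUDITOR = User.new(permissions: [:view_hosts, :view_reports, :destroy_reports],
                   viewable_host_ids: [1])
```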
There was a second security issue filed (CVE-2015-5246) affecting Active
Directory logins after password changes, but this was later rejected.
Please see the security page linked above for more information, as AD
users should nevertheless be aware of this.
Full release notes for all of the changes are on the website here:
==== Upgrading ====
When upgrading, follow these instructions and please take note of any
known issues; we'll update the manual if they arise.
If you're installing a new instance, follow the quickstart:
The GPG key used for RPMs and tarballs has the following fingerprint:
BEA5 E3F6 AF59 7107 0241 4514 E05F 7157 6E2A 21BF
(Foreman :: Security)