Foreman 1.9.1 security and bug fix release

Foreman 1.9.1 has been released with a security fix and lots of bug
fixes covering regressions and improving stability by fixing existing
known issues.

The security issue was:
CVE-2015-5233: reports show/destroy not restricted by host

Users with the view_reports or destroy_reports permissions can view or
delete reports from any host, without their view_hosts permission being
taken into account.

Affects Foreman 1.5.0 and higher

More information is available at Foreman :: Security. A
corresponding release for the 1.8 series will be made early next week.

There was a second security issue filed (CVE-2015-5246) affecting Active
Directory logins after password changes, but this was later rejected.
Please see the security page linked above for more information, as AD
users should nevertheless be aware of this.

Full release notes for all of the changes are on the website here:

==== Upgrading ====
When upgrading, follow these instructions and please take note of any
known issues; we'll update the manual if they arise.

If you're installing a new instance, follow the quickstart:

Packages may be found in the 1.9 directories on both and, and tarballs are on

The GPG key used for RPMs and tarballs has the following fingerprint:
BEA5 E3F6 AF59 7107 0241 4514 E05F 7157 6E2A 21BF
(Foreman :: Security)

==== Bug reporting ====
If you come across a bug, please file it and note the version of Foreman that you're using in the report.

Foreman: Foreman
Proxy: Foreman
Installer: Foreman

Dominic Cleal
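
The authorization gap described under CVE-2015-5233 above, as an added example that is not part of the original announcement and is not Foreman's code: a simplified Ruby model with the report-only lookup next to one that also checks host visibility. The class names, method names and sample data are hypothetical, and the view_hosts filter is assumed to reduce to a set of visible host ids.

```ruby
# Simplified model of the check CVE-2015-5233 describes. Constructed for
# illustration; class and method names are hypothetical, not Foreman's.
Report = Struct.new(:id, :host_id)

class User
  def initialize(permissions:, visible_host_ids:)
    @permissions = permissions
    @visible_host_ids = visible_host_ids
  end

  def can?(permission)
    @permissions.include?(permission)
  end

  # True only if view_hosts is granted and its filter covers this host.
  def can_view_host?(host_id)
    can?(:view_hosts) && @visible_host_ids.include?(host_id)
  end
end

class ReportStore
  def initialize(reports)
    @reports = reports.to_h { |r| [r.id, r] }
  end

  # Flawed pattern: the report permission alone decides access.
  def find_unscoped(user, id, permission)
    user.can?(permission) ? @reports[id] : nil
  end

  # Corrected pattern: the report's host must also be visible to the user.
  def find_scoped(user, id, permission)
    report = find_unscoped(user, id, permission)
    report if report && user.can_view_host?(report.host_id)
  end

  # Deletes only when the scoped lookup succeeds; returns true/false.
  def destroy(user, id)
    report = find_scoped(user, id, :destroy_reports)
    !report.nil? && !@reports.delete(report.id).nil?
  end
end

# Constructed sample data: two reports on two hosts, user limited to host 10.
SAMPLE_STORE = ReportStore.new([Report.new(1, 10), Report.new(2, 20)])
SAMPLE_USER  = User.new(permissions: %i[view_reports destroy_reports view_hosts],
                        visible_host_ids: [10])
```

A regression test for this class of bug should request a report belonging to a host outside the user's filter and expect the lookup to fail, for both show and destroy.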