Foreman 1.9.1 has been released with a security fix and lots of bug
fixes covering regressions and improving stability by fixing existing
known issues.
The security issue was:
CVE-2015-5233: reports show/destroy not restricted by host
authorization
Users with view_reports or destroy_reports permissions can view or
delete reports from any host, without their view_hosts permission
being taken into account.
Affects Foreman 1.5.0 and higher
More information is available at Foreman :: Security. A
corresponding release for the 1.8 series will be made early next week.
There was a second security issue filed (CVE-2015-5246) affecting Active
Directory logins after password changes, but this was later rejected.
Please see the security page linked above for more information, as AD
users should nevertheless be aware of this.
Full release notes for all of the changes are on the website here:
http://theforeman.org/manuals/1.9/index.html#Releasenotesfor1.9.1
http://projects.theforeman.org/rb/release/72
==== Upgrading ====
When upgrading, follow these instructions and please take note of any
known issues; we'll update the manual if they arise.
http://theforeman.org/manuals/1.9/index.html#3.6Upgrade
If you're installing a new instance, follow the quickstart:
http://theforeman.org/manuals/1.9/index.html#2.Quickstart
Packages may be found in the 1.9 directories on both deb.foreman.org and
yum.theforeman.org, and tarballs are on downloads.theforeman.org.
The GPG key used for RPMs and tarballs has the following fingerprint:
BEA5 E3F6 AF59 7107 0241 4514 E05F 7157 6E2A 21BF
(Foreman :: Security)
==== Bug reporting ====
If you come across a bug, please file it and note the version of Foreman
that you're using in the report.
Foreman: Foreman
Proxy: Foreman
Installer: Foreman
--
Dominic Cleal
dominic@cleal.org
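
The authorization gap described for CVE-2015-5233 above, as an added example that is not Foreman's code and not part of the original announcement. It is a simplified model: only the permission names (view_reports, destroy_reports, view_hosts) come from the advisory, while every class, method and host name is hypothetical and the sample data is constructed.

```ruby
require "set"

# Hypothetical, simplified model; not Foreman's implementation.
Report = Struct.new(:id, :host)

class User
  def initialize(permissions:, viewable_hosts:)
    @permissions = permissions.to_set
    @viewable_hosts = viewable_hosts.to_set
  end

  def can?(permission)
    @permissions.include?(permission)
  end

  # Host authorization: view_hosts plus the filter that scopes it.
  def can_view_host?(host)
    can?(:view_hosts) && @viewable_hosts.include?(host)
  end
end

# Flawed check: only the report permission is consulted, so the
# report's owning host never enters the decision.
def report_allowed_flawed?(user, _report, action)
  user.can?(:"#{action}_reports")
end

# Corrected check: report permission AND authorization on the host.
def report_allowed?(user, report, action)
  user.can?(:"#{action}_reports") && user.can_view_host?(report.host)
end

# Listings need the same scoping as single-record access.
def visible_reports(user, reports)
  return [] unless user.can?(:view_reports)
  reports.select { |r| user.can_view_host?(r.host) }
end

# Regression helper: (report id, action) pairs the flawed check grants
# but the corrected check denies.
def overexposed(user, reports, actions = %i[view destroy])
  reports.product(actions).select do |r, a|
    report_allowed_flawed?(user, r, a) && !report_allowed?(user, r, a)
  end.map { |r, a| [r.id, a] }
end

# Constructed sample data.
REPORTS = [Report.new(1, "web01.example.com"), Report.new(2, "db01.example.com")]
ALICE = User.new(permissions: %i[view_reports destroy_reports view_hosts],
                 viewable_hosts: ["web01.example.com"])
```

A helper like overexposed can be kept as a regression test so that any new report action is checked against host scoping as well.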