An update to Kafo (a component of Foreman installer) has been released
to our Foreman 1.4 and nightly repositories. All users are recommended
to update. This fixes CVE-2014-0135, which affects all versions of Kafo.

Upgrade instructions
====================

RPM users:
yum upgrade rubygem-kafo
rm -f /tmp/default_values.yaml

Debian users:
apt-get --only-upgrade install ruby-kafo
rm -f /tmp/default_values.yaml

Description
===========

When Kafo (used in the Foreman installer) runs, it creates and writes to
/tmp/default_values.yaml with world-readable permissions. This is prone
to race-condition attacks, and the file contains default values for all
parameters, such as autogenerated passwords.

More information at Foreman :: Security
--
Dominic Cleal
Red Hat Engineering
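
The file-creation problem described in the advisory, as an added Ruby example that is not Kafo's code or its actual fix: a write to a fixed path under the default umask beside a hardened variant, with the resulting permission bits compared. The function names, sample data and scratch directories are assumptions made for illustration.

```ruby
require 'yaml'
require 'tmpdir'
require 'fileutils'

# Constructed sample standing in for installer parameter defaults.
SAMPLE_DEFAULTS = { 'admin_password' => 'constructed-example-secret' }.freeze

# Pattern the advisory describes: a fixed path in a shared directory, mode
# left to the umask (0644 under the common 022), and an open() that reuses
# or follows whatever already exists at that path.
def write_defaults_insecure(path, data)
  File.open(path, 'w') { |f| f.write(data.to_yaml) }
  path
end

# Hardened form: a fresh 0700 directory with an unpredictable name, and a
# file created with O_CREAT|O_EXCL (fails if anything, a symlink included,
# already exists at the path) and mode 0600.
def write_defaults_hardened(data)
  dir = Dir.mktmpdir('installer-defaults-')
  path = File.join(dir, 'default_values.yaml')
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(data.to_yaml)
  end
  path
end

def mode_of(path)
  File.stat(path).mode & 0o777
end

# Runs both writers in scratch directories (never the real /tmp path) and
# returns the permission bits each one produced.
def compare_modes
  old_umask = File.umask(0o022)
  scratch = Dir.mktmpdir('advisory-demo-')
  insecure = write_defaults_insecure(File.join(scratch, 'default_values.yaml'), SAMPLE_DEFAULTS)
  hardened = write_defaults_hardened(SAMPLE_DEFAULTS)
  { insecure: mode_of(insecure), hardened: mode_of(hardened),
    hardened_dir: mode_of(File.dirname(hardened)) }
ensure
  File.umask(old_umask) if old_umask
  FileUtils.remove_entry(scratch) if scratch
  FileUtils.remove_entry(File.dirname(hardened)) if hardened
end

if __FILE__ == $PROGRAM_NAME
  compare_modes.each { |name, mode| puts format('%-13s %04o', name, mode) }
end
```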