Release team meeting 2023-10-18

This is only the agenda.

Foreman 3.9

Schedule | 3.9.0 TODO | CI overview

Foreman 3.8

Schedule | 3.8.0 TODO | CI overview

Foreman 3.7

3.7.1 TODO | 3.7.1 DONE | CI overview

  • Release Foreman 3.7.1

Foreman 3.6

CI overview

  • EOL?

Katello 4.11

Katello 4.10

Katello 4.9

Katello 4.8

  • EOL?

Present: @ekohl, @pcreech, @Griffin-Sullivan, @iballou, @damoore

Foreman 3.9

There has been some talk about extending the stabilization week to a longer feature freeze. This would include the week where installer modules are released. Informally getting all changes in before the end of this month has been mentioned. This is mainly to avoid the delays we had with Foreman 3.8 where some larger changes were merged shortly before branching.

Foreman 3.8

Foreman 3.7.1

  • Planned for next Tuesday (2023-10-24). @Griffin-Sullivan will post the release procedure (and perform it).

Foreman 3.6

  • Will be EOL after 3.8.0 GA is announced

Katello 4.11

  • Nightly had outdated code, from Oct 6th, so about a week old. This is likely because katello-master-source-release [Jenkins] failed a few times and katello-master-package-release [Jenkins] is picking up the build that passed before last. @ekohl recalls this has been seen before, but it usually isn’t noticeable because we have sufficient new source builds.
  • Previously Katello didn’t have a more formal stabilization week. We’d like to make Katello follow the Foreman schedule to avoid delays.

Katello 4.10

Katello 4.9

Katello 4.8

  • Will be EOL once Katello 4.10.0 GA is announced

Reading the release notes for 3.8, they contain three CVEs. Are they going to be backported to 3.7.1, or are older versions not affected? As you cannot update Foreman until the matching Katello version has been released, it would leave environments vulnerable for a while.

I forgot to add one CVE-2023-4886 to Foreman :: Security (which I’ll do shortly) but it does list CVE-2022-4130 and CVE-2022-3874. I think all 3 are unlikely to be exploited.

For CVE-2023-4886 I’m leaning to skipping it for 3.7.1. It only affects Katello, and while the keystore password being world readable may sound bad, the store itself isn’t. And it’s been that way since the very first commit as far as I could find.

The others could be. IIRC @evgeni did think about those.

I would not backport "CVE-2022-3874: OS command injection via ct_command and fcct_command"; its exploitation is possible but not really severe (you gotta be admin on Foreman already, and then “all” you can do is execute a command as the “foreman” user), and I’d love to avoid backporting setting migrations :wink:

Can’t speak for "CVE-2022-4130: Blind SSRF via Referer header", not my beer.