Fwd: [foreman-announce] Foreman 1.5.1 security, bug fix and enhancement update

Maybe it's worth updating foreman

-------- Original Message --------
Subject: [foreman-announce] Foreman 1.5.1 security, bug fix and enhancement update
Date: Wed, 18 Jun 2014 13:25:10 +0100
From: Dominic Cleal <dcleal+g@redhat.com>
Reply-To: foreman-users <foreman-users@googlegroups.com>
To: foreman-announce <foreman-announce@googlegroups.com>, foreman-users <foreman-users@googlegroups.com>

Foreman 1.5.1 has been released, with many bug fixes for issues found in 1.5, three security fixes and a few minor features.

The security issues fixed are:

1. TFTP boot file fetch API permits remote code execution
   CVE identifier: CVE-2014-0007
   Redmine issue: http://projects.theforeman.org/issues/6086
   Affects all known Foreman versions

2. Stored cross site scripting (XSS) in notification dialogs
   CVE identifier: CVE-2014-3491
   Redmine issue: http://projects.theforeman.org/issues/5881
   Affects all known Foreman versions

3. Stored cross site scripting (XSS) in YAML preview
   CVE identifier: CVE-2014-3492
   Redmine issue: http://projects.theforeman.org/issues/6149
   Affects all known Foreman versions

Additional details are available on our security advisories page:
http://theforeman.org/security.html

Other notable changes are:

- VMware compute profile issues fixed (#5652)
- Puppet 3.6 smart proxy compatibility fixed (#5856)
- DHCP lease conflict issues with Discovery (#5637)
- New compute profiles API, fixed API host creation (#4250)
- Audit field length issue with smart class parameters (#5671)

The release also includes a new version of the Hammer CLI, version 0.1.1 with a number of features and fixes.

See the release notes and Redmine for full change lists:
http://theforeman.org/manuals/1.5/index.html#Releasenotesfor1.5.1
http://projects.theforeman.org/rb/release/16

==== Upgrading ====

Fully supported with package upgrades from both 1.4 and 1.5.0.

Packages are in yum.theforeman.org / deb.theforeman.org under the "1.5" directories or components.

Please read the instructions here:
http://theforeman.org/manuals/1.5/index.html#3.6Upgrade

--
Dominic Cleal
Red Hat Engineering

On Wed, Jun 18, 2014 at 03:30:52PM +0200, David Caro wrote:
Maybe it's worth updating foreman
Given we already run 1.5.0 and I'm doing so now. Foreman may be unavailable for a few minutes.
_______________________________________________ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra

On Thu, Jun 19, 2014 at 10:38:12AM +0200, Ewoud Kohl van Wijngaarden wrote:
On Wed, Jun 18, 2014 at 03:30:52PM +0200, David Caro wrote:
Maybe it's worth updating foreman
Given we already run 1.5.0 and I'm doing so now. Foreman may be unavailable for a few minutes.
I should have sent an email right after the update, but the upgrade went smoothly. If you notice any issues, please report them.