1. Foreman 3.19 release notes

1.1. Headline features

1.1.1. User interface & experience

Foreman recurring tasks use standardized rake tasks and systemd timers

In this release, recurring Foreman maintenance tasks are no longer managed by ad‑hoc cron jobs. Instead, they now run through a standardized set of rake tasks, managed in /etc/cron.d/foreman. This change provides a more container‑native approach and enables plugins to register their tasks by using the Foreman::Cron framework.

Foreman core provides the following rake tasks:

  • foreman-rake cron:hourly

  • foreman-rake cron:daily

  • foreman-rake cron:weekly

  • foreman-rake cron:monthly

Users can no longer freely customize arbitrary schedules for these core recurring jobs. This is an intentional limitation to keep behavior more predictable and maintainable.

Important

During upgrade, existing cron schedules are not automatically detected or preserved. After upgrading, recurring jobs run on the new standardized schedules. If you previously relied on custom timings, review the new behavior and adjust any custom automation.
All Hosts page improvements

The All Hosts page has been enhanced for easier management of host collections and system purpose. You can now more efficiently make changes for multiple hosts at once.

React migration and PatternFly 5 components

Foreman 3.19 continues the UI modernization with migration of the Models page to React and updates to PatternFly 5 components including ActionButtons, PersonalAccessTokens, Charts (Area, Bar), and PageLayout. This provides improved performance and accessibility.

Notification management improvements

New features for managing notifications allow cleaning up all notifications or filtering by blueprint, with improved display of server messages in the UI and better notification title visibility.

1.1.2. Infrastructure & platform updates

Agama installer support

Added support for the Agama installer (SLES16), expanding Foreman’s provisioning capabilities for SUSE Linux Enterprise systems.

1.2. Upgrade warnings

HTTPS-only host registration

Host registration now uses HTTPS for the /unattended/built endpoint. This means that registration no longer requires Port 80, and it is not possible to use Port 80 during registration.

Registration template cleanup

The redhat_register snippet has been updated to remove references to deprecated Spacewalk and auto-attach functionality. Custom templates extending this snippet may need updates.

1.3. Deprecations

Hammer CLI plugin Admin is deprecated

As an alternative, you can use the foreman-installer to manage your Foreman server or Smart Proxy server.

PatternFly 3 components

The following PatternFly 3 components are deprecated and will be removed in a future release. Migrate to PatternFly 5 equivalents:

  • PF3-based table implementation

  • Unused PF3 buttons

  • PF3-based SearchInput component

  • RedirectCancelButton

Form components

Multiple form-related components have been deprecated in favor of PatternFly 5 alternatives:

  • forms/Form.js

  • forms/TextField

  • forms/RadioButtonGroup

  • forms/DateTime

  • Multiple components in common/forms/*

Use the PatternFly 5 form components for new development.

2. Katello 4.21 release notes

2.1. Headline features

Content credentials page modernized

The content credentials page has been rewritten in React with modern Patternfly styling. The page functions the same as before. https://projects.theforeman.org/issues/39197

Container image tagging restored in Hammer CLI

You can now tag container images by using Hammer CLI again. https://projects.theforeman.org/issues/39186

Pulp 3.105 required

Katello now requires Pulp 3.105. If you interact directly with certain Pulp APIs, expect breaking changes, for example events switching from asynchronous to synchronous. Consult the Pulp 3.105 to 3.85 changelog for more details.

Expanded foreman-maintain reports

The foreman-maintain report now includes significantly more Katello-specific data about your environment:

  • Count of all content types

  • Rolling content view publication information

  • Counts of all host types: image-mode, smart-proxy assigned, and multi content view

2.2. Upgrade warnings

Python content on Smart Proxies requires a complete sync

If you have Smart Proxies syncing Python content from Foreman, run a complete sync on those Smart Proxies after the upgrade. This is required because of changes to Python distributions in Pulp 3.105.

Host groups use a single content view environment

Host groups are now associated with a single content view environment, rather than separate content view and lifecycle environment fields. Before upgrading, ensure the following:

  • Host groups must either assign both the content view and lifecycle environment fields, or assign neither field. This avoids breaking host group inheritance.

  • Do not rely on host group inheritance to compose a content view environment from separate lifecycle environment and content view assignments.

  • The content views and lifecycle environments on your host groups must be coherent. The content view of the host group must be promoted to the lifecycle environment of the host group.

2.3. Deprecations

There are no deprecations with Katello 4.21.

3. Foreman 3.19.0

You can find the complete list of changes on Redmine.

3.1. Foreman

  • TableIndexPage does not show server messages correctly - #39285

  • Use new_host_path for Notification - #39279

  • Support to clean up all notifications - #39278

  • Unused prop "showHide" in Editor - #39273

  • Navigation search shortcut placeholder - #39243

  • Deprecate PF3-based table implementation - #39235

  • CVE-2026-24001 nodejs-diff: denial of service vulnerability in parsePatch and applyPatch - #39234

  • Broken Apipie DSL cache generation and help section in live docs - #39233

  • Host deletion notification is gone after page refreshed on host delete on new host ui - #39227

  • Fix RHSM OS race condition reintroduced by recent refactor - #39226

  • Authorizer checks cause queries to include unnecessary taxonomy-related joins - #39209

  • Migrate Model Pages to React - #39200

  • Update ActionButtons to PF5 - #39182

  • All hosts- Add action – Configure Notifications - #39181

  • Facts upload fails due to new Cloud Billing - #39180

  • Deprecate unused PF3 buttons - #39174

  • Deprecate PF3-based common/SearchInput component - #39171

  • Fix of #38972 could make existing Foreman environment doesn't work - #39165

  • Update PF3 components in PersonalAccessTokens with PF5 components - #39164

  • Deprecate RedirectCancelButton - #39160

  • Exclude last_used_at from PersonalAccessToken auditing to prevent taxable_taxonomies bloat - #39158

  • Move robottelo test to upstream - #39152

  • Update developer docs for Foreman::Cron - #39151

  • Reports still reference obsolete subscription data - #39127

  • Foreman UI Displays Wrong Number of Hosts When Filter By Report Origin (Puppet , Ansible) - #39110

  • power manager should allow proxmox values - #39109

  • Fix taxonomy creation for unprivileged users due to callback ordering and cache issues - #39106

  • typo POWER_REQURST_KEY should be POWER_REQUEST_KEY - #39105

  • Ubuntu Autoinstall (preseed cloud-init) does not apply `time-zone` - #39100

  • Deprecate multiple components in common/forms/* - #39098

  • Deprecate forms/TextField - #39097

  • Deprecate forms/RadioButtonGroup - #39096

  • Deprecate forms/DateTime - #39095

  • Allow to overwrite boot_order for libvirt - #39094

  • Update Table component to wrap table headers for better readability - #39086

  • Rebuild host only if host turned off - #39067

  • update EditorHostSelect to pf5 - #38916

  • Support for Agama installer (SLES16) - #38877

  • Power status icon in new All Hosts page needs to be centered - #38749

  • deprecate foremans forms/Form.js - #38470

  • Deprecate bindMethods function as it is not used anywhere in Foreman - #36455

  • db:seed should run on every upgrade even if there are no changes to seed files directly - #35375

3.1.1. API

  • Allow VM ids with dots in the compute_resources controller - #39123

  • Importing from a compute resource with a UUID parameter is not documented - #38526

3.1.2. BMC

  • Redfish power operation fails due to certificate authentication error with FQDN - #38972

3.1.3. Development tools

  • dev docs - Patternfly 3 to Patternfly 5 guidance - #39166

3.1.4. Host registration

  • redhat_register snippet still has references to Spacewalk and auto attach - #39272

3.1.5. Inventory

  • Accessing new host index page without view hosts permission displays the page with a 403 error - #39103

  • Host status is not recalculated on new All Hosts page, leading to stale values possibly being displayed - #39068

  • New All Hosts - Change Hostgroup modal has bad UX while hostgroups are loading - #38760

3.1.6. JavaScript stack

  • JS lint in plugins fails if package is only defined in core - #39063

3.1.7. Notifications

  • Notifications title is cut by the header when instance title is set - #39069

3.1.8. Orchestration

  • Compute orchestration methods setCompute and delCompute run on unmanaged hosts - #39142

3.1.9. Packaging

  • CVE-2026-33176: Active Support Denial of Service via large scientific notation strings - #39190

  • Install libffi-devel to be able to build fiddle - #39124

3.1.10. Reporting

  • Cloning a locked report template via Hammer creates a locked clone - #39173

3.1.11. Security

  • CVE-2026-1961: Remote Code Execution via command injection in WebSocket proxy - #39121

3.1.12. Templates

  • Can't clone locked Partition table in API - #39176

  • All communication should happen only over https during global registration execution - #39131

  • db:seed should report failing template - #35316

  • iPXE bootstrap and global handling is incorrect - #32563

3.1.13. Tests

  • Allow plugins to import core js test config - #39144

3.1.14. Unattended installations

  • openSUSE Leap 15 provisioning not working - #36947

3.1.15. VM management

  • VMware - Normalize firmware type in clone args - #39310

3.1.16. Web Interface

  • AutocompleteInput doesn't allow to select typed value - #39311

  • prevent global override of radio position - #39275

  • Add helper method for handling bulk modal states after removal of ForemanModal - #39134

  • Update Area Chart to PatternFly5 - #39070

  • Update PageLayout to use PF5 - #39059

  • Update BarChart to Patternfly5 - #38879

3.2. Hammer CLI - Foreman

  • Provide empty provider_vm_specific_fields in cr::base - #39126

  • Always print vm data, even if the provider is absent - #39125

3.3. Installer

  • Registration command generation via REST API fails on Smart Proxy servers in isolated networks - #39119

3.3.1. Foreman modules

  • Add Apache config support for `/pypi` in puppet-pulpcore - #39242

  • Configure container gateway DB max connections and pool timeout - #39093

3.4. Packaging

3.4.1. Debian/Ubuntu

  • Migrate Foreman DEB packaging to use consolidated cron entrypoints - #39161

3.4.2. RPMs

  • Migrate Foreman RPM packaging to use consolidated cron entrypoints - #39089

  • lodash: Bump from 4.17.21 to 4.17.23 due to CVE-2025-13465 - #39081

3.5. Smart Proxy

  • Boot order cannot be changed to PXE via Redfish (ETag required but not handled) - #38914

3.5.1. BMC

  • IP address not retrieved when using SSH API of BMC - #38973

3.5.2. Tests

  • smart-proxy test failures due to rake 13.4.2 breaking ci_reporter_test_unit - #39315

4. Katello 4.21.0

You can find the complete list of changes on Redmine.

4.1. Katello

  • Fix typos and scan issues for rubygem-katello - #39136

  • Structured APT migration rake task not marked as applied if there are no deb repos during upgrade - #39091

  • Remove remainder of entitlement mode code - #39078

  • Add warning for Change Content Source - #39072

4.1.1. Activation Key

  • API call to list the activation keys associated with a specific lifecycle environment returns all activation keys in the organization - #39252

  • Remove activation key in host group does not work in Web UI - #38928

4.1.2. Alternate Content Sources

  • Add Alternate Content Source for Deb Repositories - #38905

4.1.3. Bootable Containers

  • Sanitize order input bootc_images - #39306

4.1.4. Container

  • Repository update ID parameter in hammer command in docker repos is failing - #39186

4.1.5. Content Credentials

  • Missing validation to prevent CC deletion when used by ACS - #39309

  • Content credentials - new details page - #39197

  • New Content Credentials Page - Index page - #39140

  • Content Credentials - set up initial infrastructure in React - #39139

4.1.6. Content Views

  • Issue when creating filter in content view using openssl package - #39217

  • Incremental update of content view version should throw error when no content is added - #39214

  • Unable to delete empty CCV - #39155

  • Replace DeleteLatestContentViewVersion with execution plan callback - #39150

  • CV create lacks useful information in task list view - #39082

  • Composite content view auto publish will be triggered while other component content views are still publishing - #38856

4.1.7. Foreman Proxy Content

  • n-1/2 Smart Proxy syncs with publication-less Python-type repositories on Pulp 3.105+ - #39289

  • Incorrect smart proxy Sync Status after failure - #39203

  • orphan cleanup triggers CapsuleContent::UpdateContentCounts regardless of automatic_content_count_updates setting - #39112

4.1.8. Host Collections

  • Need to add flow for bulk-assigning Host Collections when there are no HCs in the system - #38843

4.1.9. Hosts

  • Activation Keys tab is blank when creating/editing HostGroup - #39284

  • Applicable/Installable toggle is hidden for hosts assigned to rolling content views - #39282

  • Unable to save host configuration due to missing variant_repos method - #39258

  • Hosts end up with a nil content source when registered to a foremanctl setup - #39257

  • Hostgroup::ContentFacet should have 1:1 relationship to Content View Environment - #39223

  • As an external Smart Proxy user, the web UI allows me to change hosts' content source and preserve multi-environment hosts - #39216

  • Remove redundant Candlepin pre-flight check and cache /rhsm/status response - #39204

  • Installable updates column has no space between icon and number of updates - #39170

  • Replace JS snapshot tests – Registration Commands - #39168

  • Host links from Packages Details page open Legacy UI instead of new Web UI - #39147

  • Update import of useBulkModal in Katello - #39138

  • bootc information is nullified after Ansible facts upload - #39135

  • MultiCV will get reset after editing a host - #39122

  • Katello:clean_backend_object takes a long time to complete - #38997

4.1.10. Orchestration

  • Integrate Katello recurring tasks with Foreman::Cron#11633 - #39114

4.1.11. Organizations and Locations

  • Migrate SetOrganization from pf3 to pf5 - #39307

  • Organization delete fails with HasManyThroughNestedAssociationsAreReadonly on environment destroy - #39280

  • API docs for organizations still show taxonomy params - #39084

4.1.12. Repositories

  • Some Pulp tasks not tracked due to change in Pulp update APIs - #39305

  • Replace JS snapshot tests - Misc components - #39215

  • Stop using Python publications with pulp_python 3.27 - #39205

  • Replace JS snapshot tests - PF3 components - #39201

  • Replace JS snapshot tests – OrganizationProducts - #39179

  • Replace JS snapshot tests - Content Details - #39178

  • Custom repository sync does not work without the upstream password - #39172

  • Importing content from an URL generates repositories with download_policy on-demand - #39162

  • Add extensions repo to Recommended Repositories - #39157

  • Protected Content should be excluded from Orphan Cleanup - #39116

  • Bump pulp-deb bindings to 3.8 - #39032

  • Migrate sync status page to React - #38901

4.1.13. Subscriptions

  • Error on Subscriptions UI page - #39295

  • Refactor manifest import so Katello no longer consumes Candlepin events - #38953

4.1.14. Tooling

  • Move theforeman-rubocop dependency to Gemfile - #39270

4.1.15. Upgrades

  • Create upgrade job to remove publications for all Python repositories in Pulp database - #39241

  • Update gemspec for Pulp 3.105 bindings - #39145

4.1.16. Web UI

  • Migrate Module Streams to Generic UI and update from PF3 to PF5 - #39267

Appendix A: Foreman contributors

We’d like to thank the following people who contributed to the Foreman 3.19 release:

Adam Lazik, Adam Růžička, Alexander Olofsson, Andrei Lakatos, Archana Kumari, Bastian Blank, Bernhard Suttner, Christian Paruzel, Cole Higgins, Danny Synk, Dirk Götz, Evgeni Golov, Ewoud Kohl van Wijngaarden, Gene Liverman, Jakub Duchek, Jeremy Lenz, Jonathon Turel, Karolina Malyjurkova, Ladislav Vasina, Leos Stejskal, Lucy Fu, Lukas Hellebrandt, Lukas Jezek, Lukáš Ježek, Marek Hulán, Maria Agaphontzev, Markus Bucher, Nadja Heitmann, Nofar Alfassi, Odilon Sousa, Oleh Fedorenko, Ondřej Gajdušek, Pablo Méndez Hernández, Pavan Soma Shekar, Peter Ondrejka, Shubham Ganar, Susumu Sakamoto, Tim Meusel, Vanou Ishii, Yury Bushmelev, Yusuke Hirota, Zach Huntington-Meath, andreilakatos, rvasikarla, tlabaj

As well as all users who helped test releases, report bugs and provide feedback on the project.

Appendix B: Katello contributors

Adam Lazik Aiden Fine Bernhard Suttner Eric Helms Ian Ballou Jeremy Lenz Jonathon Turel Ladislav Vašina Lucy Fu Lukáš Ježek Nofar Alfasi Oleh Fedorenko Pablo Méndez Hernández Pavan Soma Shekar Quinn James Samir Jha Samuel Bible Tobias Grigo Vijaykumar Sawant Vladimir Sedmik Zach Huntington-Meath

Pre-release version Report issue