Chef 0.10.2 and 0.9.18 released!

Chef 0.10.2 and 0.9.18 have been released on RubyGems. This is a critical security update to Chef Server, and it is recommended that all open-source Chef Server users upgrade as soon as possible. Users of Opscode’s Hosted Chef and Private Chef are not affected. For those unable to upgrade, the patch is available on GitHub.

The issue (CHEF-2436) being patched is that non-admin clients in the open-source server were able to upload and delete cookbooks. This could potentially allow privilege escalation in an already compromised network. No known exploits exist at this time.

Chef 0.10.2 contains only the relevant security fix. Chef 0.9.18 contains the security fix as well as the following bug fixes:

  • CHEF-2234: dpkg package provider ignores ~ in versions
  • CHEF-2129: Old zypper versions will crash because they don’t know the command line arguments
  • CHEF-2367: Support multiple lines in DAEMONS list in rc.conf on Arch linux
  • CHEF-2274: Shef does not seem to include the chef libraries
