Security Releases: Omnibus 2.0.2 and 3.2.2 (insecure file ownership in Omnibus-built Debian and Ubuntu packages)

Ohai everyone, We have released Omnibus 2.0.2 and Omnibus 3.2.2 to address an issue in which the contents of Omnibus-built Debian and Ubuntu packages are being installed with an arbitrary non-root UID and GID. This issue would allow a user with that UID and GID to replace the contents of the installed files and have […]


Security Releases: Chef Server and Premium Features (insecure file ownership)

Today we are announcing security releases of all supported versions of the Chef Server, Enterprise Chef, and Chef Software-built premium features. These releases address package ownership issues on Debian-based platforms that result in Omnibus-built packages installing with contents owned by UID and GID 999 or 1001. This vulnerability allows a non-root attacker to modify or […]


Security Releases: Chef Client and Related Products (insecure file ownership)

Today we are announcing security releases of all supported versions of the Chef Client, ChefDK, Chef Container and the Push Jobs client. These releases address package ownership issues on Debian-based platforms. Platforms: Ubuntu Linux, Debian Linux. Description: Chef products installed from Debian-style .deb packages created files under /opt/<install_dir> with ownership by UID 999 or other […]


Chef & Rails CVE-2014-3482

At 17:11 UTC, the Rails security team publicized CVE-2014-3482 and CVE-2014-3483. In short, this vulnerability is related to the PostgreSQL adapter in ActiveRecord. A bug in the SQL quoting code could allow an attacker to carefully craft a request and execute a SQL injection. Only applications which query against bitstring or range type columns were […]


Chef Client Windows Patches for OpenSSL CVE-2014-0224 Vulnerability

Ohai Chefs, We have just released Chef Client versions 11.12.8-2 and 10.32.2-3, which include the mitigation for the recently reported OpenSSL vulnerability [CVE-2014-0224](https://www.openssl.org/news/secadv_20140605.txt). Note that after installing these builds, if you check the OpenSSL version using `OpenSSL::OPENSSL_VERSION` you will see `OpenSSL 1.0.0k 5 Feb 2013`. This is because we are using pre-compiled binaries for Windows […]
