We’ve verified that for Windows platforms only, the Chef Client, Chef DK, and Push Jobs Client packages contain versions of the bash command interpreter that are affected by CVE-2014-6271, the “ShellShock” advisory. Chef Software has reviewed the advisory and does not believe that this presents a critical risk to users because the bash shell is […]
Security Releases: Omnibus 2.0.2 and 3.2.2 (insecure file ownership in Omnibus-built Debian and Ubuntu packages)
Ohai everyone, We have released Omnibus 2.0.2 and Omnibus 3.2.2 to address an issue in which the contents of Omnibus-built Debian and Ubuntu packages are being installed with an arbitrary non-root UID and GID. This issue would allow a user with that UID and GID to replace the contents of the installed files and have […]
Security Releases: Chef Server and Premium Features (insecure file ownership)
Today we are announcing security releases of all supported versions of the Chef Server, Enterprise Chef, and Chef Software-built premium features. These releases address package ownership issues on Debian-based platforms that result in Omnibus-built packages installing with contents owned by UID and GID 999 or 1001. This vulnerability allows a non-root attacker to modify or […]
Security Releases: Chef Client and Related Products (insecure file ownership)
Today we are announcing security releases of all supported versions of the Chef Client, ChefDK, Chef Container and the Push Jobs client. These releases address package ownership issues on Debian-based platforms. Platforms: Ubuntu Linux, Debian Linux. Description: Chef products installed from Debian-style .deb packages created files under /opt/<install_dir> with ownership by UID 999 or other […]
OpenSSL security advisory response: 6 Aug 2014
Chef Software has reviewed the following security advisory and does not believe that this represents a critical security risk to our users. OpenSSL Security Advisory The next planned release of all affected products will include an updated OpenSSL version; we will not have an exploit-specific release. If new information causes us to re-evaluate our position […]
Chef & Rails CVE-2014-3482
At 17:11 UTC, the Rails security team publicized CVE-2014-3482 and CVE-2014-3483. In short, this vulnerability is related to the PostgreSQL adapter in ActiveRecord. A bug in the SQL quoting code could allow an attacker to carefully craft a request and execute a SQL injection. Only applications which query against bitstring or range type columns were […]
Chef Server 11.1.3 Security Release
Enterprise Chef Server 11.1.3 is a security release to address a PostgreSQL configuration error. The defect allows any local user on the system hosting the Chef Server’s PostgreSQL components full access to databases. We advise all Chef Server users to update to this latest release which corrects the error.
Enterprise Chef Server 1.4.13 Release
Enterprise Chef Server 1.4.3 is a security release to address a PostgreSQL configuration error. The defect allows any local user on the system hosting the Chef Server’s PostgreSQL components full access to databases. We advise all Chef Server users to update to this latest release which corrects the error.
Enterprise Chef Server 11.1.8 Release
Enterprise Chef Server 11.1.8 is a security release to address a PostgreSQL configuration error. The defect allows any local user on the system hosting the Chef Server’s PostgreSQL components full access to databases. We advise all Chef Server users to update to this latest release which corrects the error.
Chef Client Windows Patches for OpenSSL CVE-2014-0224 Vulnerability
Ohai Chefs, We have just released Chef Client versions 11.12.8-2 and 10.32.2-3, which include the mitigation for the recently reported OpenSSL vulnerability CVE-2014-0224. Note that after installing these builds, if you check the OpenSSL version using `OpenSSL::OPENSSL_VERSION` you will see `OpenSSL 1.0.0k 5 Feb 2013`. This is because we are using pre-compiled binaries for Windows […]