We have a release today for both the 11.x and 10.x Chef Client tracks. This release is compatible with the changes in the recent 1.7.7 release of the JSON gem that worked around a DoS vulnerability by disabling the create_additions option by default. Chef used this feature, so we had to make a few changes to make progress toward removing its use, which we’ve been planning for a while (CHEF-1330).
One consequence of this is that you will no longer get a Chef object returned from JSON.parse.
[sourcecode gutter="false"]
# Before JSON 1.7.7
chef > JSON.parse('{"json_class": "Chef::Node", "name": "bob", "run_list": []}').class
=> Chef::Node
# JSON 1.7.7+
chef > JSON.parse('{"json_class": "Chef::Node", "name": "bob", "run_list": []}').class
=> Hash
[/sourcecode]
If you were leveraging JSON.parse in your own code, we have a compatibility layer in Chef::JSONCompat. Also, you can still enable create\_additions in JSON 1.7.7, but it is no longer the default and whatever JSON you are parsing would be vulnerable to the DoS attack: JSON.parse(json\_string, :create_\additions => true)
### MVPs
Vaidas Jablonskis recently whipped up fedora packages for the Chef 11 Client, he’s our Chef 11.4.0 MVP!
Brian Bianco filed the first bug for the JSON issue and provided a patch that we took a bit further. Thanks Brian, you’re the Chef 10.22.0 MVP! Brian maintains the ‘redisio‘ cookbook, if you are a redis user you should go check it out.
### Gem Checksums
Chef 11.4.0: 45c3b69746c93dabcb33b253a830735a16cfc6a548e1e957ca952016d49ecfea
Chef 10.22.0: 80e285cef0f8668b13e51888cf763f537042e2b30e8b6f710b1e4d7248e433bc
### Release notes
Chef Client 11.4.0 + Chef 10.22.0 both include this bug-fix:
[CHEF-3863] – chef-client Failing When Dependent on JSON 1.7.7 Gem
Chef 10.22.0 also includes this fix which was previously released in Chef Client 11.0.0:
[CHEF-3467] – Permissions Not Inherited from Parent on Child Object cookbook_file (Windows)
