Chef Confirms No Products Affected by Backdoored RubyGems

At Chef, we have a cross-functional security team that evaluates and responds to potential security incidents. Because a significant portion of our code uses Ruby and Ruby libraries (known as “gems”), we have been paying close attention to the reports of malicious code insertion into several gems. Shortly after the news of the compromise became […]

Supermarket 2.3.2 Security Release

Supermarket 2.3.2* is now available. This release contains bug fixes, minor enhancements, and security updates. Supermarket version 2.3.2 is a recommended update for all users running their own instances of Supermarket. Packages are available in the stable repository. Upgrading to this version can be as simple as a chef-client run on your hosts—if you’ve left […]

Security Releases: Chef Server 12, Enterprise Chef 11, Chef Manage

Ohai Chefs! Today we have releases of Chef Server 12.1.0, Enterprise Chef Server 11.3.2, and Chef Manage 1.17.0, which contain the following security updates. Redis 2.8.21: This update addresses CVE-2015-4335, a remote code execution vulnerability in Redis. We recommend that users of Chef Manage and of Chef Server in HA or Tiered topologies update as […]

Security Release: Chef Server 12.0.1 and Enterprise Chef Server 11.2.6

Available for immediate download are Chef Server 12.0.1 and Enterprise Chef Server 11.2.6. This release addresses CVE-2014-8144, a CSRF vulnerability found in doorkeeper, a gem used by the oc-id service that ships with the Chef Server. This release updates oc-id to the latest version, 0.4.4, which contains the patched doorkeeper gem. Open Source Chef Server 11 […]

Chef Client Windows Patches for OpenSSL CVE-2014-0224 Vulnerability

Ohai Chefs, we have just released Chef Client versions 11.12.8-2 and 10.32.2-3, which include the mitigation for the recently reported OpenSSL vulnerability [CVE-2014-0224](https://www.openssl.org/news/secadv_20140605.txt). Note that after installing these builds, if you check the OpenSSL version using `OpenSSL::OPENSSL_VERSION` you will see `OpenSSL 1.0.0k 5 Feb 2013`. This is because we are using pre-compiled binaries for Windows […]
