Chef Server Security Updates

This morning we released Enterprise Chef Server 11.0.2 and Chef Server 11.0.10. We recommend all users upgrade to these new versions to pick up the following security fixes:

  • Nginx [CVE-2013-4547] – access restriction bypass caused by mishandling of an unescaped space character in the request URI
  • Solr [CHEF-4792] – insecure JMX settings disabled; left enabled, they could have allowed remote code execution
  • Rails [CVE-2013-4389] – possible denial of service in Action Mailer
  • Ruby 1.9.2 [CVE-2013-4164] – heap overflow in floating point parsing
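The check a practitioner wants after an advisory like this is whether each installed server is at or above the fixed release. The script below is an added example, not part of the original post and not Chef's own tooling. It assumes installed versions are reported in the omnibus package form `<upstream version>-<build iteration>` (for example `11.0.8-1` or `11.0.10-1.ubuntu.12.04`); the hostnames and inventory are constructed samples. It handles two pitfalls that bite here: a plain string sort ranks 11.0.8 above 11.0.10, and `Gem::Version` reads the `-1` build iteration as a prerelease tag, so `11.0.10-1` would wrongly compare as older than `11.0.10` unless the suffix is stripped first.

```ruby
require 'rubygems' # provides Gem::Version (already loaded on Ruby 1.9+, kept explicit)

# Minimum releases carrying the fixes announced above (taken from the post).
FIXED_VERSIONS = {
  'chef-server'     => '11.0.10',
  'enterprise-chef' => '11.0.2',
}.freeze

# Assumed omnibus package versions such as "11.0.8-1" or "11.0.10-1.ubuntu.12.04"
# carry a package build iteration after the first "-". That suffix is not part of
# the upstream version, and Gem::Version would read "11.0.10-1" as the prerelease
# "11.0.10.pre.1", which sorts *below* 11.0.10. Strip it before comparing.
def upstream_version(package_version)
  Gem::Version.new(package_version.to_s.strip.split('-', 2).first)
end

# True when the installed package is older than the release that fixes the
# issues listed in this advisory.
def needs_upgrade?(product, installed)
  fixed = FIXED_VERSIONS.fetch(product) do
    raise ArgumentError, "no fixed version known for #{product.inspect}"
  end
  upstream_version(installed) < Gem::Version.new(fixed)
end

# Highest version in a list, compared segment by segment rather than as
# strings (a string sort would rank 11.0.8 above 11.0.10).
def latest_version(package_versions)
  package_versions.max_by { |v| upstream_version(v) }
end

# Constructed sample inventory: hostname => [product, installed package version].
SAMPLE_HOSTS = {
  'chef1.example.internal' => ['chef-server',     '11.0.8-1'],
  'chef2.example.internal' => ['chef-server',     '11.0.10-1.ubuntu.12.04'],
  'ec1.example.internal'   => ['enterprise-chef', '11.0.1-1'],
}.freeze

# Returns the hostnames that still need the security release.
def hosts_needing_upgrade(hosts = SAMPLE_HOSTS)
  hosts.select { |_, (product, installed)| needs_upgrade?(product, installed) }.keys
end

if $PROGRAM_NAME == __FILE__
  hosts_needing_upgrade.each { |host| puts "#{host}: upgrade required" }
end
```

Feed `hosts_needing_upgrade` a hash built from whatever your package manager reports and it returns only the hosts below the fixed version; `chef2` above is correctly reported as patched despite its distribution suffix.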

A special thanks goes to James Ogden of Technophobia for alerting us to the JMX vulnerability.

  • Conrad Heiney

    Any release notes for client 11.8.2?

    • Bryan McLellan

      Coming shortly, along with a 10.30.0 release.

      • Conrad Heiney

        Cool thanks.

  • Michael Stucki

    I’m wondering, why is 11.0.8 still the highest ranked version in the download list? (I assume it uses alphabetical sorting, but that’s obviously wrong…)

    I also think that it makes no sense to list outdated versions on the main download page. Instead, I suggest to move them to a separate page, like MariaDB has done it:

    • Guest

      Should be updated now.

      • Michael Stucki

        No, still looks the same as before.

  • Mathieu Sauve-Frankel

    Do these builds contain the gecode-based depsolver?

    • Seth Chisamore

      These builds are security/hotfix releases that only fix the vulnerabilities listed above.

      That being said, Enterprise Chef has used the gecode-based depsolver since version 11.0.0. The forthcoming version of Chef Server will also begin using gecode for depsolving.