Chef 0.10.2 and 0.9.18 released!


#1

Chef 0.10.2 and 0.9.18 have been released on RubyGems. This is a critical
security update to Chef Server and it is recommended that all open-source Chef
Server users upgrade as soon as possible. Users of Opscode’s Hosted Chef and
Private Chef are not affected. For those unable to upgrade, the patch is
available on GitHub: https://github.com/opscode/chef/commit/a4ea6edab2fecb922f999cffb0daa04eeeec7a26#diff-0.

The issue being patched is that non-admin clients in the open-source server were
able to upload and delete cookbooks. This could potentially allow privilege
escalation in an already compromised network. No known exploits exist at this
time.

Chef 0.10.2 contains only the relevant security fix. Chef 0.9.18 contains the
security fix as well as the following bug fixes:

  • CHEF-2234: dpkg package provider ignores ~ in versions
  • CHEF-2129: Old zypper versions will crash because they don’t know the command-line arguments
  • CHEF-2367: Support multiple lines in DAEMONS list in rc.conf on Arch Linux
  • CHEF-2274: Shef does not seem to include the chef libraries
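The announcement only describes the flaw in one sentence: non-admin clients could upload and delete cookbooks. The following Ruby is an added illustration, not Chef's own server code, modelling that authorization gap with the weak policy beside the corrected one, plus a small review helper for operators who exposed an unpatched server and want to see which non-admin clients modified cookbooks. `Client`, `CookbookAcl`, the `dispatch` status codes and the request-log format are all constructed here.

```ruby
# Added illustration, not Chef's own code: a toy model of the authorization gap
# described in the announcement, with the weak policy beside the corrected one.
# Client, CookbookAcl and the request-log format below are all constructed here.

Client = Struct.new(:name, :admin) do
  def admin?
    admin
  end
end

module CookbookAcl
  MUTATING = %w[PUT POST DELETE].freeze

  # Weak policy (the pre-fix behaviour described in the thread): any request
  # that carries a valid client identity may modify cookbooks.
  def self.weak_allowed?(client, _method)
    !client.nil?
  end

  # Corrected policy: every authenticated client may still read cookbooks
  # (nodes need that to converge), but mutating requests require an admin client.
  def self.strict_allowed?(client, method)
    return false if client.nil?
    return true unless MUTATING.include?(method)

    client.admin?
  end

  # Route a request at the cookbooks endpoint and return an HTTP status code.
  def self.dispatch(client, method, policy: :strict)
    return 401 if client.nil?

    allowed = policy == :strict ? strict_allowed?(client, method) : weak_allowed?(client, method)
    allowed ? 200 : 403
  end
end

# Review helper for servers that were exposed before upgrading: given access-log
# style entries (constructed format: "client method path admin|client"), return
# the cookbook mutations made by non-admin clients.
def non_admin_cookbook_mutations(log_lines)
  log_lines.each_with_object([]) do |line, found|
    client, method, path, role = line.split
    next unless path.start_with?("/cookbooks") && CookbookAcl::MUTATING.include?(method)
    next if role == "admin"

    found << { client: client, method: method, path: path }
  end
end

# Constructed sample log: one admin upload, one node read, two node mutations.
SAMPLE_LOG = [
  "ops-admin PUT /cookbooks/apache2/1.0.1 admin",
  "web01.example GET /cookbooks/apache2/1.0.1 client",
  "web01.example PUT /cookbooks/apache2/1.0.2 client",
  "db01.example DELETE /cookbooks/mysql/0.9.0 client",
  "db01.example GET /nodes/db01.example client"
].freeze

if __FILE__ == $PROGRAM_NAME
  node  = Client.new("web01.example", false)
  admin = Client.new("ops-admin", true)
  puts "weak   node  PUT    -> #{CookbookAcl.dispatch(node, 'PUT', policy: :weak)}"   # 200
  puts "strict node  PUT    -> #{CookbookAcl.dispatch(node, 'PUT')}"                  # 403
  puts "strict node  GET    -> #{CookbookAcl.dispatch(node, 'GET')}"                  # 200
  puts "strict admin DELETE -> #{CookbookAcl.dispatch(admin, 'DELETE')}"              # 200
  non_admin_cookbook_mutations(SAMPLE_LOG).each { |hit| puts "review: #{hit}" }
end
```

The point the model makes is that authentication (the request was signed by a known client key) is not authorization: a node's client key is on every managed machine, so the corrected policy keeps reads open and gates writes on the admin flag. The log review is only as good as the access records the server kept; it is a starting point for deciding which cookbooks to re-verify against source control, not proof of compromise.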

#2

Anything besides “gem install chef-server chef” required for 0.10.0 install?

-J

On Wed, Jun 29, 2011 at 1:51 PM, Noah Kantrowitz <noah@coderanger.net> wrote:

#3

On Wednesday, June 29, 2011 at 1:07 PM, Jason J. W. Williams wrote:

Anything besides “gem install chef-server chef” required for 0.10.0 install?

-J
If you’ve installed from gems, gem install chef-server plus a reboot of chef-server should do it.

We’ll get apt packages out as soon as we can.


Dan DeLeo

#4

Did that but the WebUI still reads 0.10.0 so I was curious.

-J

On Wed, Jun 29, 2011 at 2:09 PM, Daniel DeLeo <dan@kallistec.com> wrote:

#5

Issue a sudo /etc/init.d/chef-server-webui restart and it should correct it.

On Wed, Jun 29, 2011 at 3:10 PM, Jason J. W. Williams <jasonjwwilliams@gmail.com> wrote:

#6

Already did that. Not an idiot. :)

-J

On Wed, Jun 29, 2011 at 3:31 PM, Bryan Brandau <agent462@gmail.com> wrote: