Chef 13.12.14 Released!

Hey Everyone,

We're happy to announce the release of Chef 13.12.14! This release brings in a few bug fixes and some important security updates before Chef 13 goes end of life at the end of April.


  • The mount provider now properly adds blank lines between fstab entries on AIX
  • Ohai now reports itself as Ohai well communicating with GCE metadata endpoints
  • Property deprecations in custom resources no longer result in an error. Thanks for reporting this martinisoft
  • mixlib-archive has been updated to prevent corruption of archives on Windows systems

Updated Components

  • libxml2 2.9.7 -> 2.9.9
  • ca-certs updated to 2019-01-22 for new roots
  • nokogiri 1.8.5 -> 1.10.1

Security Updates


OpenSSL has been updated to 1.0.2r in order to resolve CVE-2019-1559 and CVE-2018-5407


RubyGems has been updated to 2.7.9 in order to resolve the following CVEs:

  • CVE-2019-8320: Delete directory using symlink when decompressing tar
  • CVE-2019-8321: Escape sequence injection vulnerability in verbose
  • CVE-2019-8322: Escape sequence injection vulnerability in gem owner
  • CVE-2019-8323: Escape sequence injection vulnerability in API response handling
  • CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
  • CVE-2019-8325: Escape sequence injection vulnerability in errors

Get the Build

As always, you can download binaries directly from or by using the mixlib-install command line utility:

$ mixlib-install download chef -v 13.12.14

Alternatively, you can install Chef using one of the following command options:

# In Shell
$ curl | sudo bash -s -- -P chef -v 13.12.14

# In Windows Powershell
. { iwr -useb } | iex; install -project chef -version 13.12.14

If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:

  product_name: chef
  product_version: 13.12.14