Chef Server 12.5.0 Released

Chef Server 12.5.0 is released. It contains several security updates, as well as some new features. Chef Server is open source and can be downloaded here.

Security Updates

Several bundled libraries were updated to fix security issues present in earlier versions.

  • OpenSSL
    • Updated to 1.0.1s to mitigate CVE-2016-0800 (aka DROWN).
  • NodeJS
    • Updated to 0.10.35 to mitigate CVE-2013-4450.
  • Ruby On Rails
    • Updated to 4.2.5.2 to mitigate CVE-2016-2097 and CVE-2016-2098.

Updates To The Keys API GET Endpoints

A new group called public_key_read_access was added to organizations. This group now controls who has read permission on the organization-scoped key endpoints. A new organization-scoped keys endpoint for users within an organization was also added. public_key_read_access therefore controls read permission for:

GET /organizations/:org/clients/:client/keys
GET /organizations/:org/clients/:client/keys/:key
GET /organizations/:org/users/:user/keys
GET /organizations/:org/users/:user/keys/:key

Membership of public_key_read_access defaults to the users and clients groups, so by default users and clients can read the public keys of other users and clients within the same organization. Organization admins can change this by modifying the group's membership, which determines who may read those public keys. This gives greater flexibility in key-management scenarios and allows more restrictive permissions around public keys where desired.

Note that all permissions other than read are unchanged, and the /users/:user/keys endpoint is entirely unchanged.
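To make the new access model concrete, the following Ruby script is an added example and not part of the Chef Server code base or this release. It models the read check described above: it takes the JSON a Chef Server is assumed to return for GET /organizations/:org/groups/public_key_read_access (the field names `users`, `clients`, `groups` and `actors` follow the groups API; the member names, the org membership lists and the `RESTRICTED_GROUP_JSON` variant are constructed), expands the two org-wide default groups, decides whether a given user or client could read the four key endpoints, and reports when the permissive 12.5.0 default is still in place so an admin who wants tighter key visibility can spot it.

```ruby
require 'json'

# Added example, not Chef's own code. Models the public_key_read_access
# check introduced in Chef Server 12.5.0 using the JSON shape the groups
# endpoint (GET /organizations/:org/groups/:group) is assumed to return.

# Constructed sample: the 12.5.0 default, where the org-wide "users" and
# "clients" groups are members of public_key_read_access.
DEFAULT_GROUP_JSON = <<~JSON
  {
    "name": "public_key_read_access",
    "groupname": "public_key_read_access",
    "orgname": "example-org",
    "actors": ["alice", "web-01"],
    "users": ["alice"],
    "clients": ["web-01"],
    "groups": ["users", "clients"]
  }
JSON

# Constructed sample: an admin has removed both default groups and granted
# read access to a single user only.
RESTRICTED_GROUP_JSON = <<~JSON
  {
    "name": "public_key_read_access",
    "groupname": "public_key_read_access",
    "orgname": "example-org",
    "actors": ["alice"],
    "users": ["alice"],
    "clients": [],
    "groups": []
  }
JSON

# Hypothetical org membership (constructed). In Chef Server the "users" group
# holds every user associated with the org and "clients" every client in it.
ORG_USERS   = %w[alice bob carol].freeze
ORG_CLIENTS = %w[web-01 web-02].freeze

# The endpoints whose GET permission the group controls (from the release notes).
KEY_READ_ENDPOINTS = [
  'GET /organizations/:org/clients/:client/keys',
  'GET /organizations/:org/clients/:client/keys/:key',
  'GET /organizations/:org/users/:user/keys',
  'GET /organizations/:org/users/:user/keys/:key'
].freeze

# Expand direct members plus the two org-wide default groups into the concrete
# set of actors allowed to read the key endpoints. Other nested groups (such as
# "admins") are reported but not expanded, since their membership is not in
# the sample data.
def resolve_readers(group_json, org_users: ORG_USERS, org_clients: ORG_CLIENTS)
  group   = JSON.parse(group_json)
  nested  = group.fetch('groups', [])
  users   = group.fetch('users', []).dup
  clients = group.fetch('clients', []).dup
  users   |= org_users   if nested.include?('users')
  clients |= org_clients if nested.include?('clients')
  { users: users.sort, clients: clients.sort, unexpanded_groups: nested - %w[users clients] }
end

# Would this requester be allowed a GET on the key endpoints above?
# requester_type is :users or :clients.
def can_read_public_keys?(group_json, requester_type, name,
                          org_users: ORG_USERS, org_clients: ORG_CLIENTS)
  readers = resolve_readers(group_json, org_users: org_users, org_clients: org_clients)
  readers.fetch(requester_type).include?(name)
end

# Defender-side audit: flag when the permissive 12.5.0 default is still in
# effect so an org that wants tighter key visibility can notice and act.
def audit_public_key_read_access(group_json)
  readers  = resolve_readers(group_json)
  nested   = JSON.parse(group_json).fetch('groups', [])
  findings = []
  if readers[:clients].any?
    findings << "#{readers[:clients].size} client(s) can read every org member's public keys"
  end
  findings << 'default "users" group is still a member'   if nested.include?('users')
  findings << 'default "clients" group is still a member' if nested.include?('clients')
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts "Endpoints governed: #{KEY_READ_ENDPOINTS.join(', ')}"
  { 'default' => DEFAULT_GROUP_JSON, 'restricted' => RESTRICTED_GROUP_JSON }.each do |label, json|
    puts "#{label}: readers=#{resolve_readers(json)}"
    puts "  findings: #{audit_public_key_read_access(json)}"
  end
end
```

Running the script against the default sample shows every org user and client resolving to a reader and three audit findings; against the restricted sample only alice resolves and the audit is clean. In a real deployment the JSON would come from the groups endpoint via an authenticated client such as knife, and the same audit logic can be scheduled to catch a later re-widening of the group.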

Chef Analytics And Chef Server

Chef Analytics 1.3.1 is required alongside Chef Server 12.5.0 when server names are long. EC2 tends to generate long server names, so if you run in EC2 you will likely need to upgrade both products to these versions. See the updated Chef Analytics upgrade process here.