Chef Server 12.5.0 Released

Chef Server 12.5.0 is released. It contains several security updates, as well as some new features. Chef Server is open source and can be downloaded here.

Security Updates

Several libraries were updated to fix bugs that existed in previous versions.

  • OpenSSL
    • Updated to 1.0.1s to mitigate CVE-2016-0800 (aka DROWN).
  • NodeJS
    • Updated to 0.10.35 to mitigate CVE-2013-4450.
  • Ruby On Rails
    • Updated to to mitigate CVE-2016-2097 and CVE-2016-2098.

Updates To The Keys API GET Endpoints

A new group called public_key_read_access was added to organizations. This group now controls who has read permissions on organization scoped key endpoints. Also, a new organization scoped keys endpoint was added for users within an organization. Therefore, public_key_read_access controls read permissions for:

GET /organizations/:org/clients/:client/keys
GET /organizations/:org/clients/:client/keys/:key
GET /organizations/:org/users/:user/keys 
GET /organizations/:org/users/:user/keys/:key

Membership on public_key_read_access defaults to the users and clients groups, so by default, users and clients will be able to read the public keys of other users and clients within the same organization. Organization admins can change this by modifying the membership of this group, controlling read access to the public keys of users and clients within the same organization. This results in greater flexibility when it comes to key management in a variety of scenarios and also allows for more restrictive permissions around public keys if desired.

Note that all permissions besides read permissions are unchanged, and the /users/:users/keys endpoint remains unchanged entirely.

Chef Analytics And Chef Server

For long server names, it is required to run version 1.3.1 of Chef Analytics with Chef Server 12.5.0. EC2 tends to make long server names, so if you are running in EC2, you will likely need to upgrade both products to these versions. See the updated Chef Analytics upgrade process here.