Chef server & heartbleed


#1

It looks like openssl in the latest Chef server package for Ubuntu (haven’t checked EL) is vulnerable to the Heartbleed[1] exploit. Any word on when an update will be made available?

Thanks!

Daniel

[1] http://heartbleed.com/


#2

Cutting releases today. Full announcement soon.
On Apr 8, 2014 8:14 AM, “Daniel Givens” daniel.givens@rackspace.com wrote:


#3

Any update on this? The blog has chef client updates but I’ve yet to see
anything on server.

On Tue, Apr 8, 2014 at 8:15 AM, Adam Jacob adam@opscode.com wrote:

–tucker


#4

Releases dropping soon - writing up upgrade and recovery instructions now.
On Apr 9, 2014 9:29 AM, “Tucker” junk@gmail.com wrote:


#5

At our scrum this morning, our security person said that no RHEL official
version of OpenSSL contains the vulnerability. So unless someone compiled
it from source code, it should be good.

The bad news is that the latest Fedora installations do have it.

JOHN HASTY
Software as a Service - DevOps
Software Group

Phone: 1-512-804-9968
E-mail: jahasty@us.ibm.com
2407 S Congress Ave Ste E-350
Austin, TX 78704
United States

From: Tucker junk@gmail.com
To: "chef@lists.opscode.com" chef@lists.opscode.com,
Date: 04/09/2014 11:29 AM
Subject: [chef] Re: Re: Chef server & heartbleed


#6

Just so no one is confused by this:

Updating the openssl package(s) on the system(s) running Chef server has no
bearing on this. Chef Server comes with an embedded copy of openssl and
that version is vulnerable. Anyone running an open source Chef server will
want to update once this has been released (or at least patch the embedded
openssl source files). This goes double for anyone who has a Chef public
on the interwebs.

On Wed, Apr 9, 2014 at 10:44 AM, JOHN HASTY jahasty@us.ibm.com wrote:


#7

That’s not the case. RHEL OpenSSL was certainly affected. We received errata and had to patch.

Sent from my iPhone

On Apr 9, 2014, at 10:44 AM, JOHN HASTY jahasty@us.ibm.com wrote:


#8

Let me clarify. RHEL 6 only. 6.4 or .5 and above. RHEL5 is fine

Sent from my iPhone

On Apr 9, 2014, at 1:19 PM, Michael Glenney mike.glenney@gmail.com wrote:


#9

Builds of the Open Source Chef Server are ready to download now. They
should be available via http://getchef.com/chef/install. I’ll be posting a
blog post for all the server releases in just a few minutes. Cheers!

On Wed, Apr 9, 2014 at 1:21 PM, Michael Glenney mike.glenney@gmail.com wrote:

Stephen Delano
Software Development Engineer
Opscode, Inc.
1008 Western Avenue
Suite 601
Seattle, WA 98104


#10

Perhaps I’m crazy but I’ve tested this on two servers and the package looks
bad:

yum install https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-server-11.0.12-1.el6.x86_64.rpm
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Setting up Install Process
chef-server-11.0.12-1.el6.x86_64.rpm                         | 197 MB     00:16
Examining /var/tmp/yum-root-abmR0f/chef-server-11.0.12-1.el6.x86_64.rpm: chef-server-11.0.12-1.el6.x86_64
Cannot install package chef-server-11.0.12-1.el6.x86_64. It is obsoleted by installed package chef-server-11.0.10-1.el6.x86_64
Error: Nothing to do

On Wed, Apr 9, 2014 at 1:56 PM, Stephen Delano stephen@opscode.com wrote:

–tucker


#11

Installing using rpm works but that makes yum sad.

On Wed, Apr 9, 2014 at 3:08 PM, Tucker junk@gmail.com wrote:

–tucker


#12

Two more comments and then I’m done, I swear:

  • “chef-server-ctl reconfigure” doesn’t reload the openssl libs. You have
    to do a restart. The blog post should mention that.
  • Confirmed fixed after a restart.

Thanks!

On Wed, Apr 9, 2014 at 3:13 PM, Tucker junk@gmail.com wrote:

–tucker
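
Two points in this thread are easy to get wrong on a real host: #6 notes that patching the distro's openssl package does nothing for Chef server, because the omnibus package carries its own copy, and #12 notes that "chef-server-ctl reconfigure" does not reload that copy into running processes, only a restart does. The POSIX shell script below is an added post-upgrade check written for this page; it is not part of the thread and not Chef's own tooling. It assumes the Chef server 11 omnibus layout with the embedded openssl at /opt/chef-server/embedded/bin/openssl (override with EMBEDDED_OPENSSL), and the maps sample it parses is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added post-upgrade check (not Chef's code): the distro openssl package is
# irrelevant because Chef server ships its own copy under the omnibus tree, and
# "chef-server-ctl reconfigure" does not reload that copy into already-running
# processes; only a restart does.
# ASSUMPTION: embedded openssl at /opt/chef-server/embedded/bin/openssl
# (Chef server 11 omnibus layout); override with EMBEDDED_OPENSSL if different.

EMBEDDED_OPENSSL="${EMBEDDED_OPENSSL:-/opt/chef-server/embedded/bin/openssl}"

# Show the system openssl and the embedded one side by side, so a patched
# distro package is not mistaken for a patched Chef server.
report_openssl_versions() {
    printf 'system   : %s\n' "$(openssl version 2>/dev/null || echo 'not found')"
    if [ -x "$EMBEDDED_OPENSSL" ]; then
        printf 'embedded : %s\n' "$("$EMBEDDED_OPENSSL" version)"
    else
        printf 'embedded : %s not found\n' "$EMBEDDED_OPENSSL"
    fi
}

# Read /proc/<pid>/maps text on stdin and print each libssl/libcrypto path the
# kernel marks "(deleted)": the file on disk was replaced by the upgrade, but
# the process still executes the old code from the unlinked copy in memory.
stale_ssl_maps() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' | awk '{ print $6 }' | sort -u
}

# Walk all processes and report the ones that still map a deleted SSL library.
# Returns 1 when any are found, so it can gate a post-upgrade verification.
find_processes_with_stale_ssl() {
    found=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_ssl_maps 2>/dev/null < "$maps")
        if [ -n "$libs" ]; then
            found=1
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf 'pid %s (%s) still maps:\n%s\n' "$pid" "$cmd" "$libs"
        fi
    done
    return "$found"
}

# Constructed sample of a maps file for a service that was upgraded but not
# restarted (addresses and inode numbers are made up for illustration).
SAMPLE_MAPS='7f1a00000000-7f1a00200000 r-xp 00000000 fd:01 1234 /opt/chef-server/embedded/lib/libssl.so.1.0.0 (deleted)
7f1a00200000-7f1a00400000 r-xp 00000000 fd:01 1235 /opt/chef-server/embedded/lib/libcrypto.so.1.0.0 (deleted)
7f1a00400000-7f1a00600000 r-xp 00000000 fd:01 1236 /lib64/libc.so.6
7f1a00600000-7f1a00800000 r--p 00200000 fd:01 1234 /opt/chef-server/embedded/lib/libssl.so.1.0.0 (deleted)'

# Run the parser over the constructed sample; prints the two stale libraries.
demo_stale_on_sample() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps
}

# Live check against the local host, only when invoked as: sh this.sh check
if [ "${1:-}" = "check" ]; then
    report_openssl_versions
    find_processes_with_stale_ssl
fi
```

Run it with the argument "check" as root after the package upgrade: if any PID is listed, the upgrade replaced the files but the process is still running the pre-upgrade library, which is exactly the state a reconfigure without a restart leaves behind. An empty listing after the restart confirms the new copy is what is actually loaded.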


#13

The upgrade instructions now linked in the blog post at
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ mention
that a restart is required after the upgrade. Thanks for pointing this out.

Here are the instructions if you don’t want to be clicking around:
http://docs.opscode.com/upgrade_server_open_source.html#upgrade-to-newer-versions-of-chef-server-11

Cheers,
Stephen

On Wed, Apr 9, 2014 at 3:17 PM, Tucker junk@gmail.com wrote:

Stephen Delano
Software Development Engineer
Opscode, Inc.
1008 Western Avenue
Suite 601
Seattle, WA 98104


#14

Thanks Stephen and team! I’ve upgraded and filippo.io/Heartbleed claims I’m good.

One question, your blog post states that “Chef does authentication and authorization by signing each request, so you don’t have to worry about regenerating your client credentials”. Does that mean the client.pem files that are generated for each client are safe and do not need to be regenerated?

thanks
mike


Michael Hart
Arctic Wolf Networks
M: 226-388-4773

On Apr 9, 2014, at 6:41 PM, Stephen Delano stephen@opscode.com wrote:


#15

We’ve been discussing this and reading up about more results from researchers investigating heartbleed, and we now think your client keys could be exposed via the following scenario:

  • client registers with the validation key, server generates private key and returns it.
  • attacker leaks memory from last request and pieces together the key

We will update our blog posts with this information and instructions on ways to rekey your clients tomorrow.

By the way, chef-client 11.12 includes the ability for clients to generate private keys on their own, by setting local_key_generation to true in client.rb. This will eventually be the default setting, but for now you have to opt-in. This would have prevented the need to rekey all your clients.


Daniel DeLeo

On Wednesday, April 9, 2014 at 5:01 PM, Michael Hart wrote:


#16

Yum clients work fine provided 11.0.12-1 is in a yum repo. yum install
$path_to_rpm does error, squawking about obsoletes.

On Wed, Apr 9, 2014 at 5:13 PM, Tucker junk@gmail.com wrote:

–tucker