Ohai Chefs!
In response to a security incident with mixlib-archive, a component used by ChefDK, we have released ChefDK 1.2.22.
Release Highlights
This is a hotfix release to address a security vulnerability exposed through mixlib-archive, which allowed a berkshelf or chef install to overwrite local files when given a specially crafted malicious tarball.
Notable Updated Gems
- berkshelf 5.2.0 -> 5.6.0
- cookbook-omnifetch 0.5.0 -> 0.5.1
- foodcritic 8.2.0 -> 9.0.0
- inspec 1.10.0 -> 1.11.0
- knife-windows 1.8.0 -> 1.9.0
- mixlib-archive 0.3.0 -> 0.4.1
- mixlib-install 2.1.10 -> 2.1.11
Please see the CHANGELOG for the complete list of changes.
Get the Build
As always, you can download binaries directly from downloads.chef.io or by using the new mixlib-install command line utility available in ChefDK 0.19.6 or greater.
$ mixlib-install download chefdk -v 1.2.22
Alternatively, you can install ChefDK using one of the following command options:
# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chefdk -v 1.2.22
# In Windows PowerShell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project chefdk -version 1.2.22
If you want to give this version a spin in Test Kitchen, create or add the following to a .kitchen.local.yml file:
provisioner:
  product_name: chefdk
  product_version: 1.2.22