ChefDK 1.2.22 (hotfix) Released

Ohai Chefs!

In response to a security incident with mixlib-archive, a component used by ChefDK, we have released ChefDK 1.2.22.

Release Highlights

This is a hotfix release to address a security vulnerability exposed through mixlib-archive, which allowed a specially crafted, malicious tarball to overwrite local files during a berkshelf or chef install.
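
A defensive check for the class of problem described above, as an added example that is not ChefDK or mixlib-archive code: it lists the entries of a tarball whose names would resolve outside the extraction directory, so the archive can be rejected before anything is written. The helper names, the sample archive and the /srv/extract path are constructed for illustration; POSIX-style paths are assumed and symlink entries are not covered.

```ruby
require "rubygems/package"
require "stringio"

# Build a small tar archive in memory from {name => content}.
# Only used here to produce constructed sample input.
def build_tar(files)
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    files.each do |name, data|
      tar.add_file_simple(name, 0o644, data.bytesize) { |f| f.write(data) }
    end
  end
  io.string
end

# Return the entry names that must not be extracted into dest_dir:
# absolute names, and names that leave dest_dir once ".." is resolved.
def unsafe_entries(tar_bytes, dest_dir)
  dest = File.expand_path(dest_dir)
  bad = []
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      name = entry.full_name
      target = File.expand_path(File.join(dest, name))
      # Compare against dest plus a separator so "/srv/extract-x" is not
      # mistaken for a path inside "/srv/extract".
      inside = target == dest || target.start_with?(dest + File::SEPARATOR)
      bad << name if name.start_with?("/") || !inside
    end
  end
  bad
end

# Constructed sample archive: one ordinary cookbook file and three bad names.
SAMPLE_TAR = build_tar(
  "cookbooks/demo/metadata.rb" => "name 'demo'\n",
  "../outside.txt" => "x",
  "/tmp/abs.txt" => "y",
  "cookbooks/demo/../../../escape.txt" => "z"
)

if __FILE__ == $0
  unsafe_entries(SAMPLE_TAR, "/srv/extract").each { |n| puts "refusing entry: #{n}" }
end
```
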

Notable Updated Gems

  • berkshelf 5.2.0 -> 5.6.0
  • cookbook-omnifetch 0.5.0 -> 0.5.1
  • foodcritic 8.2.0 -> 9.0.0
  • inspec 1.10.0 -> 1.11.0
  • knife-windows 1.8.0 -> 1.9.0
  • mixlib-archive 0.3.0 -> 0.4.1
  • mixlib-install 2.1.10 -> 2.1.11

Please see the CHANGELOG for the complete list of changes.

Get the Build

As always, you can download binaries directly from downloads.chef.io or by using the new mixlib-install command line utility available in ChefDK 0.19.6 or greater.

$ mixlib-install download chefdk -v 1.2.22

Alternatively, you can install ChefDK using one of the following command options:

# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chefdk -v 1.2.22

# In Windows PowerShell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project chefdk -version 1.2.22

If you want to give this version a spin in Test Kitchen, create or add the following to a .kitchen.local.yml file:

provisioner:
  product_name: chefdk
  product_version: 1.2.22