We’ve released an update to ChefDK 1 today. This release contains only dependency updates, some of which include security fixes.
Ruby upgraded to 2.3.5 to fix a number of CVEs:
- CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
- CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
- CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
- CVE-2017-14064: Heap exposure in generating JSON
Chef Client upgraded to 12.21.26
Push Jobs Client upgraded to 2.4.5
And a few other bundled gem updates.
If you’re still running ChefDK 1, you should upgrade to this version. Also keep in mind that ChefDK 1 will be EOL in April 2018 with the release of ChefDK 3, so plan to upgrade and test soon.