ChefDK 3.9 Released!

Hey Everyone,

We're happy to announce the release of ChefDK 3.9, including the latest version of Chef as well as updated Kitchen and Knife plugins.

Updated Components and Tools

Chef 14.12.3

ChefDK now ships with Chef 14.12.3. See for more information on what's new.

InSpec 3.9.0

ChefDK now ships with Inspec 3.9.0. See for more information on what's new.

Ruby 2.5.5

Ruby has been updated from 2.5.3 to 2.5.5, which includes a large number of bug fixes.


kitchen-hyperv has been updated to 0.5.3 which now automatically disables snapshots on the VMs and properly waits for the IP to be set.


kitchen-vagrant has been updated to 1.5.1 which adds support for using the new bento/amazonlinux-2 box when setting the platform to amazonlinux-2.


kitchen-ec2 has been updated to 2.5.0 with support for Amazon Linux 2.0 image searching using the platform 'amazon2'. This release also adds supports Windows Server 1709 and 1803 image searching.


knife-vsphere has been updated to 2.1.3, which adds support for knife's bootstrap_template flag and removes the legacy distro and template_file flags.

Push Jobs Client

Push Jobs Client has been updated to 2.5.6 which includes a significant optimizations and minor bug fixes.

Security Updates

Rubygems 2.7.9

Rubygems has been updated from 2.7.8 to 2.7.9 to resolves the following CVEs:

  • CVE-2019-8320: Delete directory using symlink when decompressing tar
  • CVE-2019-8321: Escape sequence injection vulnerability in verbose
  • CVE-2019-8322: Escape sequence injection vulnerability in gem owner
  • CVE-2019-8323: Escape sequence injection vulnerability in API response handling
  • CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
  • CVE-2019-8325: Escape sequence injection vulnerability in errors