Plan for CHEF-5358 Upgrade OpenSSL to 1.0.1h


#1

Hello,

Is there a plan to fix CHEF-5358 Upgrade OpenSSL to 1.0.1h
https://tickets.opscode.com/browse/CHEF-5358 to fix the newly announced SSL/TLS
MITM vulnerability https://www.openssl.org/news/secadv_20140605.txt and
deliver a new chef-server release? Do we have an ETA for it? Our project
uses open source chef server and needs to use the chef-server with the new
openssl 1.0.1h.

Thanks in advance.

Jesse Hu


#2

Yes, a status message was posted earlier today on twitter/tumblr. Releases are in-progress but AFAIK no ETA is available. Disclaimer: I don’t work for Opscode.

–Noah

On Jun 5, 2014, at 11:41 PM, Hui Hu huhui14@gmail.com wrote:

Hello,

is there a plan for fix CHEF-5358 Upgrade OpenSSL to 1.0.1h to fix the newly announced SSL/TLS MITM vulnerability and deliver a new chef-server release? Do we have an ETA for it ? Our project uses open source chef server and need to use the chef-server with the new openssl 1.0.1h.

Thanks in advance.
Jesse Hu


#3

Hi Stephen, Noah,

Thanks a lot. So chef-11.12.4-1.el6.x86_64.rpm
https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.12.4-1.el6.x86_64.rpm
and chef-server-11.1.1-1.el5.x86_64.rpm
https://opscode-omnibus-packages.s3.amazonaws.com/el/5/x86_64/chef-server-11.1.1-1.el5.x86_64.rpm
contain the latest openssl 1.0.1h?

Thanks
Jesse Hu, Project Serengeti http://www.projectserengeti.org/

2014-06-06 14:49 GMT+08:00 Noah Kantrowitz noah@coderanger.net:

Yes, a status message was posted earlier today on twitter/tumblr. Releases
are in-progress but AFAIK no ETA is available. Disclaimer: I don’t work for
Opscode.

–Noah



#4

As far as I know, only the open source server build has made it to the
download site. The client should be coming in the morning pending some
further testing.

On Friday, June 6, 2014, Hui Hu huhui14@gmail.com wrote:

Hi Stephen, Noah,

Thanks a lot. So chef-11.12.4-1.el6.x86_64.rpm
https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.12.4-1.el6.x86_64.rpm
and chef-server-11.1.1-1.el5.x86_64.rpm
https://opscode-omnibus-packages.s3.amazonaws.com/el/5/x86_64/chef-server-11.1.1-1.el5.x86_64.rpm
contains the latest openssl 1.0.1h ?

Thanks
Jesse Hu, Project Serengeti http://www.projectserengeti.org/



Stephen Delano
Software Development Engineer
Opscode, Inc.
1008 Western Avenue
Suite 601
Seattle, WA 98104


#5

The version of the client released to address this CVE will be 11.12.8

On Friday, June 6, 2014, Stephen Delano stephen@opscode.com wrote:

As far as I know, only the open source server build has made it to the
download site. The client should be coming in the morning pending some
further testing.



Stephen Delano
Software Development Engineer
Opscode, Inc.
1008 Western Avenue
Suite 601
Seattle, WA 98104




#6

Thanks a lot Stephen. Will wait for the chef-client 11.12.8.

Jesse Hu

2014-06-06 15:37 GMT+08:00 Stephen Delano stephen@opscode.com:

The version of the client released to address this CVE will be 11.12.8



#7

Hi Hui,

Just published 11.12.8 to omnitruck and rubygems now.

We will communicate more widely with a blog post once we publish 10.32.2-2
later today.

Thanks,
– Serdar

On Fri, Jun 6, 2014 at 12:47 AM, Hui Hu huhui14@gmail.com wrote:

Thanks a lot Stephen. Will wait for the chef-client 11.12.8.

Jesse Hu



#8

Thanks Serdar. I have downloaded from
https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.12.8-1.el6.x86_64.rpm

Thanks
Jesse Hu, Project Serengeti http://www.projectserengeti.org/

2014-06-07 7:54 GMT+08:00 Serdar Sutay serdar@getchef.com:

Hi Hui,

Just published 11.12.8 to omnitruck and rubygems now.

We will communicate more widely with a blog post once we publish 10.32.2-2
later today.

Thanks,
– Serdar
