Security Release 10.16.6


Hi Chefs,

We have just released version 10.16.6 of Chef.

The only change in this release is an updated dependency on the extlib library. This fixes a potentially serious security vulnerability similar to the one recently found and fixed in Rails.

Note that chef-server and chef-server-webui are the only components affected. Chef client itself does not use this library.

If you are running your own open source chef-server, you should upgrade immediately. To upgrade:

If installed via gems (including chef-solo bootstrap):

gem install chef-server chef-expander chef-solr


gem install extlib

Then restart chef-server and chef-server-webui.

If installed via apt:

First ensure you have the opscode apt repo enabled, then upgrade as normal:

sudo apt-get update
sudo apt-get upgrade

Note that we’ve not yet released 10.16.6 packages for chef and chef-server, but we have released an updated version of the extlib library. Updating extlib will fix the security vulnerability.

The release announcement is on our blog:

If you have any questions or need help upgrading, please ask here or on IRC.

Daniel DeLeo