We have just released version 10.16.6 of Chef.
The only change in this release is an updated dependency on the extlib library. This fixes a potentially serious security vulnerability similar to the one recently found and fixed in Rails.
Note that chef-server and chef-server-webui are the only components affected. Chef client itself does not use this library.
If you are running your own open source chef-server, you should upgrade immediately. To upgrade:
If installed via gems (including chef-solo bootstrap):
gem install chef-server chef-expander chef-solr
gem install extlib
Then restart chef-server and chef-server-webui.
If installed via apt:
First ensure you have the opscode apt repo enabled, then upgrade as normal:
sudo apt-get update
sudo apt-get upgrade
Note that we’ve not yet released 10.16.6 packages for chef and chef-server, but we have released an updated version of the extlib library. Updating extlib will fix the security vulnerability.
The release announcement is on our blog:
If you have any questions or need help upgrading, please ask here or on IRC.