----
Chef Server 12.0.6 Released
// Chef Blog
Today we're pleased to announce that Chef Server 12.0.6 has been released. This update contains the latest OpenSSL 1.0.1m along with further bug fixes and API improvements.
OpenSSL 1.0.1m
While the Chef Server and other Chef products that ship with OpenSSL are not vulnerable to CVE-2015-0291 (see our earlier blog post by Charles Johnson), we've included the latest version of the 1.0.1-series in today's release. This update to OpenSSL includes the following security fixes:
- CVE-2015-0286: Segmentation fault in ASN1_TYPE_cmp
- CVE-2015-0287: ASN.1 structure reuse memory corruption
- CVE-2015-0289: PKCS7 NULL pointer dereferences
- CVE-2015-0293: DoS via reachable assert in SSLv2 servers
- CVE-2015-0209: Use After Free following d2i_ECPrivatekey error
- CVE-2015-0288: X509_to_X509_REQ NULL pointer deref
Bug Fixes
The following bugs have been fixed since Chef Server 12.0.5:
- chef-server#119: LDAP users with special characters in their external_authentication_uid cannot log in
- chef-server#97: org-user-add -a flag does not give billing-admin rights
- chef-server#17: When you create a user via chef-server-ctl add-user with --filename pointed at invalid path, the user is created, but the key is not put on the filesystem
- opscode-omnibus#648: JMX security issues
Key Rotation and Policyfiles
As with the last release, the Key Rotation and Policyfile features are still under heavy development and are being delivered incrementally. We'll be providing more details on those features separately once certain milestones are hit, but you can follow along with the Chef Server CHANGELOG to see what's been added since the last release.
----