Saturday, June 7, 2014

Chef Security Releases: 11.12.8 & 10.32.2-2
// Chef Blog

Ohai Chefs,

Today we are releasing Chef Client 11.12.8 & 10.32.2-2 which include an updated version of OpenSSL that patches CVE-2014-0224. All installs of Chef Client should be upgraded immediately. This bug permits an attacker to execute an undetectable MITM attack on an otherwise secure connection. As a result, the attacker could read or alter any traffic between the client and the server. This would include secret data such as usernames, passwords, node data, data bags, etc. The severity of this exploit cannot be overstated. Please follow the upgrade instructions below carefully to ensure that your Chef Client install is fully patched.

These releases do not contain the required security patches for Windows. OpenSSL binaries with the required fix were released after we had prepared our releases. We wanted to get the security patches out as soon as possible for the platforms where we have the fix. We are currently working on the Windows builds with the same patch, and we will release the updated packages as soon as they are ready.

Upgrade Instructions

As usual you can get these releases with our install script:

curl -L <install script URL> | sudo bash -s -- -v 10.32.2
curl -L <install script URL> | sudo bash -s -- -v 11.12.8
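To confirm that an upgraded client really carries the fix, one check is the OpenSSL version its Ruby is linked against. The following is an added example, not part of the original post or Chef's own code; the function names are hypothetical, and it assumes an unmodified upstream version string and the upstream releases that fixed CVE-2014-0224 (0.9.8za, 1.0.0m, 1.0.1h).

```ruby
# Added example (not Chef's code): classify an OpenSSL version string
# against the upstream releases that fixed CVE-2014-0224.
require "openssl"

# First fixed letter release per maintained branch (assumption: upstream
# OpenSSL builds; distribution packages may backport without a new letter).
FIXED_IN = { [0, 9, 8] => "za", [1, 0, 0] => "m", [1, 0, 1] => "h" }.freeze

# Letter suffixes order as "" < "a" < ... < "z" < "za" < "zb", so compare
# by length first and then alphabetically.
def suffix_key(suffix)
  [suffix.length, suffix]
end

# Returns :patched, :vulnerable or :unknown for strings such as
# "OpenSSL 1.0.1g 7 Apr 2014".
def ccs_status(version_string)
  m = /\AOpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-\w+)?/.match(version_string)
  return :unknown unless m   # LibreSSL, truncated output, ...
  return :unknown if m[5]    # -beta, -dev, -fips tags: check by hand
  branch = m[1..3].map(&:to_i)
  floor = FIXED_IN[branch]
  if floor
    (suffix_key(m[4]) <=> suffix_key(floor)) >= 0 ? :patched : :vulnerable
  elsif (branch <=> [1, 0, 1]) > 0
    :patched                 # branches first released after the fix
  else
    :vulnerable              # older branches got no upstream fix
  end
end

if __FILE__ == $PROGRAM_NAME
  # Run with the Ruby that chef-client itself uses, so the answer reflects
  # the OpenSSL bundled with the client rather than the system copy.
  v = OpenSSL::OPENSSL_VERSION
  puts "#{v}: #{ccs_status(v)}"
end
```

A result of :unknown means the version string needs manual review rather than that the build is safe.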

Extra Precautions

As an extra precaution, you may want to change any secrets (such as usernames, passwords, encrypted data bags) that may have been sent between the client and the server. If an attacker were executing this attack, he/she would be able to see this data in "plain-text". Please reach out to us if you are having any trouble with these releases.

