Security Release: Chef Server and Analytics (POODLE and OpenSSL Vulnerabilites) [feedly]

----
Security Release: Chef Server and Analytics (POODLE and OpenSSL Vulnerabilites)
// Chef Blog

Today we are announcing security releases of all supported versions of Chef Server, Enterprise Chef, and Chef Analytics.

These releases address two separate issues:

• POODLE SSLv3 attack, which allows allow a remote attacker to extract plaintext of targeted data within an SSL connection
• CVE-2014-3513 and CVE-2014-3567, which expose a potential DoS attack vector.

Chef Server, Enterprise Chef, and Chef Analytics have been updated to disable SSLv3 by default, and they include the latest OpenSSL library security update. While it remains possible to configure your Chef Server installation to support SSLv3, this is considered deprecated within the Chef family of products. SSLv3 support will be completely removed in future releases.

If you are unable to perform this upgrade immediately, we strongly recommend that you apply the remediation posted in our earlier post.

Releases

Chef Server / Enterprise Chef

If you have set nginx['enable_non_ssl'] = true as outlined in the mitigation steps for Enterprise Chef 11.2, please remove that option from private-chef.rb after applying this update. You may also remove the setting for nginx['ssl_protocols'] if you added it for purposes of remediation.

• Chef Server 12.0.0-rc.5 – Upgrade Docs
• Chef Server 11.1.6 – Upgrade Docs
• Enterprise Chef 11.2.3 – Upgrade Docs
• Enterprise Chef 1.4.15 – Upgrade Docs

Premium Features

If you have Premium Feature packages installed you must perform a reconfigure of each after updating Chef Server/Enterprise Chef. Details can be found in the install procedures documented here.

Of the supported Chef Premium Features, only Analytics requires a package update:

• Analytics 1.0.4

----

Shared via my feedly reader

Sent from my iPad