This morning we released Enterprise Chef Server 11.0.2 and Chef Server 11.0.10. We recommend all users upgrade to these new versions to pick up the following security fixes:

- Nginx [CVE-2013-4547] – security restriction bypass flaw due to whitespace parsing
- Solr [CHEF-4792] – Disable insecure JMX settings leading to potential remote code execution
- Rails [CVE-2013-4389] – Possible DoS Vulnerability in Action Mailer
- Ruby 1.9.2 [CVE-2013-4164] – Heap Overflow in Floating Point Parsing

A special thanks goes to James Ogden of Technophobia for alerting us to the JMX vulnerability.