
Security Release: Chef Server 12.0.1 and Enterprise Chef Server 11.2.6

Mark Mzyk | release | Releases

Available for immediate download are Chef Server 12.0.1 and Enterprise Chef Server 11.2.6.

This release addresses CVE-2014-8144, a CSRF vulnerability found in doorkeeper, a gem used by the oc-id service that ships with the Chef Server. This release updates oc-id to the latest version, 0.4.4, which contains the patched doorkeeper gem.

Open Source Chef Server 11 is not affected by this vulnerability, as it does not include the oc-id service.

These releases also contain some minor code updates that do not affect user-facing functionality. If you are curious, the full changelog for Chef Server 12.0.1 can be found here and the full changelog for Enterprise Chef Server 11.2.6 can be found here.

Releases

The fix can be applied by upgrading your existing Chef Server to the latest version.

Chef Server 12.0.1: Upgrade Docs

Enterprise Chef Server 11.2.6: Upgrade Docs
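The advisory gives three facts a defender needs to triage an installation: Chef Server 12 is fixed at 12.0.1, Enterprise Chef Server 11 is fixed at 11.2.6, and Open Source Chef Server 11 is never affected because it does not ship oc-id. The following is an added example, not code from Chef or from this post, that turns those thresholds into a version check over an inventory. The product labels (`chef-server`, `enterprise-chef`, `open-source-chef`) and the one-line `product version` inventory format are assumptions made for the example; the sample inventory is constructed, not taken from a real server.

```python
"""Triage Chef Server installations against the CVE-2014-8144 fix versions.

The version thresholds come from the advisory. The product labels and the
'product version' inventory line format are assumptions for this example.
"""

# Fixed versions stated in the advisory, keyed by (assumed) product label.
FIXED_VERSIONS = {
    "chef-server": (12, 0, 1),       # Chef Server 12.0.1
    "enterprise-chef": (11, 2, 6),   # Enterprise Chef Server 11.2.6
}

# Product lines that do not include the oc-id service and so are not affected
# at any version (assumed label for Open Source Chef Server 11).
NOT_AFFECTED = {"open-source-chef"}


def parse_version(text):
    """Turn '12.0.1' into (12, 0, 1).

    A build or pre-release suffix such as '12.0.1+20141210' or '12.0.1-rc.1'
    is dropped so only the numeric core is compared.
    """
    core = text.strip().split("+", 1)[0].split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            raise ValueError(f"bad version component {piece!r} in {text!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_affected(product, version):
    """True when this product line at this version predates the fix."""
    if product in NOT_AFFECTED:
        return False
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product line {product!r}")
    # Tuple comparison is lexicographic, so (12, 0) < (12, 0, 1) and
    # (12, 0, 1, 5) >= (12, 0, 1), which is what we want for dotted versions.
    return parse_version(version) < FIXED_VERSIONS[product]


def classify_inventory(lines):
    """Map each 'product version' line to 'upgrade' or 'ok'.

    Blank lines and '#' comments are ignored; malformed lines raise so that a
    bad inventory cannot silently pass as clean.
    """
    verdicts = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"expected 'product version', got {line!r}")
        product, version = fields
        verdicts[product] = "upgrade" if is_affected(product, version) else "ok"
    return verdicts


# Constructed sample inventory; these hosts and versions are made up.
SAMPLE_INVENTORY = """\
# constructed sample, not a real Chef Server manifest
chef-server 12.0.0
enterprise-chef 11.2.5
open-source-chef 11.1.7
"""

if __name__ == "__main__":
    for product, verdict in classify_inventory(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{product}: {verdict}")
```

Feed the script one line per server and act on every `upgrade` verdict; the only remediation the advisory offers is moving to 12.0.1 or 11.2.6, so there is no configuration-level workaround to encode here.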

Should you have any issues or concerns, please reach out to Chef Support, file an issue against the chef-server repo, or seek out help in the #chef IRC channel.
