Today we’ve released two new versions of Chef Client; 11.10.2 and 10.30.4. These releases include the fix for the recently reported security vulnerability in libyaml that is explained here. We strongly recommend to upgrade to the new releases especially if you are using YAML files to create or update Chef objects or if you are parsing YAML files in your recipes.
In addition to the security fix, 11.10.2 includes fixes for the recently reported issues of CHEF-5011 and CHEF-5018. Similarly the fix for CHEF-4363 is back ported to 10.30.4.
One other bug we’ve considered for 11.10.2 release was CHEF-5016 which impacted fresh bootstrapping of nodes for some users who were using
-o / --override-run-list feature. Discussing with Christopher and Eric who have reported this issue, we’ve decided to fix this issue the right way in the next minor release for Chef Client. Thanks to Christopher and Eric for bringing this issue to our attention and working with us on this.
Here is a detailed background and the next steps about this issue:
In Chef 11.10.0, we included a patch to address CHEF-3506/CHEF-3964. The issue reported in CHEF-3506 is that when using the
-o / --override-run-list feature,
chef-client still saves the node object at the conclusion of a successful run. This behavior was surprising to many users, and after a discussion on the mailing list, we decided that Chef shouldn’t save the node at the end of an override run.
There were unfortunately a few issues with the way we handled this patch. One, we implemented it as a “fix” for a regression we caught during the RC phase of the release cycle, so the community didn’t get a good opportunity to test it. Two, we didn’t update the list of tickets included in the release when we published the release announcement, so this ticket was not listed in the release notes.
But most importantly, we were not aware of an edge case in the override run list feature, where overriding the run list on a node with an empty run list would cause that run list to be saved to the node permanently. A handful of users had discovered that behavior and were using it to set the run list on freshly bootstrapped nodes, and this patch broke their automation.
Here’s what we’re doing about the situation:
- We’ve already improved our documentation around unattended bootstraps.
- We’re going to add a
-r RUN_LISTflag to
chef-clientto allow users to bootstrap nodes without creating a JSON file. This fix will be included in the next feature release of Chef client.
- We’re going to do manual verification of complex changes earlier in the release process so there will be fewer changes during RC cycles.
- We’re going to improve our release process to make sure that all the changes in the release are reflected in the release notes.
We’d like to apologize to everyone affected by this and thank to Christopher and Eric who brought this issue into our attention. Our goal is that all breaking changes are always documented and always released in major version upgrades and we’re sorry we didn’t meet that standard this time.
As usual we’re available any time for your issues, questions or comments.