Chef Client Windows Patches for OpenSSL CVE-2014-0224 Vulnerability

Ohai Chefs,

We have just released Chef Client versions 11.12.8-2 and 10.32.2-3, which include the mitigation for the recently reported OpenSSL vulnerability CVE-2014-0224.

Note that after installing these builds, if you check the OpenSSL version using `OpenSSL::OPENSSL_VERSION` you will still see `OpenSSL 1.0.0k 5 Feb 2013`. This is because we use pre-compiled binaries for the Windows packages, and the OpenSSL version reported there is set at compile time.

You can verify that you have the right version of OpenSSL on your Windows nodes by checking the properties of the `libeay32.dll` and `ssleay32.dll` files under the `C:\opscode\chef\embedded\bin` directory. You should see `1.0.0m` as the `Product Version` in the `Details` tab. See the screenshot below as an example:

[Screenshot: Screen Shot 2014-06-10 at 12.39.18 PM]
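The same check can be scripted instead of opening the file properties by hand. The following PowerShell is an added example, not part of the original post or of Chef's tooling; the directory, DLL names and expected version string come from the post, while the function name, parameter names and status labels are hypothetical.

```powershell
# Added example (not Chef's own code). Path, DLL names and '1.0.0m' are taken
# from the post; Test-ChefOpenSslDll and its parameters are hypothetical names.
function Test-ChefOpenSslDll {
    [CmdletBinding()]
    param(
        [string]   $BinDir   = 'C:\opscode\chef\embedded\bin',
        [string[]] $Dlls     = @('libeay32.dll', 'ssleay32.dll'),
        [string]   $Expected = '1.0.0m'
    )

    foreach ($name in $Dlls) {
        $path = Join-Path -Path $BinDir -ChildPath $name

        # A missing DLL is reported rather than silently skipped.
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{ Path = $path; ProductVersion = $null; Status = 'Missing' }
            continue
        }

        # VersionInfo.ProductVersion is the value Explorer shows as
        # "Product version" on the Details tab.
        $version = "$((Get-Item -LiteralPath $path).VersionInfo.ProductVersion)".Trim()

        if ($version -eq $Expected) { $status = 'Patched' } else { $status = 'Unexpected' }

        [pscustomobject]@{ Path = $path; ProductVersion = $version; Status = $status }
    }
}

$results = @(Test-ChefOpenSslDll)
$results | Format-Table -AutoSize

# When saved and run as a script, a non-zero exit code lets a scheduled task
# or remote runner flag nodes that still need the updated package.
if ($results | Where-Object { $_.Status -ne 'Patched' }) { exit 1 }
```

Because `OpenSSL::OPENSSL_VERSION` still reports the old compile-time string on these builds, the DLL version resource is the value to check on Windows nodes.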

As usual, you can get these releases for non-Windows platforms using the commands below:

curl -L | sudo bash -s -- -v 10.32.2
curl -L | sudo bash -s -- -v 11.12.8

For Windows releases you can use these links:



Serdar Sutay