Chef Server 12.0.6 Released

Today we’re pleased to announce that Chef Server 12.0.6 has been released. This update contains the latest OpenSSL 1.0.1m along with further bug fixes and API improvements.

### OpenSSL 1.0.1m

While the Chef Server and other Chef products that ship with OpenSSL are not vulnerable to CVE-2015-0291 (see our earlier blog post by Charles Johnson), we’ve included the latest version of the 1.0.1 series in today’s release. This update to OpenSSL includes the following security fixes:

* CVE-2015-0286: Segmentation fault in `ASN1_TYPE_cmp`
* CVE-2015-0287: ASN.1 structure reuse memory corruption
* CVE-2015-0289: PKCS7 NULL pointer dereferences
* CVE-2015-0293: DoS via reachable assert in SSLv2 servers
* CVE-2015-0209: Use-after-free following `d2i_ECPrivatekey` error
* CVE-2015-0288: `X509_to_X509_REQ` NULL pointer dereference

### Bug Fixes

The following bugs have been fixed since Chef Server 12.0.5:

* chef-server#119: LDAP users with special characters in their `external_authentication_uid` cannot log in
* chef-server#97: `org-user-add -a` flag does not give billing-admin rights
* chef-server#17: When you create a user via `chef-server-ctl add-user` with `--filename` pointed at an invalid path, the user is created, but the key is not put on the filesystem
* opscode-omnibus#648: JMX security issues

### Key Rotation and Policyfiles

As with the last release, the Key Rotation and Policyfile features are still under heavy development and are being delivered incrementally. We’ll be providing more details on those features separately once certain milestones are hit, but you can follow along with the Chef Server CHANGELOG to see what’s been added since the last release.

Stephen Delano