Chef Server Security Updates

This morning we released Enterprise Chef Server 11.0.2 and Chef Server 11.0.10. We recommend all users upgrade to these new versions to pick up the following security fixes:

  • Nginx [CVE-2013-4547] – security restriction bypass flaw due to whitespace parsing
  • Solr [CHEF-4792] – Insecure JMX settings disabled; they could have led to potential remote code execution
  • Rails [CVE-2013-4389] – Possible DoS Vulnerability in Action Mailer
  • Ruby 1.9.2 [CVE-2013-4164] – Heap Overflow in Floating Point Parsing

A special thanks goes to James Ogden of Technophobia for alerting us to the JMX vulnerability.

Kevin Smith