Enterprise Chef 11.1.1 Release

The following items are new for Enterprise Chef 11.1.1 and/or are changes from previous versions.

Provisional IPV6 Support
Support for running the Enterprise Chef server in an IPV6 infrastructure and with IPV6 clients.

Lua / Redis-based API Routing
We’ve heavily reworked the routing mechanisms used by the API proxy to allow for more dynamic and fine-tuned control over routing upstreams and feature flags. This work brings the API proxy in Enterprise Chef up to feature parity with Hosted Enterprise Chef.

Bookshelf Host Name Configuration
The host for the bookshelf (cookbook file storage) service is now configurable. Previous versions of Enterprise Chef directed bookshelf traffic directly to the backend host:port of the bookshelf service. Enterprise Chef 11.1.1 defaults to the Host header set by the incoming HTTP request, ensuring that bookshelf URLs generated from requests to the API front-end will be directed back to that front-end and be correctly proxied to the back-end service. This also ensures that all external bookshelf traffic travels over HTTPS.

Updated documentation on these changes, including the new configuration settings, is available at:

Bug Fixes

[opscode-bookshelf] Disable synchronous request logging to prevent failure during heavy load
[opscode-account] Allow non-admin users to leave an organization
[opscode-account] Don’t log password changes in plaintext
[opscode-account] /organizations API can’t show billing admins group
[opscode-account] 500s appear when updating a user ACL
[enterprise-chef-cookbooks] Banned/whitelist IP checking breaks IPV6 clients

Security Fixes

The following items are the set of security fixes that have been applied since Enterprise Chef 11.0.2:

[CVE-2013-6393] – ml_parser_scan_tag_uri function in scanner.c performs incorrect cast

[CVE-2013-4353] – allows remote TLS servers to cause a denial of service

Joseph Smith