On July 9th, 2015, the OpenSSL team released a new high severity security advisory. This advisory details an issue that affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
After reviewing the vulnerability described in this security advisory, the team at CHEF has determined that Chef products are not at immediate risk as a result of the OpenSSL vulnerability disclosed today.
Recommendation to users
Because the OpenSSL versions listed are the only versions of OpenSSL vulnerable to the exploit described in CVE-2015-1793, Chef users do not need to take immediate action in response to this disclosure, because Chef products do not include any vulnerable version of OpenSSL.
Chef Response Plan
Though there is no immediate danger, Chef will include the newly-released patches to OpenSSL in future releases on the previously planned product release schedule.
Chef users do not need to take any immediate action in response to the newly published OpenSSL high severity security advisory. Chef products are not vulnerable to CVE-2015-1793, and there is no change to the Chef product release schedule in response to this advisory. Future releases of Chef products will include the newly-released patches to OpenSSL.