This release includes a few important security fixes.
The default solr configuration ships with some update and debugging features enabled that provide a remote attack surface. The configuration in this release disables those features.
Omnibus packaging makes this easy:
[bash]
sudo chef-server-ctl reconfigure
[/bash]
If you have an existing Chef 10 Server installation, you’ll need to use the chef-solr-installer tool after installation to replace the configuration and then rebuild the search indexes.
[bash]
sudo gem install chef-solr --no-rdoc --no-ri
sudo chef-solr-installer -c /etc/chef/solr.rb -u chef
sudo /etc/init.d/chef-solr restart
knife index rebuild
[/bash]
If you’re on an older Chef Server 10 release and can’t upgrade, edit /var/lib/chef/solr/home/conf/solrconfig.xml with the changes detailed in CHEF-3984 and restart chef-solr. Do not run chef-solr-installer, as that will overwrite this file.
Multiple Rails-related security fixes that were recently released in the Chef 10 WebUI are also included in this release’s WebUI. They are detailed in the release notes below.
Mike Javorski improved search on Chef 11 so that attributes containing forward slashes can be searched for.
Special thanks to Michael Della Bitta for responsibly disclosing the security issue related to the solr configuration. You’re the Chef Server 11.0.6 MVP for having our back.
Security concerns can always be raised with us directly by mailing security@opscode.com.
Because we’re already rebuilding the search indexes, we included an increase to the maxFieldLength setting in the solr configuration, which solves CHEF-2346 for most people.
A tip of the hat to famous Chef MVP Matthew Kent for his patch to the solr configuration to increase maxFieldLength.
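An added post-upgrade check, not part of the Chef release or its tooling: after chef-solr-installer or chef-server-ctl reconfigure has run, it reads the maxFieldLength value out of the solrconfig.xml path named above and compares it with a floor you pass in. The post does not state the new number, so the expected value is an argument rather than a constant, and the sample solrconfig.xml below is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not Chef's own code. Confirms that the updated solr
# configuration actually landed by checking its maxFieldLength value.

# Path from the post; override with CHEF_SOLRCONFIG if yours differs.
SOLRCONFIG="${CHEF_SOLRCONFIG:-/var/lib/chef/solr/home/conf/solrconfig.xml}"

# Print the integer inside the first <maxFieldLength> element, or nothing.
solr_max_field_length() {
    sed -n 's/.*<maxFieldLength>[[:space:]]*\([0-9][0-9]*\)[[:space:]]*<\/maxFieldLength>.*/\1/p' "$1" | head -n 1
}

# Return 0 if the file's maxFieldLength is >= the floor given as $2, else 1.
# The floor is whatever value you expect the new config to carry.
check_max_field_length() {
    value=$(solr_max_field_length "$1")
    [ -n "$value" ] || { echo "no maxFieldLength in $1" >&2; return 1; }
    [ "$value" -ge "$2" ] || { echo "maxFieldLength=$value below $2" >&2; return 1; }
    echo "maxFieldLength=$value ok"
}

# Constructed sample resembling the relevant part of a solrconfig.xml.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
<config>
  <indexDefaults>
    <maxFieldLength>10000</maxFieldLength>
  </indexDefaults>
</config>
EOF

# Against the sample, a floor of 10000 passes and 20000 is reported as too low.
check_max_field_length "$SAMPLE_CONFIG" 10000
check_max_field_length "$SAMPLE_CONFIG" 20000 || echo "(expected failure on the sample)"

# On a real server, run it against the live file instead:
#   check_max_field_length "$SOLRCONFIG" <expected-value>
```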
We’d also like to give the Chef 10.24.0 MVP to Anthony Goddard. Anthony has been a Chef contributor and advocate for years, leading many others to Chef along the way. He most recently wrote knife-ghost, a tool for populating your /etc/hosts file from a knife search. Thanks Ant!