Available for immediate download are Chef Server 12.0.1 and Enterprise Chef Server 11.2.6.
This release addresses CVE-2014-8144, a CSRF vulnerability found in doorkeeper, a gem used by the oc-id service that ships with the Chef Server. This release updates oc-id to the latest version, 0.4.4, which contains the patched doorkeeper gem.
Open Source Chef Server 11 is not affected by this vulnerability, as it does not include the oc-id service.
These releases do contain some minor code updates that do not affect user functionality. If you are curious, the full changelog for Chef Server 12.0.1 can be found here and the full changelog for Enterprise Chef Server 11.2.6 can be found here.
Releases
The fix can be applied by upgrading your existing Chef Server to the latest version.
Chef Server 12.0.1 – Upgrade Docs
Enterprise Chef Server 11.2.6 – Upgrade Docs
Should you have any issues or concerns, please reach out to Chef Support, file an issue against the chef-server repo, or seek out help in the #chef IRC room.