Security Release: Chef Server 12.0.8 and Enterprise Chef 11.3.1

Ohai Chefs!

Chef Server 12.0.8 and Enterprise Chef 11.3.1 are available for immediate download. This release addresses the following vulnerabilities:

• CVE-2013-2028
• CVE-2013-4547
• CVE-2014-0088
• CVE-2014-0133
• CVE-2014-3556
• CVE-2014-3616

This corresponds to chef-server issue 142, “Update Embedded Openresty NGINX”.

Additional Changes

Chef Server 12.0.8 has been further updated as follows:

• The Chef Server 12.0.8 release is the first to enable Server API Versioning and sets the baseline API version at 0, while enabling versioned API behaviors for future releases. This is an internal update that has no outward effect on client or server beyond exposing a new endpoint as described in the RFC.
• opscode-omnibus issue 744 – chef-server-ctl password command has been fixed

There have been no additional changes to Enterprise Chef 11.3.1.

Release

To apply this security update, upgrade your existing Chef Server installation to the latest available version:

• Chef Server 12.0.8 – Upgrade Docs
• Enterprise Chef Server 11.3.1 – Upgrade Docs