
Chef Client 11.4.0 + 10.22.0 Released!

We have a release today for both the 11.x and 10.x Chef Client tracks. This release is compatible with the changes in the recent 1.7.7 release of the JSON gem that worked around a DoS vulnerability by disabling the create_additions option by default. Chef used this feature, so we had to make a few changes to make progress toward removing its use, which we’ve been planning for a while (CHEF-1330).

One consequence of this is that you will no longer get a Chef object returned from JSON.parse.

```
# Before JSON 1.7.7
chef > JSON.parse('{"json_class": "Chef::Node", "name": "bob", "run_list": []}').class
 => Chef::Node

# JSON 1.7.7+
chef > JSON.parse('{"json_class": "Chef::Node", "name": "bob", "run_list": []}').class
 => Hash
```

If you were leveraging JSON.parse in your own code, we have a compatibility layer in Chef::JSONCompat. You can also still enable create_additions in JSON 1.7.7, but it is no longer the default, and whatever JSON you parse that way would be vulnerable to the DoS attack: JSON.parse(json_string, :create_additions => true)
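One way to get typed objects back in your own code while leaving create_additions disabled, shown as an added example that is not Chef's or Chef::JSONCompat's own code: parse to plain data, then construct objects only for an allowlisted json_class. Node, ALLOWED_CLASSES, load_typed and inflate are hypothetical names, and the JSON strings are constructed samples.

```ruby
require 'json'

# Hypothetical stand-in for a domain class such as Chef::Node (not Chef's code).
Node = Struct.new(:name, :run_list) do
  def self.from_hash(h)
    new(h.fetch('name'), Array(h['run_list']))
  end
end

# Only these json_class values may be turned into objects; anything else
# stays a plain Hash. The mapping is an assumption made for this example.
ALLOWED_CLASSES = {
  'Chef::Node' => Node.method(:from_hash)
}.freeze

# Parse with create_additions off, then build objects explicitly from the
# allowlist, so the input never chooses which class gets instantiated.
def load_typed(json_string)
  data = JSON.parse(json_string, :create_additions => false)
  inflate(data)
end

# Walk the parsed structure and inflate allowlisted hashes at any depth.
def inflate(value)
  case value
  when Array
    value.map { |v| inflate(v) }
  when Hash
    builder = ALLOWED_CLASSES[value['json_class']]
    return builder.call(value) if builder
    value.each_with_object({}) { |(k, v), out| out[k] = inflate(v) }
  else
    value
  end
end

# Constructed sample inputs.
NODE_JSON    = '{"json_class": "Chef::Node", "name": "bob", "run_list": []}'
UNKNOWN_JSON = '{"json_class": "Kernel", "name": "x"}'
```

A json_class that is not in the allowlist, such as the one in UNKNOWN_JSON, comes back as an ordinary Hash instead of triggering any class lookup.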

### MVPs
Vaidas Jablonskis recently whipped up Fedora packages for the Chef 11 Client. He’s our Chef 11.4.0 MVP!

Brian Bianco filed the first bug for the JSON issue and provided a patch that we took a bit further. Thanks Brian, you’re the Chef 10.22.0 MVP! Brian maintains the ‘redisio’ cookbook; if you are a Redis user, you should go check it out.

### Gem Checksums

Chef 11.4.0: 45c3b69746c93dabcb33b253a830735a16cfc6a548e1e957ca952016d49ecfea
Chef 10.22.0: 80e285cef0f8668b13e51888cf763f537042e2b30e8b6f710b1e4d7248e433bc

### Release notes
Chef Client 11.4.0 + Chef 10.22.0 both include this bug-fix:
[CHEF-3863] – chef-client Failing When Dependent on JSON 1.7.7 Gem

Chef 10.22.0 also includes this fix which was previously released in Chef Client 11.0.0:
[CHEF-3467] – Permissions Not Inherited from Parent on Child Object cookbook_file (Windows)

Bryan McLellan