Chef plugs Ruby vulns with Server release
Always something else you can throw in the pot
Chef pushed version 12.4.0 of its Server out the door this week, and plugged a number of security vulns in the process.
The Mary Berry of config management software vendors said it had updated the version of Ruby on Rails in its oc-id authentication to fix a range of CVEs.
The same update applies to its Management Console, which also gets a security release.
It also announced v1 of Server Admins, which will allow “non-superusers to perform creation, deletion, editing, and listing on all users (except the superuser) in a Chef Server, granting great flexibility around user management.”
Server 12.4.0 also implements Chef Authentication Signing Protocol v1.3, which will free users from the tyranny of SHA1 when it comes to digital signatures. Instead it will use SHA256 as the hashing algorithm, which will make it easier to use the platform within certain US government requirements.
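To make the SHA1-to-SHA256 change concrete, here is an added example (not code from Chef or from this article) of the kind of request signing the protocol performs: a canonical request is built from the HTTP method, path, body hash and headers, signed with the client's RSA key using a chosen digest, and verified server-side with the matching public key. The header layout, the generated key and the sample request are all constructed stand-ins, not Chef's exact protocol definition; the point it shows is that a server verifying under SHA256 rejects a signature produced under SHA1, so client and server must agree on the protocol version.

```ruby
require 'openssl'
require 'base64'

# Constructed key for the example; a real client would load its own key file.
CLIENT_KEY = OpenSSL::PKey::RSA.new(2048)
CLIENT_PUB = OpenSSL::PKey::RSA.new(CLIENT_KEY.public_key.to_der)

SHA1   = OpenSSL::Digest::SHA1   # digest used by the older protocol versions
SHA256 = OpenSSL::Digest::SHA256 # digest used by protocol v1.3

# Hash of the request body, base64-encoded, so the body is covered by the signature.
def content_hash(body, digest)
  Base64.strict_encode64(digest.digest(body))
end

# Simplified canonical request (assumed layout, not Chef's exact header list).
def canonical_request(method:, path:, body:, user:, timestamp:, digest:)
  [
    "Method:#{method}",
    "Path:#{path}",
    "X-Ops-Content-Hash:#{content_hash(body, digest)}",
    "X-Ops-Timestamp:#{timestamp}",
    "X-Ops-UserId:#{user}"
  ].join("\n")
end

# Client side: RSA signature over the canonical request with the chosen digest.
def sign_request(key, canonical, digest)
  Base64.strict_encode64(key.sign(digest.new, canonical))
end

# Server side: verify the signature with the client's public key and the
# digest the server expects for the negotiated protocol version.
def verify_request(pub, canonical, signature_b64, digest)
  pub.verify(digest.new, Base64.strict_decode64(signature_b64), canonical)
rescue OpenSSL::PKey::PKeyError, ArgumentError
  false
end

# Constructed sample request.
REQUEST = {
  method: 'POST', path: '/organizations/example/nodes',
  body: '{"name":"web01"}', user: 'deploy-client',
  timestamp: '2015-12-03T00:00:00Z'
}

# Returns a hash of outcomes: v1.3-style signing verifies under SHA256,
# a SHA1 signature is rejected by a SHA256 verifier, and a tampered body fails.
def demo
  canon256 = canonical_request(**REQUEST, digest: SHA256)
  sig256 = sign_request(CLIENT_KEY, canon256, SHA256)

  canon1 = canonical_request(**REQUEST, digest: SHA1)
  sig1 = sign_request(CLIENT_KEY, canon1, SHA1)

  tampered = canonical_request(**REQUEST.merge(body: '{"name":"db01"}'), digest: SHA256)

  {
    sha256_ok: verify_request(CLIENT_PUB, canon256, sig256, SHA256),
    sha1_under_sha256: verify_request(CLIENT_PUB, canon1, sig1, SHA256),
    tampered: verify_request(CLIENT_PUB, tampered, sig256, SHA256)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Because the digest is part of the signature computation, a server that has moved to SHA256 cannot accept signatures from clients still on a SHA1-based protocol version; the verification simply fails, which is why rolling out a new signing protocol version is a coordinated client and server upgrade rather than a server-only change.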
You can get the full run-down of changes here.
In a separate posting, Chef noted OpenSSL had issued a high severity security advisory, in conjunction with fixes, covering OpenSSL 1.0.2. It said no action was needed, as no Chef products used OpenSSL 1.0.2. ®