[chef-dev] Security Releases - Omnibus, Chef Server, Chef Client, ChefDK, and Premium Features

[Stephen Delano < >]

Ohai Chefs,

This morning, in conjunction with GitLab [1], we're releasing a new version of the Omnibus library as well as Omnibus-built packages of all the software we ship. These releases address package ownership issues on Debian-based platforms that result in Omnibus-built packages installing with contents owned by UID and GID 999 or 1001.

Details of the Omnibus issue: https://www.getchef.com/blog/2014/09/19/security-releases-omnibus-2-0-2-and-3-2-2-insecure-file-ownership-in-omnibus-built-debian-and-ubuntu-packages/

Chef Server / Premium Feature Releases: https://www.getchef.com/blog/2014/09/19/security-releases-chef-server-and-premium-features-insecure-file-ownership/

Chef Client Product Releases: https://www.getchef.com/blog/2014/09/19/security-releases-chef-client-and-related-products-insecure-file-ownership/

If you are running Chef on Debian-based systems, it is recommended that you upgrade your packages as soon as possible, or apply the mitigation steps that are listed in the respective blog posts.

Please reach out to "> if you have any further questions or concerns.

[1] GitLab Announcement: https://about.gitlab.com/2014/09/19/gitlab-7-dot-2-2-security-release/

--
Stephen Delano
Engineering Lead - Chef Server

Chef Software, Inc.
1008 Western Avenue
Suite 601
Seattle, WA 98104