[chef-dev] Re: Omnibus Ruby Version


  • From: Thom May
  • To: Ryan Hass
  • Subject: [chef-dev] Re: Omnibus Ruby Version
  • Date: Thu, 30 Apr 2015 11:04:06 +0100

Hey Ryan,
thanks for the note. The short answer is that we don't feel it's a particularly bad bug; there's a very limited set of circumstances that would enable someone to exploit this. The longer answer is that we should have updated for 12.3.0, but I didn't realise we weren't up to date until it went out. 
I've just created https://github.com/chef/omnibus-chef/pull/381 to update to 2.1.6, and we'll pick this up for chef in 12.4.0 (or 12.3.1 if there's a need to do a point release) in a couple of weeks.
Thanks again,
-Thom


On Thu, Apr 30, 2015 at 7:19 AM, Ryan Hass wrote:
Does anyone know if the ruby version in the omnibus installers is going to be upgraded to 2.1.6? I am not sure how big of an issue this is: https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

I would like to submit a PR for this, but I am not really sure what to change and in which repos -- any information would be appreciated.

-Ryan H.



