[chef] Re: Re: Re: Rack vulnerabilities in chef-server-webui in Chef Server 11


  • From: Senthilvel Rangaswamy
  • Subject: [chef] Re: Re: Re: Rack vulnerabilities in chef-server-webui in Chef Server 11
  • Date: Sat, 9 Feb 2013 10:58:16 -0800

I agree with Joshua. If there was no UI, we wouldn't have gone with chef. Granted, we use UI less
and less every day, but without it, we wouldn't have started with chef.


On Sat, Feb 9, 2013 at 10:12 AM, Joshua Miller wrote:
This seems like an odd idea to me given the only time I used the webui was when I was first playing with chef.  It allows a new user who is unsure to verify his actions in a friendly ui.

Someone who has explored the benefits of chef is more likely to become a paying member.  This is even more true given the recent announcement of commercial support for the open source platform.



Joshua



On Feb 9, 2013, at 9:53 AM, Jesse Campbell wrote:

Is the intention that starting with chef 12 server, the webui will be a value add of the hosted/private offerings?


On Sat, Feb 9, 2013 at 11:40 AM, Bryan McLellan wrote:
We believe that the chef-server-webui in Chef Server 11 is vulnerable to recently announced security vulnerabilities in Rack [1]. The Chef 10 webui does not run on rails. We recommend that Chef 11 Server users shut down the webui to prevent any exploitation.

To do so, create '/etc/chef-server/chef-server.rb' and add this line to it:

webui_enable false

Then run 'sudo chef-server-ctl reconfigure'

On Monday we will release a new Chef Server 11 package that upgrades Rack to 1.4.5 to resolve this issue. The webui will be configured to not start by default in Monday's release and subsequent releases and we are deprecating it. The chef-server-webui will not be included in the Chef 12 Server open-source release.

---
Bryan McLellan | opscode | technical program manager, open source
(c) 206.607.7108 | (t) @btmspox | (b) http://blog.loftninjas.org

[1] http://rack.github.com/





--
..Senthil

"If there's anything more important than my ego around, I want it
 caught and shot now."
                                                    - Douglas Adams.


