chef - [chef] Chef Server 11.0.8 Released

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Chef Server 11.0.8 Released

From: Seth Falcon < >
To: " " < >
Subject: [chef] Chef Server 11.0.8 Released
Date: Tue, 23 Apr 2013 21:50:56 +0000
Accept-language: en-US

Greetings Chefs!

We are happy to announce the release of Chef Server 11.0.8 containing
a number of security and bug fixes as detailed below.

The MVP for this release is **Joe Breu**
( (https://twitter.com/rackerjoe))
who contributed a fix
for [CHEF-3889](http://tickets.opscode.com/browse/CHEF-3889) to
correct PostgreSQL tuning to allow Chef Server to be installed on
systems with more than 64GB of RAM.

## Updated Components:

### chef-server-webui 11.0.4

This release contains an updated Rails version of 3.2.13 which contains
security fixes for the following vulnerabilities:

* [CVE-2013-1854] Symbol DoS vulnerability in Active Record
* [CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack
* [CVE-2013-1856] XML Parsing Vulnerability affecting JRuby users
* [CVE-2013-1857] XSS Vulnerability in the sanitize helper of Rails

This fixes the following issues:

* [CHEF-4059](http://tickets.opscode.com/browse/CHEF-4059) update Rails
version
  to 3.2.13 for security issues

### PostgreSQL 9.2.4

This version fixes the following vulnerabilities:

* [CVE-2013-1899] - makes it possible for a connection request
  containing a database name that begins with "-" to be crafted that can
  damage or destroy files within a server's data directory. Anyone with
  access to the port the PostgreSQL server listens on can initiate this
  request.
* [CVE-2013-1900] - wherein random numbers generated by contrib/pgcrypto
  functions may be easy for another database user to guess
* [CVE-2013-1901] - which mistakenly allows an unprivileged user to run
  commands that could interfere with in-progress backups.

These issues are also addressed but only affect the graphical installers
for Linux and Mac OS X (note used by chef-server):

* [CVE-2013-1902] - the use of predictable filenames in /tmp
* [CVE-2013-1903] - insecure passing of superuser passwords to a script

More details in the PostgreSQL release announcement:
http://www.postgresql.org/about/news/1456/

This fixes the following issues:

* [CHEF-4060](http://tickets.opscode.com/browse/CHEF-4060) Upgrade PostgreSQL
  9.2.4

## Bug Fixes:

### don't override user provided nginx url

If the user did not provide a value for the nginx `url` we will
construct one, taking the value passed into `ssl_port` into account.

This fixes the following issues:

* [CHEF-4029](http://tickets.opscode.com/browse/CHEF-4029) configurable
bookshelf
  url & nginx ssl port issue

### ensure the `enable_non_ssl` nginx attribute works

Currently trying to enable non-ssl mode has no effect. This commit
ensures we render a both an HTTP and HTTPS version of the Chef API lb
config. This behavior now also matches Private Chef.

This fixes the following issues:

* [CHEF-4029](http://tickets.opscode.com/browse/CHEF-4029) configurable
bookshelf
  url & nginx ssl port issue

### Ensure Nginx config respects configured ports.

This patch makes Nginx's rewrite and proxy_set_header directives respect
the configured SSL port (`node['chef_server']['nginx']['ssl_port']`).

This fixes the following issues:

* [CHEF-3849](http://tickets.opscode.com/browse/CHEF-3849) redirect for login
  for webui ignores `ssl_port`

### Add configurable bookshelf url attribute.

This new attribute will default to the value of the Nginx url which is
built from the configured `api_fqdn` and Nginx ssl port.

Values set in the `/etc/chef-server/chef-server.rb` file always take
precedence so it is still possible to change the bookshelf vip to
something like "https://s3.amazonaws.com" if S3 is being used as the
backend cookbook store.

This fixes the following issues:

* [CHEF-3853](http://tickets.opscode.com/browse/CHEF-3853) checksum URLs
  generated by POST /sandboxes do not respect configured load balancer port

### Build Erchef url off configured values for listen + port.

The default attribute value for `node['chef_server']['erchef']['url']`
is out of date the instant a user configures alternate values for
`listen` or `port`. We'll remove this misleading attribute and just
compute a url when we need it using the following format:

  http://ERCHEF_LISTEN:ERCHEF_PORT

This fixes the following issue:

* [CHEF-3887](http://tickets.opscode.com/browse/CHEF-3887) Cannot change port
  of erchef

### Build webui url off configured values for listen + port

The default attribute value for
`node['chef_server']['chef-server-webui']['url']` is out of date the
instant a user configures alternate values for `listen` or `port`. We'll
remove this misleading attribute and just compute a url when we need it
using the following format:

  http://WEBUI_LISTEN:WEBUI_PORT

`node['chef_server']['chef-server-webui']['listen']` has also been
updated to match the idioms of other components `listen` attribute.

### Build solr url off configured values for ip_address + port.

The default attribute value for `node['chef_server']['chef-solr']['url']`
is out of date the instant a user configures alternate values for
`ip_address ` or `port`. We'll remove this misleading attribute and just
compute a url when we need it using the following format:

  http://SOLR_IP:SOLR_PORT

### stop `runit_service` supervise/ok race condition

Currently we wait 10 seconds for a runit service's supervise/ok named
pipe. On slower systems (*cough* CentOS 5.x) this 10 second wait is not
long enough.  This commit updates the embedded runit cookbook that ships
in omnibus-chef to match the indefinite block used in the current
version of community cookbook:

https://github.com/opscode-cookbooks/runit/blob/1.1.0/libraries/provider_runit_service.rb#L151-L153

## Improvements:

### Maximum on PostgreSQL shared_pages on machines where installed RAM/4
exceeds the size of shmmax of 14GB

On machines with installed RAM > 64GB the postgresql `shared_buffers`
configuration
would exceed shmmax.  This change places a maximum on `shared_pages` on
machines where
Installed RAM / 4 exceeds the size of shmmax of 14GB

This does not solve the case where you have a 32bit installation and more
than 16GB
of RAM.

This resolves the following issue:

* [CHEF-3889](http://tickets.opscode.com/browse/CHEF-3889) tunables for
  postgresql in chef server 11 do not work when system has more than 64GB of
  RAM

Thanks for the contribution Joe Breu (@rackerjoe)!

### Packaging code (Omnibus) improvements

* The Omnibus-related packaging code has been moved to it's own repository at:
  https://github.com/opscode/omnibus-chef-server
* Chef Server Omnibus project has been updated to support the newly released
  Omnibus 1.0.
* `opscode-runsvdir -> chef-server-runsvdir` - For consistency (and
  sanity), the upstart system job configuration should match the
  Omnibus project name.

[chef] Chef Server 11.0.8 Released, Seth Falcon, 04/23/2013
- [chef] Re: [chef-dev] Chef Server 11.0.8 Released, Jesse Nelson, 04/23/2013
- [chef] Re: [chef-dev] Chef Server 11.0.8 Released, Chris Burroughs, 04/25/2013
  - [chef] Re: Re: [chef-dev] Chef Server 11.0.8 Released, Daniel DeLeo, 04/25/2013
    - [chef] Re: Re: [chef-dev] Chef Server 11.0.8 Released, Daniel DeLeo, 04/25/2013