Release for security updates needed

[btm]

We need to review at least our security releases for other products since, but maybe a manifest of software in OSS Server 11, to determine necessary security updates.

• OpenSSL Last release had 1.0.1j, there are at least 14 fixed CVEs between 1.0.1j and 1.0.1m.
• PostgreSQL Last bump was 9.2.9, there are five CVEs fixed in 9.2.10.
• Ruby The Gemfile points to https://github.com/chef/omnibus-software/commit/a08918d84cb4ae31d4c749167def662350aa6235, which has ruby 1.9.3-p484 from 2013-11-22. There are surely countless CVEs fixed since then. Ruby 1.9.3-p551 appears to be the latest
• Nginx The Gemfile points to https://github.com/chef/omnibus-software/commit/a08918d84cb4ae31d4c749167def662350aa6235, which has nginx 1.4.4. The 1.4 changelog shows 1 CVE fixed in 1.4.7 which was released on 2014-03-18. I don't see a statement about 1.4 being EOL, but it looks like they've stopped shipping it. Ngingx 1.6 has a couple CVE fixes since then. I don't see any subsequent security fixes in Nginx 1.8. We did recently release Chef Server 12.0.8 which included what looks like 8 Nginx security fixes.

  Potential issues:

• This wasn't building in October? https://github.com/chef/omnibus-chef-server/issues/99
• The Gemfile refers to http://www.github.com/opscode/omnibus-ruby, which is gone?
• Ruby 1.9.3 is EOL. In the 11.x client we chose to not to upgrade to a newer ruby for CVE-2015-1855 because it would be a lot of work and that CVE isn't a big deal

[marcparadise]

Thanks for the details & legwork @btm

@jessehu we're looking into this internally and should have further news in the next day or so.

[jessehu]

@marcparadise many thanks . Looking forward to the good news!

[thommay]

I don't think the arguments for not upgrading ruby in the 11.x client apply in the same way here, fwiw. Our concern there was that users' code might break given the upgrade from 1.9 to 2.1.

[adamedx]

@thommay, @mp, can we just use the current channel of our apt / yum repos to distribute a version with a new openssl in the short term?

[marcparadise]

We can get a build out on packagecloud with the updated openssl in short order. I've got that in flight now and will update here when it's available.

@jesshu This will not be a formal release, but will contain the fix you need to unblock your deployment.

Is upgrading to Chef Server 12 is an option for you instead? Aside from new features, it has newer versions of many base components (such as solr 4 instead of 1.4 - which is out of support and has unpatched security issues).

If you already have Chef Server 11.1.x or later installed, the upgrade path is relatively straightforward:

http://docs.chef.io/upgrade_server.html#from-chef-server-osc

With additional information here:

https://docs.chef.io/upgrade_server_open_source_notes.html

There are two things to ensure before an upgrade:

• Chef Server 11.1.0 (or later) to CS12 is the only supported upgrade path - if you're on a CS 11.0.x, you would first need to upgrade to 11.1.6
• All cookbooks must have the 'name' attribute set in metadata.rb.

[marcparadise]

The change has been completed and passed CI. Once the next nightly is available with this update, I'll post a link. Here's the PR: https://github.com/chef/omnibus-chef-server/pull/105

[jessehu]

Thanks @marcparadise a lot. Can the postgresql 9.2.9 be updated to 9.2.10 ? It also a critical security issue for us.

[jessehu]

@marcparadise, one of our engineers tried to upgrade to Chef Server 12 but met some issue. So we decided to stick to Chef Server 11, and Chef Server 12 might be the last choice. Since OpenSSL 1.0.1m and postgresql 9.2.10 can be packaged in new Chef Server 11, we will still use Chef Server 11.

[rhass-r7]

I am :+1: for upgrading ruby to a non-eol version (2.x?) EOL means no security fixes, and managing the risk of that seems far easier to handle in a non-emergency time than when a high risk issue drops. That's my two cents worth if anyone cared to hear it.

[jessehu]

Hi @marcparadise, where can I get the nightly build which contains the openssl 1.0.1m and postgresql 9.2.10 ?

[stevendanna]

@jessehu Apologies for yet another round of questioning, but when reading through this thread, it occurred to me: Are you targeting Open Source Chef Server 11 or Enterprise Chef Server 11?

Nightlies of the open source build with the upgraded nginx and postgresql can now be found on package cloud. Here is the package from ubuntu:

https://packagecloud.io/chef/current/packages/ubuntu/precise/chef-server_11.1.6+20150508104619.git.8.373c970-1_amd64.deb

[jessehu]

Thanks @stevendanna, I want Open Source Chef Server 11 for Redhat RHEL 5 x86_64. What's the download URL?

[jessehu]

I find it on https://packagecloud.io/chef/current . Will test it in my env. When will the formal release 11.1.7 annouced and avaible for download ?

[jessehu]

Hi @marcparadise , I'm now using chef-12.4.1-1.el6.x86_64 and found the following files. I'm a little confused whether /opt/chef/embedded/lib/libssl.so.1.0.0 is the openssl 1.0.1m. BTW, will a new Chef Client 12 version which contains openssl 1.0.1p delivered in 1 or 2 weeks ?

$ ll /opt/chef/embedded/lib/libssl* -rw-r--r-- 1 root root 749714 Jul 7 14:40 /opt/chef/embedded/lib/libssl.a lrwxrwxrwx 1 root root 15 Sep 9 11:01 /opt/chef/embedded/lib/libssl.so -> libssl.so.1.0.0 -r-xr-xr-x 1 root root 483887 Jul 7 14:40 /opt/chef/embedded/lib/libssl.so.1.0.0

$ grep openssl /opt/chef/version-manifest.txt openssl 1.0.1m md5:d143d1555d842a069cb7cc34ba745a06 openssl-customization 12.4.1

[jessehu]

The latest chef-12.4.3-1.el6.x86_64 released last week contains OpenSSL 1.0.1p. Thank you all.