Updating OpenSSL to 1.0.2p #1654
Conversation
You need to bundle update omnibus or this will fail since it requires the updated omnibus-software.
Resolves:
Client DoS due to large DH parameter (CVE-2018-0732)
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Following chef/chef#7546
Signed-off-by: tyler-ball <tball@chef.io>
Okay! Finally got the deps updated. Got rid of the
@@ -18,6 +18,3 @@ group :development do | |||
gem "kitchen-vagrant" | |||
gem "winrm-elevated" | |||
end | |||
|
|||
# TODO remove this when we update Chef to use the new api exposed in 3.5.1 | |||
gem "rspec-core", "= 3.4.4" |
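Review bot: The last three lines of this hunk drop the `rspec-core` pin (`= 3.4.4`) and its TODO, which is unrelated to the OpenSSL 1.0.2p update this PR is titled for and is not mentioned in the description. Either split the unpin into its own commit or add a line to the commit message saying why the pin is no longer needed, so that a later bisect of omnibus test failures does not land on a security update. Before removing it, also confirm that the condition stated in the TODO (Chef using the API exposed in 3.5.1) now holds.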
???
Yeah. Apparently I added that 2 years ago in d11e563 - I see no reason to keep it pinned in the omnibus build since it is no longer pinned in the main Gemfile, and master is using 3.7.0
Is our rspec installation used directly by customers, or do we only build it for self-testing?
Neither. This would be rspec if it was used to test omnibus or omnibus-software (or anything in the chef-dk/omnibus folder). This version pin doesn't determine what is used to test the main ChefDK source, or the produced ChefDK omnibus package. I have no idea why we would want to keep this
Let's cross our fingers for chef 14 omnibus builds!!!!
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Description
Resolves:
Client DoS due to large DH parameter (CVE-2018-0732)
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Issues Resolved
N/A
Check List
Signed-off-by: tyler-ball <tball@chef.io>