author Tim Smith <tsmith84@gmail.com> 2021-01-06 15:39:04 -0800
committer Tim Smith <tsmith84@gmail.com> 2021-01-06 15:39:04 -0800
commit 306e8069936cc26e1c3407e617a4e9f14d810153
tree aa589789f86ecf79e13abfe07466f85603d0f6a8
parent 8a2cf9fc95b25147e2d264f90e8b78b6db43d6c5
Move security to the standard area in the end of 13.9
Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r-- RELEASE_NOTES.md 42
1 files changed, 21 insertions, 21 deletions
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 0c6e1f7479..4394a1d284 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -4327,26 +4327,6 @@ Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as
# What's New in 13.9.4
-## Security Updates
-
-Ruby has been updated to 2.4.4
-
-- CVE-2017-17742: HTTP response splitting in WEBrick
-- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
-- CVE-2018-8777: DoS by large request in WEBrick
-- CVE-2018-8778: Buffer under-read in String#unpack
-- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
-- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
-- Multiple vulnerabilities in RubyGems
-
-Nokogiri has been updated to 1.8.2
-
-- [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem).
-
-OpenSSL has been updated to 1.0.2o
-
-- CVE-2018-0739: Constructed ASN.1 types with a recursive definition could exceed the stack.
-
## Platform Updates
As Debian 7 is now end of life we will no longer produce Debian 7 chef-client packages.
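Review bot: the `@@` context for this hunk shows the sentence just above the 13.9.4 heading reading "Ruby has been updated to from 2.4.4 to 2.4.5", which has a stray "to". Since this commit is already tidying the security sections in this part of RELEASE_NOTES.md, consider fixing that sentence in the same pass so the Ruby version history reads cleanly next to the 2.4.4 entry being moved.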
@@ -4369,7 +4349,27 @@ The whitelist of DMI IDs is now user configurable using the `additional_dmi_ids`
The Filesystem2 functionality has been backported to BSD systems to provide a consistent filesystem format.
-# What's New in 13.9.1:
+## Security Updates
+
+### Ruby updated to 2.4.4
+
+- CVE-2017-17742: HTTP response splitting in WEBrick
+- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
+- CVE-2018-8777: DoS by large request in WEBrick
+- CVE-2018-8778: Buffer under-read in String#unpack
+- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
+- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
+- Multiple vulnerabilities in RubyGems
+
+### Nokogiri updated to 1.8.2
+
+- Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem).
+
+### OpenSSL updated to 1.0.2o
+
+- CVE-2018-0739: Constructed ASN.1 types with a recursive definition could exceed the stack.
+
+# What's New in 13.9.1
## Platform Additions
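Review bot: the re-added Nokogiri bullet is not a verbatim move. The removed line began with "[MRI]" and the added one drops it, which changes the stated scope of the fix in a commit described only as moving the section. Either keep the "[MRI]" qualifier or mention the wording change in the commit message. The sentence "Behavior in libxml2 has been reverted which caused CVE-2018-8048 ..." also reads as if the revert caused the CVEs. Since the line is being touched anyway, something like "A libxml2 behavior change that caused CVE-2018-8048 ... has been reverted" would be unambiguous. Separately, the "# What's New in 13.9.1:" heading loses its trailing colon here. That is a reasonable cleanup, but it is unrelated to the security move and would be easier to audit as its own change.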