Attribute files and other non-recipe files are not loaded in a guaranteed, deterministic order. In many places, attribute files are loaded in alphabetical order. Further, our documentation specifies that attribute files are loaded alphabetically. However, this behavior is not enforced. Rather, it is dependent on the implementation of Hash within Ruby. Patches such as the security fix implemented in http://rhn.redhat.com/errata/RHSA-2012-0069.html can change the order of attribute loading and make it non-deterministic on systems with this patch.
While Chef provides the `include_attribute` function to enforce particular orderings, providing a consistent ordering is important for users. Currently, the following possibilities have been identified:
1. Restore alphabetical ordering to attribute loading. This is relatively easy to implement.
2. Enforce a lexical ordering.
3. Attempt to make attribute files (and potentially other non-recipe files) load in an order that more closely resembles the run_list ordering. Namely, load all attribute files (default.rb, then lexical order) for cookbooks in the order of the expanded run_list, then load all attribute files in the same manner from remaining cookbooks in lexical order of cookbooks. Specifying include_attribute would still cause an attribute file to be read immediately if it has not already been seen.
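The ordering proposed in option 3, sketched in Ruby as an added illustration that is not taken from Chef's code base. The function names, the `cookbooks` and `run_list_cookbooks` arguments and the `includes` map (a stand-in for `include_attribute` calls, keyed by `cookbook/file.rb`) are hypothetical, and the sample data is constructed. The result lists files in the order they start being read.

```ruby
# Added illustration of option 3; not Chef's implementation.
# All method names and data shapes below are hypothetical.

# default.rb first, then the remaining files in lexical order.
def ordered_attribute_files(files)
  default, rest = files.uniq.partition { |f| f == "default.rb" }
  default + rest.sort
end

# Cookbooks named in the expanded run_list keep run_list order; every other
# cookbook follows in lexical order. Hash iteration order is never consulted.
def ordered_cookbooks(cookbooks, run_list_cookbooks)
  listed = run_list_cookbooks.uniq.select { |name| cookbooks.key?(name) }
  listed + (cookbooks.keys - listed).sort
end

# Returns "cookbook/file.rb" paths in the order they start being read.
# `includes` maps a path to the paths it pulls in via include_attribute.
def attribute_load_order(cookbooks, run_list_cookbooks, includes = {})
  seen = []
  visit = lambda do |path|
    next if seen.include?(path) # already read: the include is a no-op
    seen << path
    includes.fetch(path, []).each { |dep| visit.call(dep) }
  end
  ordered_cookbooks(cookbooks, run_list_cookbooks).each do |name|
    ordered_attribute_files(cookbooks[name]).each { |f| visit.call("#{name}/#{f}") }
  end
  seen
end

# Constructed sample input.
SAMPLE_COOKBOOKS = {
  "zlib"   => ["default.rb"],
  "nginx"  => ["source.rb", "default.rb", "passenger.rb"],
  "apache" => ["mod_ssl.rb", "default.rb"],
  "apt"    => ["cacher.rb"],
}
SAMPLE_RUN_LIST = ["nginx", "apt"]
SAMPLE_INCLUDES = { "nginx/default.rb" => ["zlib/default.rb"] }

if __FILE__ == $PROGRAM_NAME
  puts attribute_load_order(SAMPLE_COOKBOOKS, SAMPLE_RUN_LIST, SAMPLE_INCLUDES)
end
```

Because both sort keys are explicit, inserting the cookbooks into the hash in a different order, or running on a Ruby build with randomized hashing, produces the same list.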
Tracking CVE progress in Debian: http://security-tracker.debian.org/tracker/CVE-2011-4815