Chef Backend 2.3.16 Released!

Chef Release Announcements
1

Hello Chefs!

Chef Backend 2.3.16 is now released and available on the downloads site.

Fixes

  • Chef Infra Client, which is used in the chef-backend-ctl reconfigure command, has been updated from 15.x to 16.17 to resolve EOL warnings when running.

Enhancements

  • chef-backend-ctl backup no longer backs up the Elasticsearch cluster to speed up backup times. Users restoring a backed-up cluster can instead run chef-server-ctl reindex --all from a frontend node to generate new data in Elasticsearch.

Packaging

Newly Supported Platforms

We now produce Chef Backend packages for SLES 15, Amazon Linux 2, and Ubuntu 20.04.

Deprecated Platforms

Chef Backend packages are no longer produced for RHEL 6, as this platform is now end-of-life.

RPM Package Digests

Updated the file digest in Chef Backend RPM packages from MD5 to SHA256 to prevent failures from installing on some FIPS-enabled systems.

Security

Log4j Mitigation

We mitigated the Log4j vulnerability outlined in CVE-2021-44228 by disabling message formatting within logging. Chef Backend is not vulnerable to this CVE in Log4j, but this avoids security concerns with this CVE.

Ruby 2.7.5

Updated Ruby from 2.6.5 to 2.7.5 for improved performance and to resolve the following CVEs:

  • CVE-2021-41817
  • CVE-2021-41819
  • CVE-2021-31810
  • CVE-2021-32066
  • CVE-2021-31799
  • CVE-2020-25613
  • CVE-2021-28965
  • CVE-2020-10663
  • CVE-2020-10933

OpenSSL 1.0.2zb

Updated OpenSSL from 1.0.2v to 1.0.2zb to resolve issues with Let's Encrypt certificates and to resolve the following CVEs:

  • CVE-2021-3712
  • CVE-2021-23841
  • CVE-2021-23840
  • CVE-2021-23839
  • CVE-2020-1971
  • CVE-2020-1968

OpenJDK 11.0.13+8

Updated OpenJDK from 11.0.7+10 to 11.0.13+8 to resolve the following CVEs:

  • CVE-2021-35550
  • CVE-2021-35565
  • CVE-2021-35556
  • CVE-2021-35559
  • CVE-2021-35561
  • CVE-2021-35564
  • CVE-2021-35567
  • CVE-2021-35578
  • CVE-2021-35586
  • CVE-2021-35603
  • CVE-2021-2341
  • CVE-2021-2369
  • CVE-2021-2388
  • CVE-2021-2163
  • CVE-2021-2161
  • CVE-2020-14779
  • CVE-2020-14781
  • CVE-2020-14782
  • CVE-2020-14792
  • CVE-2020-14796
  • CVE-2020-14797
  • CVE-2020-14798
  • CVE-2020-14803

PostgreSQL 9.5.25

Updated PostgreSQL from 9.5.19 to 9.5.25 to resolve the following CVEs:

  • CVE-2020-14350
  • CVE-2020-25695
  • CVE-2020-25694
  • CVE-2020-25696