Chef Infra Server 14.10.23 Released!

Hey folks,

It's been a busy day for releases at Chef. This time it's Chef Infra Server with the release of 14.10.23. This release includes a pile of security improvements along with new API capabilities for Policyfiles users. Be sure to check it out.

New Features

Policy Revisions API now includes Policy Groups

We've added Policy Groups to the Policy Revisions API, which means that you can now get a complete list of Policy Groups that use a specific version of a Policy. When you make an API call to /organizations/[organization_id]/policies/[policy_name]/revisions/[revision_id], the response includes a policy_group_list array.

For example:

GET organizations/4thcafe/policies/some_policy_name/revisions/909c26701e291510eacdc6c06d626b9fa5350d25


    {
        "revision_id": "909c26701e291510eacdc6c06d626b9fa5350d25",
        "name": "some_policy_name",
        "run_list": [
        ],
        "cookbook_locks": {
            "policyfile_demo": {
                "identifier": "f04cc40faf628253fe7d9566d66a1733fb1afbe9",
                "version": "1.2.3"
            }
        },
        "policy_group_list": ["some_policy_group"]
    }


  • Improved logging in chef-server-ctl reconfigure.

Bug Fixes

  • Fixed a failure to install server add-ons on Amazon Linux 2.


Ubuntu 16.04

Ubuntu 16.04 was only mostly EOL. Now that Ubuntu 16.04 is no longer EOL, we are once again producing Chef Infra Server packages for it.


nginx Process As Non-Root User

The Chef Infra Server nginx process can now be run as a non-root user for improved security. To enable this, set default['private_chef']['nginx']['nginx_no_root'] to true.

x-ops-api-info Header Disabled by Default

We disabled the x-ops-api-info header by default because it included information on the running release of Chef Infra Server, which could aid attackers in determining potential vulnerabilities. You can enable this header in your configuration with the new option: default['private_chef']['opscode-erchef']['include_x_ops_api_info'].
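
A post-upgrade check for the change above, added here as an example (not Chef's code): it parses captured response headers and reports whether x-ops-api-info is still exposed and what it reveals. The `key=value;key=value` layout of the header value and both sample responses are constructed assumptions.

```ruby
# Added example (not Chef's code): audit captured HTTP response headers for
# Chef Infra Server version disclosure through the x-ops-api-info header.
DISCLOSURE_HEADER = 'x-ops-api-info'

# Parse raw "Name: value" lines into a hash keyed by lowercased header name
# (HTTP header names are case-insensitive). Status and blank lines are skipped.
def parse_headers(raw)
  raw.each_line.with_object({}) do |line, headers|
    name, value = line.chomp.split(':', 2)
    next if value.nil?
    (headers[name.strip.downcase] ||= []) << value.strip
  end
end

# Split an assumed "key=value;key=value" header value into a hash.
def parse_api_info(value)
  value.split(';').map { |pair| pair.split('=', 2) }
       .select { |key, val| key && val }
       .to_h { |key, val| [key.strip, val.strip] }
end

# Report whether the header is present and which fields it reveals.
def audit_response(raw)
  values = parse_headers(raw).fetch(DISCLOSURE_HEADER, [])
  info = values.map { |v| parse_api_info(v) }.reduce({}, :merge)
  { disclosed: !values.empty?, version: info['version'], fields: info.keys }
end

# Constructed sample responses: header opted back in vs. the new default.
HEADER_ENABLED = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: application/json
  X-Ops-API-Info: flavor=cs;version=14.10.23;oc_erchef=14.10.23
HTTP

HEADER_DEFAULT = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: application/json
HTTP

if __FILE__ == $PROGRAM_NAME
  { 'header enabled' => HEADER_ENABLED, 'default' => HEADER_DEFAULT }.each do |label, raw|
    result = audit_response(raw)
    status = result[:disclosed] ? "DISCLOSES version #{result[:version]}" : 'ok'
    puts "#{label}: #{status}"
  end
end
```

Feed `audit_response` the headers captured from your own server (for example with `curl -sI`) after running chef-server-ctl reconfigure.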

Email Changes via OC-ID

User email changes via the OC-ID API now send confirmation e-mails to ensure the user owns the e-mail.

PostgreSQL 13.4

The embedded PostgreSQL install has been updated from 13.3 to 13.4. This new release improves reliability and resolves the following CVEs:

  • CVE-2021-3677
  • CVE-2021-3449

Nokogiri 1.12.5

Nokogiri has been updated from 1.11.7 to 1.12.5 in order to resolve CVE-2021-41098. This CVE only impacted users of JRuby, which Chef Infra Server does not use, but the older release would show up on vulnerability scanners as an issue to resolve.

OpenSSL 1.0.2zb

OpenSSL has been updated from 1.0.2za to 1.0.2zb to resolve issues with Let's Encrypt certificates.


The cacerts bundle has been updated to the 2021-07-25 release. This update removes older expired root certificates and adds the following new root certificates:

  • GlobalSign Root R46
  • GlobalSign Root E46
  • ANF Secure Server Root CA
  • Certum EC-384 CA
  • Certum Trusted Root CA

Get the Build

You can download binaries directly from