Hey folks,
It's been a busy day for releases at Chef. This time it's Chef Infra Server with the release of 14.10.23. This release includes a pile of security improvements along with new API capabilities for Policyfiles users. Be sure to check it out.
New Features
Policy Revisions API now includes Policy Groups
We've added Policy Groups to the Policy Revisions API, which means that you can now get a complete list of the Policy Groups that use a specific revision of a policy. When you make an API call to /organizations/[organization_id]/policies/[policy_name]/revisions/[revision_id], the response includes a policy_group_list array.
For example:
GET /organizations/4thcafe/policies/some_policy_name/revisions/909c26701e291510eacdc6c06d626b9fa5350d25
returns:
{
  "revision_id": "909c26701e291510eacdc6c06d626b9fa5350d25",
  "name": "some_policy_name",
  "run_list": [
    "recipe[policyfile_demo::default]"
  ],
  "cookbook_locks": {
    "policyfile_demo": {
      "identifier": "f04cc40faf628253fe7d9566d66a1733fb1afbe9",
      "version": "1.2.3"
    }
  },
  "policy_group_list": ["some_policy_group"]
}
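One practical use of the new field is answering "which policy groups are still running this cookbook release?" and "which revisions does nobody reference any more?". The script below is an added example, not code from the release or from the Chef code base. It works on constructed revision documents modeled on the response above (the second revision id and its cookbook lock identifier are made up), and the fetch_revision helper assumes knife raw paths are relative to your chef_server_url, which already includes the organization.

```ruby
require 'json'

# Constructed sample revision documents for one policy, modeled on the
# Policy Revisions API response: one revision still pinned by a policy group,
# one that no group references any more (empty policy_group_list).
SAMPLE_REVISIONS = JSON.parse(<<~'JSON')
  {
    "909c26701e291510eacdc6c06d626b9fa5350d25": {
      "revision_id": "909c26701e291510eacdc6c06d626b9fa5350d25",
      "name": "some_policy_name",
      "run_list": ["recipe[policyfile_demo::default]"],
      "cookbook_locks": {
        "policyfile_demo": {
          "identifier": "f04cc40faf628253fe7d9566d66a1733fb1afbe9",
          "version": "1.2.3"
        }
      },
      "policy_group_list": ["some_policy_group"]
    },
    "1111111111111111111111111111111111111111": {
      "revision_id": "1111111111111111111111111111111111111111",
      "name": "some_policy_name",
      "run_list": ["recipe[policyfile_demo::default]"],
      "cookbook_locks": {
        "policyfile_demo": {
          "identifier": "2222222222222222222222222222222222222222",
          "version": "1.2.2"
        }
      },
      "policy_group_list": []
    }
  }
JSON

# Live fetch against a real server (not exercised here). Assumes knife is
# configured for the org and that `knife raw` paths are relative to
# chef_server_url, e.g. /policies/some_policy_name/revisions/<revision_id>.
def fetch_revision(policy_name, revision_id)
  JSON.parse(`knife raw /policies/#{policy_name}/revisions/#{revision_id}`)
end

# Split revisions into those still pinned by at least one policy group and
# those that no group references (candidates for clean-up). Returns
# { pinned: { revision_id => [group, ...] }, orphaned: [revision_id, ...] }.
def classify_revisions(revisions)
  pinned = {}
  orphaned = []
  revisions.each do |rev_id, doc|
    groups = doc.fetch("policy_group_list", [])
    if groups.empty?
      orphaned << rev_id
    else
      pinned[rev_id] = groups
    end
  end
  { pinned: pinned, orphaned: orphaned }
end

# Policy groups whose pinned revision locks `cookbook` at exactly `version`,
# e.g. to find every group still running a cookbook release you need to
# retire. Returns a sorted, de-duplicated list of group names.
def groups_locking_cookbook(revisions, cookbook, version)
  revisions.values.flat_map do |doc|
    lock = doc.fetch("cookbook_locks", {})[cookbook]
    next [] unless lock && lock["version"] == version
    doc.fetch("policy_group_list", [])
  end.uniq.sort
end

if __FILE__ == $0
  report = classify_revisions(SAMPLE_REVISIONS)
  puts "pinned:   #{report[:pinned].inspect}"
  puts "orphaned: #{report[:orphaned].inspect}"
  puts "groups on policyfile_demo 1.2.3: " \
       "#{groups_locking_cookbook(SAMPLE_REVISIONS, 'policyfile_demo', '1.2.3').inspect}"
end
```

Before this release the only way to build the group-to-revision mapping was to walk every policy group and compare the revision ids it pins; with policy_group_list the revision document itself carries the answer, so a single GET per revision is enough.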
Improvements
- Improved logging in chef-server-ctl reconfigure.
Bug Fixes
- Fixed a failure to install server add-ons on Amazon Linux 2.
Packaging
Ubuntu 16.04
Ubuntu 16.04 was only mostly EOL. Now that Ubuntu 16.04 is no longer EOL, we are once again producing Chef Infra Server packages for it.
Security
nginx Process As Non-Root User
The Chef Infra Server nginx process can now be run as a non-root user for improved security. To enable this, set default['private_chef']['nginx']['nginx_no_root'] to true.
x-ops-api-info Header Disabled by Default
We disabled the x-ops-api-info header by default because it included the running release of Chef Infra Server, which lets an attacker fingerprint the exact server version and look up vulnerabilities for it. You can re-enable this header in your configuration with the new option: default['private_chef']['opscode-erchef']['include_x_ops_api_info'].
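The two settings above, the non-root nginx option and the x-ops-api-info toggle, are applied together below, as an added example rather than a fragment from the release or the Chef code base. It assumes the server config lives at /etc/opscode/chef-server.rb and that the default['private_chef']['nginx'][...] and default['private_chef']['opscode-erchef'][...] attributes quoted above map to the nginx[...] and opscode_erchef[...] hashes in that file.

```ruby
# /etc/opscode/chef-server.rb  (assumed location of the server config file)
# Apply with: chef-server-ctl reconfigure

# Run the front-end nginx worker as a non-root user (new in 14.10.23).
# The attribute default['private_chef']['nginx']['nginx_no_root'] from the
# release notes is assumed to be exposed here as nginx['nginx_no_root'].
nginx['nginx_no_root'] = true

# Keep the version-disclosing x-ops-api-info header off. false is the new
# default; it is written out explicitly so a later upgrade or copied config
# cannot silently re-enable it. Set to true only if tooling depends on it.
# Assumed to map from default['private_chef']['opscode-erchef']['include_x_ops_api_info'].
opscode_erchef['include_x_ops_api_info'] = false
```

After reconfiguring, confirm the header is gone by inspecting the response headers of any API request (for example with curl -skI against the server); an unauthenticated request is enough, since the headers are visible even on a 401 response.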
Email Changes via OC-ID
User email changes via the OC-ID API now send confirmation e-mails to ensure the user owns the e-mail.
PostgreSQL 13.4
The embedded PostgreSQL install has been updated from 13.3 to 13.4. This new release improves reliability and resolves the following CVEs:
- CVE-2021-3677
- CVE-2021-3449
Nokogiri 1.12.5
Nokogiri has been updated from 1.11.7 to 1.12.5 in order to resolve CVE-2021-41098. This CVE only impacted users of JRuby, which Chef Infra Server does not use, but the older release would show up on vulnerability scanners as an issue to resolve.
OpenSSL 1.0.2zb
OpenSSL has been updated from 1.0.2za to 1.0.2zb to resolve issues with Let's Encrypt certificates.
cacerts
The cacerts bundle has been updated to the 2021-07-25 release. This update removes older expired root certificates and adds the following new root certificates:
- AC RAIZ FNMT-RCM SERVIDORES SEGUROS
- GlobalSign Root R46
- GlobalSign Root E46
- GLOBALTRUST 2020
- ANF Secure Server Root CA
- Certum EC-384 CA
- Certum Trusted Root CA
Get the Build
You can download binaries directly from downloads.chef.io.