We are delighted to announce the availability of version 14.3.14 of Chef Infra Server.
Security Improvements
TLS 1.2 Communication By Default
Chef Infra Server now defaults to supporting only TLS 1.2 for API communication. This new default may require upgrading older releases of Chef Infra Client, which do not support TLS 1.2. On Linux/Unix/macOS systems TLS 1.2 is supported in Chef Infra Client 10.16.4 and later. On Windows systems, TLS 1.2 is supported on Chef Infra Client 12.8 or later.
Bifrost No Longer Externally Exposed
The Bifrost service was previously exposed externally on port 9683. This service is no longer required externally and is now only exposed to the local system to improve security.
HTTP Strict-Transport-Security (HSTS) Max Age Configuration
The HTTP Strict-Transport-Security (HSTS) max-age value for the default Chef Infra Server website can now be configured. Set the new node['private_chef']['nginx']['hsts_max_age'] to define the time in seconds the browser should remember that a site is only to be accessed using HTTPS. This configuration defaults to 31536000 (1 year) and accepts a maximum value of 63072000 (2 years).
Additional Security Headers Set on Default Website
The default website for the Chef Infra Server now sets Content-Security-Policy and X-Frame-Options headers to better secure this default website.
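A post-upgrade check for the two header changes above, as an added example that is not Chef's own code: it audits one response's headers against the documented HSTS default and maximum and confirms the two new headers are present. The function names and the sample header values are assumptions constructed for illustration.

```python
HSTS_DEFAULT = 31536000   # default from the release notes (1 year)
HSTS_MAX = 63072000       # maximum accepted value from the release notes (2 years)
REQUIRED = ("content-security-policy", "x-frame-options")


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a {directive: value} dict."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            # Directive names are case-insensitive; keep the first occurrence of each.
            directives.setdefault(name.strip().lower(), arg.strip().strip('"'))
    return directives


def audit_headers(headers, expected_max_age=HSTS_DEFAULT):
    """Return a list of findings for one HTTPS response; an empty list means pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        raw = parse_hsts(hsts).get("max-age", "")
        if not raw.isdecimal():
            findings.append(f"HSTS max-age is not a non-negative integer: {raw!r}")
        elif int(raw) > HSTS_MAX:
            findings.append(f"HSTS max-age {raw} exceeds documented maximum {HSTS_MAX}")
        elif int(raw) != expected_max_age:
            findings.append(f"HSTS max-age {raw} differs from configured {expected_max_age}")
    for name in REQUIRED:
        if not h.get(name, "").strip():
            findings.append(f"missing {name}")
    return findings


# Constructed sample responses (header values are illustrative, not captured from a server).
UPGRADED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}
DRIFTED = {"strict-transport-security": 'MAX-AGE="15768000"'}

if __name__ == "__main__":
    for label, sample in (("upgraded", UPGRADED), ("drifted", DRIFTED)):
        print(label, audit_headers(sample) or "ok")
```

Pass `expected_max_age` when hsts_max_age has been changed from its default, and feed the function the headers returned by a real request to the server's default website.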
Ruby 2.6.7
We updated Ruby from 2.6.6 to 2.6.7 to resolve a large number of bugs as well as the following CVEs:
PostgreSQL 9.6.21
We updated PostgreSQL from 9.6.15 to 9.6.21 to resolve a large number of bugs as well as the following CVEs:
Platform Support Updates
- Packages are no longer produced for Ubuntu 16.04, which reaches End-of-Life status on April 30th. See our Platform End-of-Life Policy for additional information.
- Packages are now produced for Amazon Linux 2. See a complete list of platforms and versions we support at downloads.chef.io.
- Ubuntu packages now support FIPS.
Other Improvements
Improved Reindexing
Reindexing will now fail gracefully if less than 2.2x the size of the current Elasticsearch data is available on disk before the reindex is attempted. This prevents reindexing from leaving a server install non-functional when disk space is low.
Improved Performance
The OpenResty engine that powers the Chef Infra Server API has been updated to the latest release (1.19.3.1). This release includes significant performance improvements, which may result in improved API performance under some conditions.
Get the Build
You can download binaries directly from downloads.chef.io.