Chef Supermarket 4.0.21 Released!

We are delighted to announce the availability of version 4.0.21 of Chef Supermarket.

Breaking Changes

  • Removed links to EOL Chef Provisioning drivers from the Tools tab. If you have existing Chef Provisioning Tools uploaded to Supermarket, they are no longer visible.
  • Removed CCLA and ICLA management through Supermarket. The supermarket-ctl upgrade command will drop any existing CLA-related PostgreSQL tables.
  • Removed Publish Metric from the Cookbook quality metric. Cookbooks no longer get a baseline quality score just for being published.

Bug Fixes

  • Updated the Octokit gem for interacting with GitHub to avoid deprecation e-mails from GitHub and failures running cookbook quality metrics after September 8th, 2021.
  • Fixed the dead links in Supermarket.
  • Removed links to the long-EOL'd botbotirc service.
  • Fixed incorrect user profile rendering with large numbers of cookbooks.
  • Fixed search rendering on mobile browsers.

Enhancements

  • Updated the product names in Supermarket to match current product names.
  • Adjusted the search algorithm so deprecated cookbooks are at the bottom of search results.
  • Improved error messages, with more work coming to add messages for all required S3 environment variables.
  • Curated the list of platforms in the search filter to show common platforms.
  • Added a prompt that requires users to confirm the action before removing themselves as collaborators from cookbooks.
  • Removed references to EOL ChefDK and Chef Provisioning products.
  • Set headers in the automated release notification e-mails from Supermarket to avoid "Out of Office" replies from cookbook authors.

Packaging

Ubuntu 16.04 Removal

We no longer make Supermarket packages for Ubuntu 16.04, which went EOL April 2021.

RPM Package Digests

The file digest in Chef Infra Server RPM packages has been updated from MD5 to SHA256 to prevent installation failures on some FIPS-enabled systems.

Ubuntu FIPS Support

Ubuntu packages are now FIPS compliant for all your FedRAMP needs.

RHEL 8 Packages

RHEL 8 packages now have additional RHEL 8 optimizations and EL8 in the filename.

SLES Packages

We now produce Supermarket packages for SLES 12 and 15.

Security

TLS 1.0 and 1.1 Disabled By Default

TLS 1.2 is now the sole default for the node['supermarket']['ssl']['protocols'] configuration attribute. The previous default was 1.0, 1.1, and 1.2. This change provides a more secure setup out of the box. It may cause failures on very old operating systems or ChefDK releases.
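An added verification script (not part of Supermarket or this announcement) that reviews a protocols attribute value for legacy versions and then confirms against a running host which TLS versions it still negotiates. It assumes the attribute uses Nginx's ssl_protocols syntax (space-separated names such as "TLSv1 TLSv1.1 TLSv1.2"); the host and port are command-line arguments.

```ruby
require "openssl"
require "socket"
require "timeout"

# Nginx-style protocol names (assumed format of node['supermarket']['ssl']['protocols'])
# mapped to the OpenSSL version constants used to pin a handshake to one version.
PROTOCOL_VERSIONS = {
  "TLSv1"   => OpenSSL::SSL::TLS1_VERSION,
  "TLSv1.1" => OpenSSL::SSL::TLS1_1_VERSION,
  "TLSv1.2" => OpenSSL::SSL::TLS1_2_VERSION,
}.freeze

# Versions that 4.0.21 drops from the default.
WEAK_PROTOCOLS = %w[TLSv1 TLSv1.1].freeze

# Returns the legacy protocols still enabled by an attribute value;
# an empty array means the value is as strict as the new default.
def weak_protocols(protocols_value)
  protocols_value.split & WEAK_PROTOCOLS
end

# Attempts one handshake pinned to exactly one TLS version.
# Returns true if the server accepted it, false if it refused.
def accepts_version?(host, port, version, timeout: 5)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = version
  ctx.max_version = version
  ctx.security_level = 0 # let the client offer TLS 1.0/1.1 on modern OpenSSL builds
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # probing protocol support, not the certificate
  Timeout.timeout(timeout) do
    tcp = TCPSocket.new(host, port)
    ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
    ssl.hostname = host # SNI, so the right virtual host answers
    ssl.connect
    ssl.close
    tcp.close
  end
  true
rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET, Errno::ECONNREFUSED, Timeout::Error
  false
end

# Probes every protocol and returns { "TLSv1" => false, ... } for the host.
def probe(host, port = 443)
  PROTOCOL_VERSIONS.to_h { |name, ver| [name, accepts_version?(host, port, ver)] }
end

if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  host, port = ARGV[0], (ARGV[1] || 443).to_i
  probe(host, port).each { |name, ok| puts "#{name}: #{ok ? 'ACCEPTED' : 'refused'}" }
end
```

After the upgrade, only TLSv1.2 should report ACCEPTED; a host that still accepts TLSv1 or TLSv1.1 has the attribute overridden somewhere.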

Content Security Policy

We added Content Security Policy HTTP response headers to improve Supermarket security and reduce the chance of cross-site scripting attacks.

Server Header Removal

We removed the HTTP 'Server' header from responses to prevent identification of the underlying web server.

Redirection Improvements

We improved validation within URL redirects to avoid potential spoofing.

Rails 6.1.4

The Rails engine that powers Supermarket has been updated from 5.2.4.4 to 6.1.4. This new release adds significant new capabilities to Rails that will enable future development work. It also resolves the following CVEs:

  • CVE-2021-22903
  • CVE-2021-22902
  • CVE-2021-22904
  • CVE-2021-22885
  • CVE-2021-22881
  • CVE-2021-22880
  • CVE-2020-8166

Ruby 2.7.4

Ruby has been updated from 2.6.6 to 2.7.4 to improve performance and resolve the following CVEs:

  • CVE-2020-25613
  • CVE-2021-28965
  • CVE-2021-31810
  • CVE-2021-32066
  • CVE-2021-31799

PostgreSQL 9.3.25

PostgreSQL has been updated from 9.3.18 to 9.3.25 to resolve a large number of bugs, as well as the following CVEs:

  • CVE-2018-10915
  • CVE-2018-1058
  • CVE-2018-1053
  • CVE-2017-15098
  • CVE-2017-12172

OpenResty 1.19.9.1

Supermarket's Nginx 1.18 web server has been replaced with OpenResty 1.19.9.1. OpenResty is an Nginx-based web server that offers additional modules and is used by the Chef Infra Server. This new release includes significant performance improvements, bug fixes, and a fix for CVE-2021-23017.

Curl 7.79

Curl has been updated from 7.75 to 7.79 to resolve the following CVEs:

  • CVE-2021-22897
  • CVE-2021-22898
  • CVE-2021-22901
  • CVE-2021-22922
  • CVE-2021-22923
  • CVE-2021-22924
  • CVE-2021-22925
  • CVE-2021-22926
  • CVE-2021-22945
  • CVE-2021-22946
  • CVE-2021-22947

Omniauth 2.0.4

The omniauth gem used by Supermarket has been updated from 1.9.1 to 2.0.4 to resolve CVE-2015-9284.

Redis 6.2.5

Redis has been updated from 3.0.7 to 6.2.5. This new release includes significant new capabilities and resolves the following CVEs:

  • CVE-2021-32761
  • CVE-2021-3470
  • CVE-2020-14147
  • CVE-2019-10193
  • CVE-2019-10192
  • CVE-2018-12453
  • CVE-2018-12326
  • CVE-2018-11219
  • CVE-2018-11218
  • CVE-2016-10517

OpenSSL 1.0.2za

OpenSSL has been updated from 1.0.2y to 1.0.2za to resolve CVE-2021-3712.

NodeJS Runtime Removal

Supermarket has switched from a full installation of EOL NodeJS 0.10.35 to an embedded release bundled within Ruby. This resolves a large number of CVEs and improves security by reducing the overall attack surface.

Python Runtime Removal

Removing the NodeJS runtime from Supermarket made bundling Python 2.7 as part of Supermarket unnecessary. Removing Python 2.7 also resolves multiple CVEs and improves security by reducing the overall attack surface.


Get the Build

You can download binaries directly from downloads.chef.io.

Hey Everyone,

It turns out that sometimes automation is hard. For those that got the error in the last e-mail, here's the correct release announcement content:
