author: Tim Smith <tsmith84@gmail.com> 2021-01-06 07:28:45 -0800
committer: Tim Smith <tsmith84@gmail.com> 2021-01-06 07:28:45 -0800
commit: e8a8dadb8f8f1b124f7509fc6c2f6fa0be1f7e8d
tree: 3998aa62fdf4fb917ee21f1e1b776d505701faca
parent: 8192c115d38f2bef01b1c3d18d3edeff2985149a
Add notes for 15.15 as well as previous releases
Move notes out of the branch and into master. Let's just track it all here and avoid the mess of 3 files.

Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r-- RELEASE_NOTES.md 1021
1 files changed, 616 insertions, 405 deletions
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 0952d8a5c3..e32d5535ec 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1307,6 +1307,217 @@ Several legacy Windows helpers have been deprecated as they will always return t
- Chef::Platform.supports_powershell_execution_bypass?
- Chef::Platform.windows_nano_server?
+# What's new in 15.15
+
+## Chef InSpec 4.24.8
+
+Chef InSpec has been updated from 4.22.22 to 4.24.8 with the following improvements:
+
+- An unset `HOME environment variable will not cause execution failures
+- You can use wildcards in `platform-name` and `release` in InSpec profiles
+- The support for arrays in the `WMI` resource, so it can return multiple objects
+- The `package` resource on Windows properly escapes package names
+- The `grub_conf` resource succeeds even if without a `menuentry` in the grub config
+- Loaded plugins won't try to re-load themselves
+- A new mechanism marks inputs as sensitive: true and replaces their values with `***`.
+- Use the `--no-diff` CLI option to suppress diff output for textual tests.
+- Control the order of controls in output, but not execution order, with the `--sort_results_by=none|control|file|random` CLI option.
+- Disable caching of inputs with a cache_inputs: true setting.
+
+## Chef Vault 4.1
+
+We've updated the release of `chef-vault` bundled with Chef Infra Client to 4.1. Chef Vault 4.1 properly handles escape strings in secrets and greatly improves performance for users with large numbers of secrets. Thanks for the performance work [@Annih](https://github.com/Annih)!
+
+## Resource Improvements
+
+### cron_d
+
+The `cron_d` resource now respects the use of the `sensitive` property. Thanks for this fix [@axl89](https://github.com/axl89)!
+
+### homebrew_cask
+
+The `homebrew_cask` resource has been updated to work with the latest command syntax requirements in the `brew` command. Thanks for reporting this issue [@bcg62](https://github.com/bcg62)!
+
+### locale
+
+The allowed execution time for the `locale-gen` command in the `locale` resource has been extended to 1800 seconds to make sure the Chef Infra Client run doesn't fail before the command completes on slower systems. Thanks for reporting this issue [@janskarvall](https://github.com/janskarvall)!
+
+### plist / macosx_service / osx_profile / macos_userdefaults
+
+Parsing of plist files has been improved in the `plist`, `macosx_service`, `osx_profile`, and `macos_userdefaults` resources thanks to updates to the plist gem by [@reitermarkus](https://github.com/reitermarkus) and [@tboyko](https://github.com/tboyko).
+
+## Security
+
+- The bundled Nokogiri Ruby gem has been updated to 1.11 resolve [CVE-2020-26247](https://nvd.nist.gov/vuln/detail/CVE-2020-26247).
+- openSSL has been updated to 1.0.2x to resolve [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971).
+
+# What's New In 15.14
+
+## Chef InSpec 4.22.22
+
+Chef InSpec has been updated from 4.22.1 to 4.22.22. This new release includes the following improvements:
+
+- Fix mysql_session stdout, stderr and exit_status parameters. Thanks [@ramereth](https://github.com/ramereth)!
+- Add new windows_firewall and windows_firewall_rule resources. Thanks [@tecracer-theinen](https://github.com/tecracer-theinen)!
+
+## Fixes and Improvements
+
+- The `knife ssh` command no longer hangs when connecting to Windows nodes over SSH.
+- Resolved several failures that could occur in the included chef-vault gem.
+
+## Resource Updates
+
+### hostname
+
+The `hostname` resource has been updated to improve logging on Windows systems.
+
+### windows_feature
+
+The `windows_feature` resource has been updated to allow installing features that have been removed if a source location is provided. Thanks for reporting this [@stefanwb](https://github.com/stefanwb)!
+
+### windows_font
+
+The `windows_font` resource will no longer fail on newer releases of Windows if a font is already installed. Thanks for reporting this [@bmiller08](https://github.com/bmiller08)!
+
+## Platform Packages
+
+- We are once again building Chef Infra Client packages for RHEL 7 / SLES 12 on the S390x architecture. In addition to these packages, we've also added S390x packages for SLES 15.
+- We now produce packages for Apple's upcoming macOS 11 Big Sur release.
+
+## Security
+
+### OpenSSL
+
+OpenSSL has been updated to 1.0.2w which includes a fix for [CVE-2020-1968](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1968).
+
+### CA Root Certificates
+
+The included `cacerts` bundle in Chef Infra Client has been updated to the 7-22-2020 release. This new release removes 4 legacy root certificates and adds 4 additional root certificates.
+
+# What's New In 15.13
+
+## Chef InSpec 4.22.1
+
+Chef InSpec has been updated from 4.20.6 to 4.22.1. This new release includes the following improvements:
+
+- `apt-cdrom` repositories are now skipped when parsing out the list of apt repositories
+- Faulty profiles are now reported instead of causing a crash
+- Errors are no longer logged to stdout with the `html2` reporter
+- macOS Big Sur is now correctly identified as macOS
+- macOS/BSD support added to the interface resource along with new `ipv4_address`, `ipv4_addresses`, `ipv4_addresses_netmask`, `ipv4_cidrs`, `ipv6_addresses`, and `ipv6_cidrs` properties
+
+## Fixes and Improvements
+
+- Support for legacy DSA host keys has been restored in `knife ssh` and `knife bootstrap` commands.
+- The collision warning error message when a cookbook includes a resource that now ships in Chef Infra Client has been improved to better explain the issue.
+- Package sizes have been reduced with fewer installed files on disk.
+- The `archive_file` resource now supports `pzstd` compressed files.
+
+## New Deprecations
+
+Chef Infra Client 16.2 and later require `provides` when assigning a name to a custom resource. In order to prepare for Chef Infra Client 16, make sure to include both `resource_name` and `provides` in resources when specifying a custom name.
+
+# What's New In 15.12
+
+## Chef InSpec 4.20.6
+
+Chef InSpec has been updated from 4.18.114 to 4.20.6. This new release includes the following improvements:
+
+- Develop your own Chef InSpec Reporter plugins to control how Chef InSpec will report result data.
+- The `inspec archive` command packs your profile into a `tar.gz` file that includes the profile in JSON form as the inspec.json file.
+- Certain substrings within a `.toml` file no longer cause unexpected crashes.
+- Accurate InSpec CLI input parsing for numeric values and structured data, which were previously treated as strings. Numeric values are cast to an `integer` or `float` and `YAML` or `JSON` structures are converted to a hash or an array.
+- Suppress deprecation warnings on `inspec exec` with the `--silence-deprecations` option.
+
+## Resource Updates
+
+### archive_file
+
+The `archive_file` resource has been updated with two important fixes. The resource will no longer fail with uninitialized constant errors under some scenarios. Additionally, the behavior of the `mode` property has been improved to prevent incorrect file modes from being applied to the decompressed files. Due to how file modes and Integer values are processed in Ruby, this resource will now produce a deprecation warning if integer values are passed. Using string values lets us accurately pass values such as '644' or '0644' without ambiguity as to the user's intent. Thanks for reporting these issues [@sfiggins](http://github.com/sfiggins) and [@hammerhead](http://github.com/hammerhead).
+
+### cron_access
+
+The `cron_access` resource has been updated to support Solaris and AIX systems. Thanks [@aklyachkin](http://github.com/aklyachkin).
+
+### msu_package resource improvements
+
+The `msu_package` resource has been improved to work better with Microsoft's cumulative update packages. Newer releases of these cumulative update packages will not correctly install over the previous versions. We also extended the default timeout for installing MSU packages to 60 minutes. Thanks for reporting the timeout issue [@danielfloyd](https://github.com/danielfloyd).
+
+### powershell_package
+
+The `powershell_package` resource has been updated to use TLS 1.2 when communicating with the PowerShell Gallery on Windows Server 2012-2016. Previously, this resource used the system default cipher suite which did not include TLS 1.2. The PowerShell Gallery now requires TLS 1.2 for all communication, which caused failures on Windows Server 2012-2016. Thanks for reporting this issue [@Xorima](http://github.com/Xorima).
+
+### snap_package
+
+Multiple issues with the `snap_package` resource have been resolved, including an infinite wait that occurred and issues with specifying the package version or channel. Thanks [@jaymzh](http://github.com/jaymzh).
+
+### zypper_repository
+
+The `zypper_repository` resource has been updated to work with the newer release of GPG in openSUSE 15 and SLES 15. This prevents failures when importing GPG keys in the resource.
+
+## Knife bootstrap updates
+
+- Knife bootstrap will now warn when bootstrapping a system using a validation key. Users should instead use `validatorless bootstrapping` with `knife bootstrap` which generates node and client keys using the client key of the user bootstrapping the node. This method is far more secure as an org-wide validation key does not not need to be distributed or rotated. Users can switch to `validatorless bootstrapping` by removing any `validation_key` entries in their `config.rb (knife.rb)` file.
+- Resolved an error bootstrapping Linux nodes from Windows hosts
+- Improved information messages during the bootstrap process
+
+## SSH Improvements
+
+The `net-ssh` library used by the `knife ssh` and `knife bootstrap` commands has been updated bringing improvements to SSH connectivity:
+
+- Support for additional key exchange and transport algorithms
+- Support algorithm subtraction syntax in the `ssh_config` file
+- Support empty lines and comments in `known_hosts` file
+
+## Initial macOS Big Sur Support
+
+Chef Infra Client now correctly detects macOS Big Sur (11.0) beta as being platform "mac_os_x". Chef Infra Client 15.12 has not been fully qualified for macOS Big Sur, but we will continue to validate against this release and provide any additional support updates.
+
+## Platform Packages
+
+- Debian 8 packages are no longer being produced as Debian 8 is now end-of-life.
+- We now produce Windows 8 packages
+
+# What's New In 15.11
+
+## Bootstrapping Bugfixes
+
+This release of Chef Infra Client resolves multiple issues when using `knife bootstrap` to bootstrap new nodes to a Chef Infra Server:
+
+- Bootstrapping from a Windows host to a Linux host with an ED25519 ssh key no longer fails
+- Resolved failures in the Windows bootstrap script
+- Incorrect paths when bootstrapping Windows nodes have been resolved
+
+## Chef InSpec 4.18.114
+
+Chef InSpec was updated from 4.18.104 to 4.18.114 with the following improvements:
+
+- Added new `--reporter_message_truncation` and `--reporter_backtrace_inclusion` reporter options to truncate messages and suppress backtraces.
+- Fixed a warning when an input is provided
+- Inputs and controls can now have the same name
+
+## Resource Improvements
+
+### windows_firewall
+
+The `windows_firewall` resource has been updated to support firewall rules that are associated with more than one profile. Thanks [@tecracer-theinen](https://github.com/tecracer-theinen).
+
+### chocolatey_package
+
+The `chocolatey_package` resource has been updated to properly handle quotes within the `options` property. Thanks for reporting this issue [@dave-q](https://github.com/dave-q).
+
+## Platform Support
+
+### Additional aarch64 Builds
+
+Chef Infra Client is now tested on Debian 10, SLES 15, and Ubuntu 20.04 on the aarch64 architecture with packages available on the [Chef Downloads Page](https://downloads.chef.io/chef).
+
+## Security Updates
+
+### openSSL
+
+openSSL has been updated from 1.0.2u to 1.0.2v which does not address any particular CVEs, but includes multiple security hardening updates.
+
# What's New in 15.10
## Improvements
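Review bot: In the 15.15 InSpec list, "Disable caching of inputs with a cache_inputs: true setting" reads as contradictory, since a setting named cache_inputs set to true is described as turning caching off; please confirm the intended value and put the setting in backticks. The same list has an unclosed backtick in "`HOME environment variable", an unquoted "sensitive: true", and two bullets that do not parse ("The support for arrays in the `WMI` resource, so it can return multiple objects" and "succeeds even if without a `menuentry`"). Further down, "updated to 1.11 resolve" is missing "to", the 15.14 OpenSSL link uses `name=2020-1968` without the `CVE-` prefix that the 15.15 link (`name=CVE-2020-1971`) carries, and the 15.12 knife bootstrap bullet says "does not not need". The heading "What's new in 15.15" also differs in case from "What's New In 15.14" directly below and from the existing "What's New in 15.10".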
@@ -1758,18 +1969,18 @@ Chef Infra Client will now take into account any `default` values specified in c
Several improvements have been made to the `knife bootstrap` command to make it more reliable and secure:
-* File creation is now wrapped in a umask to avoid potential race conditions
-* `NameError` and `RuntimeError` failures during bootstrap have been resolved
-* `Undefined method 'empty?' for nil:NilClass` during bootstrap have been resolved
-* Single quotes in attributes during bootstrap no longer result in bootstrap failures
-* The bootstrap command no longer appears in PS on the host while bootstrapping is running
+- File creation is now wrapped in a umask to avoid potential race conditions
+- `NameError` and `RuntimeError` failures during bootstrap have been resolved
+- `Undefined method 'empty?' for nil:NilClass` during bootstrap have been resolved
+- Single quotes in attributes during bootstrap no longer result in bootstrap failures
+- The bootstrap command no longer appears in PS on the host while bootstrapping is running
## knife supermarket list Improvements
The `knife supermarket list` command now includes two new options:
-* `--sort-by [recently_updated recently_added most_downloaded most_followed]`: Sort cookbooks returned from the Supermarket API
-* `--owned_by`: Limit returned cookbooks to a particular owner
+- `--sort-by [recently_updated recently_added most_downloaded most_followed]`: Sort cookbooks returned from the Supermarket API
+- `--owned_by`: Limit returned cookbooks to a particular owner
## Updated Resources
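Review bot: The `*` to `-` bullet conversion in this hunk (and repeated through the rest of the file) is not mentioned in the commit message, which only describes adding and moving release notes. Either call it out in the message or split it into its own commit, so the 616/405 line churn does not hide the actual content additions from anyone reading history or backporting to the release branches.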
@@ -1828,10 +2039,10 @@ The `windows_share` resource is now fully idempotent by better validating the pr
Ruby has been updated from 2.6.4 to 2.6.5 in order to resolve the following CVEs:
-* [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255): A code injection vulnerability of Shell#[] and Shell#test
-* [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254): HTTP response splitting in WEBrick (Additional fix)
-* [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845): A NUL injection vulnerability of File.fnmatch and File.fnmatch?
-* [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201): Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
+- [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255): A code injection vulnerability of Shell#[] and Shell#test
+- [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254): HTTP response splitting in WEBrick (Additional fix)
+- [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845): A NUL injection vulnerability of File.fnmatch and File.fnmatch?
+- [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201): Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
# What's New in 15.3
@@ -1879,13 +2090,13 @@ The `archive_file` resource now supports archives in the RAR 5.0 format as well
The `user` resource now supports the creation of users on macOS 10.14 and 10.15 systems. The updated resource now complies with macOS TCC policies by using a user with admin privileges to create and modify users. The following new properties have been added for macOS user creation:
-* `admin` sets a user to be an admin.
+- `admin` sets a user to be an admin.
-* `admin_username` and `admin_password` define the admin user credentials required for toggling SecureToken for a user. The value of 'admin_username' must correspond to a system user that is part of the 'admin' with SecureToken enabled in order to toggle SecureToken.
+- `admin_username` and `admin_password` define the admin user credentials required for toggling SecureToken for a user. The value of 'admin_username' must correspond to a system user that is part of the 'admin' with SecureToken enabled in order to toggle SecureToken.
-* `secure_token` is a boolean property that sets the desired state for SecureToken. FileVault requires a SecureToken for full disk encryption.
+- `secure_token` is a boolean property that sets the desired state for SecureToken. FileVault requires a SecureToken for full disk encryption.
-* `secure_token_password` is the plaintext password required to enable or disable `secure_token` for a user. If no salt is specified we assume the 'password' property corresponds to a plaintext password and will attempt to use it in place of secure_token_password if it is not set.
+- `secure_token_password` is the plaintext password required to enable or disable `secure_token` for a user. If no salt is specified we assume the 'password' property corresponds to a plaintext password and will attempt to use it in place of secure_token_password if it is not set.
#### Password property is now sensitive
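Review bot: In the re-bulleted `admin_username` line, "a system user that is part of the 'admin' with SecureToken enabled" is missing a noun after 'admin' (presumably "group"), which leaves the requirement for toggling SecureToken ambiguous. Since the line is being rewritten anyway, fix the wording and use backticks for 'admin_username' and 'password' to match the other property names in this list.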
@@ -1915,10 +2126,10 @@ Chef Infra Client is now validated against AIX 7.2 with packages now available a
Chef InSpec has been updated from 4.10.4 to 4.16.0 with the following changes:
-* A new `postfix_conf` has been added for inspecting Postfix configuration files.
-* A new `plugins` section has been added to the InSpec configuration file which can be used to pass secrets or other configurations into Chef InSpec plugins.
-* The `service` resource now includes a new `startname` property for determining which user is starting the Windows services.
-* The `groups` resource now properly gathers membership information on macOS hosts.
+- A new `postfix_conf` has been added for inspecting Postfix configuration files.
+- A new `plugins` section has been added to the InSpec configuration file which can be used to pass secrets or other configurations into Chef InSpec plugins.
+- The `service` resource now includes a new `startname` property for determining which user is starting the Windows services.
+- The `groups` resource now properly gathers membership information on macOS hosts.
## Security Updates
@@ -1975,20 +2186,20 @@ Packages will no longer be built for Ubuntu 14.04 as Canonical ended maintenance
## Ohai 15.2
Ohai has been updated to 15.2 with the following changes:
- * Improved detection of Openstack including proper detection of Windows nodes running on Openstack when fetching metadata. Thanks [@jjustice6](https://github.com/jjustice6).
- * A new `other_versions` field has been added to the Packages plugin when the node is using RPM. This allows you to see all installed versions of packages, not just the latest version. Thanks [@jjustice6](https://github.com/jjustice6).
- * The Linux Network plugin has been improved to not mark interfaces down if `stp_state` is marked as down. Thanks [@josephmilla](https://github.com/josephmilla).
- * Arch running on ARM processors is now detected as the `arm` platform. Thanks [@BackSlasher](https://github.com/BackSlasher).
+ - Improved detection of Openstack including proper detection of Windows nodes running on Openstack when fetching metadata. Thanks [@jjustice6](https://github.com/jjustice6).
+ - A new `other_versions` field has been added to the Packages plugin when the node is using RPM. This allows you to see all installed versions of packages, not just the latest version. Thanks [@jjustice6](https://github.com/jjustice6).
+ - The Linux Network plugin has been improved to not mark interfaces down if `stp_state` is marked as down. Thanks [@josephmilla](https://github.com/josephmilla).
+ - Arch running on ARM processors is now detected as the `arm` platform. Thanks [@BackSlasher](https://github.com/BackSlasher).
## Chef InSpec 4.10.4
Chef InSpec has been updated from 4.6.4 to 4.10.4 with the following changes:
-* Fix handling multiple triggers in the `windows_task` resource
-* Fix exceptions when resources are used with incompatible transports
-* Un-deprecate the `be_running` matcher on the `service` resource
-* Add resource `sys_info.manufacturer` and `sys_info.model`
-* Add `ip6tables` resource
+- Fix handling multiple triggers in the `windows_task` resource
+- Fix exceptions when resources are used with incompatible transports
+- Un-deprecate the `be_running` matcher on the `service` resource
+- Add resource `sys_info.manufacturer` and `sys_info.model`
+- Add `ip6tables` resource
## Security Updates
@@ -2030,35 +2241,35 @@ Our experimental Target Mode received a large number of updates in Chef Infra Cl
Ohai has been updated to 15.1 with the following changes:
- * The `Shard` plugin properly uses the machine's `machinename`, `serial`, and `uuid` attributes to generate the shard value. The plugin also no longer throws an exception on macOS hosts. Thanks [@michel-slm](https://github.com/michel-slm) for these fixes.
- * The `Virtualbox` plugin has been enhanced to gather information on running guests, storage, and networks when VirtualBox is installed on a node. Thanks [@freakinhippie](https://github.com/freakinhippie) for this new capability.
- * Ohai no longer fails to gather interface information on Solaris in some rare conditions. Thanks [@devoptimist](https://github.com/devoptimist) for this fix.
+ - The `Shard` plugin properly uses the machine's `machinename`, `serial`, and `uuid` attributes to generate the shard value. The plugin also no longer throws an exception on macOS hosts. Thanks [@michel-slm](https://github.com/michel-slm) for these fixes.
+ - The `Virtualbox` plugin has been enhanced to gather information on running guests, storage, and networks when VirtualBox is installed on a node. Thanks [@freakinhippie](https://github.com/freakinhippie) for this new capability.
+ - Ohai no longer fails to gather interface information on Solaris in some rare conditions. Thanks [@devoptimist](https://github.com/devoptimist) for this fix.
## Chef InSpec 4.6.4
Chef InSpec has been updated from 4.3.2 to 4.6.4 with the following changes:
- * InSpec `Attributes` have now been renamed to `Inputs` to avoid confusion with Chef Infra attributes.
- * A new InSpec plugin type of `Input` has been added for defining new input types. See the [InSpec Plugins documentation](https://github.com/inspec/inspec/blob/master/docs/dev/plugins.md#implementing-input-plugins) for more information on writing these plugins.
- * InSpec no longer prints errors to the stdout when passing `--format json`.
- * When fetching profiles from GitHub, the URL can now include periods.
- * The performance of InSpec startup has been improved.
+ - InSpec `Attributes` have now been renamed to `Inputs` to avoid confusion with Chef Infra attributes.
+ - A new InSpec plugin type of `Input` has been added for defining new input types. See the [InSpec Plugins documentation](https://github.com/inspec/inspec/blob/master/docs/dev/plugins.md#implementing-input-plugins) for more information on writing these plugins.
+ - InSpec no longer prints errors to the stdout when passing `--format json`.
+ - When fetching profiles from GitHub, the URL can now include periods.
+ - The performance of InSpec startup has been improved.
# What's New in 15.0.300
This release includes critical bugfixes for the 15.0 release:
- * Fix `knife bootstrap` over SSH when `requiretty` is configured on the host.
- * Added the `--chef-license` CLI flag to `chef-apply` and `chef-solo` commands.
+ - Fix `knife bootstrap` over SSH when `requiretty` is configured on the host.
+ - Added the `--chef-license` CLI flag to `chef-apply` and `chef-solo` commands.
# What's New in 15.0.298
This release includes critical bugfixes for the 15.0 release:
- * Allow accepting the license on non-interactive Windows sessions
- * Resolve license acceptance failures on Windows 2012 R2
- * Improve some `knife` and `chef-client` help text
- * Properly handle session_timeout default value in `knife bootstrap`
- * Avoid failures due to Train::Transports::SSHFailed class not being loaded in `knife bootstrap`
- * Resolve failures using the ca_trust_file option with `knife bootstrap`
+ - Allow accepting the license on non-interactive Windows sessions
+ - Resolve license acceptance failures on Windows 2012 R2
+ - Improve some `knife` and `chef-client` help text
+ - Properly handle session_timeout default value in `knife bootstrap`
+ - Avoid failures due to Train::Transports::SSHFailed class not being loaded in `knife bootstrap`
+ - Resolve failures using the ca_trust_file option with `knife bootstrap`
# What's New in 15.0.293
@@ -2070,10 +2281,10 @@ Chef Client has a new name, but don't worry, it's the same Chef Client you've gr
Chef Infra Client requires an EULA to be accepted by users before it can run. Users can accept the EULA in a variety of ways:
-* `chef-client --chef-license accept`
-* `chef-client --chef-license accept-no-persist`
-* `CHEF_LICENSE="accept" chef-client`
-* `CHEF_LICENSE="accept-no-persist" chef-client`
+- `chef-client --chef-license accept`
+- `chef-client --chef-license accept-no-persist`
+- `CHEF_LICENSE="accept" chef-client`
+- `CHEF_LICENSE="accept-no-persist" chef-client`
Finally, if users run `chef-client` without any of these options, they will receive an interactive prompt asking for license acceptance. If the license is accepted, a marker file will be written to the filesystem unless `accept-no-persist` is specified. Once this marker file is persisted, users no longer need to set any of these flags.
@@ -2192,7 +2403,7 @@ The `windows_task` resource now supports the Start When Available option with a
### locale
-The `locale` resource now allows setting all possible LC_* environmental variables.
+The `locale` resource now allows setting all possible LC_- environmental variables.
### directory
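Review bot: The replacement line changes `LC_*` to `LC_-`, which looks like a side effect of the bulk `*` to `-` bullet conversion rather than an intended edit; here the asterisk is a wildcard over the locale variables, not a list marker. Revert the line to "all possible LC_* environmental variables" and consider wrapping `LC_*` in backticks so a future find-and-replace does not touch it again.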
@@ -2487,14 +2698,14 @@ The `windows_task` resource now supports the Start When Available option with a
Chef Infra Client is now tested against the following platforms with packages available on [downloads.chef.io](https://downloads.chef.io):
-* Ubuntu 20.04
-* Ubuntu 18.04 aarch64
-* Debian 10
+- Ubuntu 20.04
+- Ubuntu 18.04 aarch64
+- Debian 10
### Retired Platforms
-* Chef Infra Clients packages are no longer produced for Windows 2008 R2 as this release reached its end of life on Jan 14th, 2020.
-* Chef Infra Client packages are no longer produced for RHEL 6 on the s390x platform.
+- Chef Infra Clients packages are no longer produced for Windows 2008 R2 as this release reached its end of life on Jan 14th, 2020.
+- Chef Infra Client packages are no longer produced for RHEL 6 on the s390x platform.
## Security Updates
@@ -2506,16 +2717,16 @@ OpenSSL has been updated to 1.0.2u to resolve [CVE-2019-1551](https://cve.mitre.
Ruby has been updated from 2.5.7 to 2.5.8 to resolve the following CVEs:
-* [CVE-2020-16255](https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/): Unsafe Object Creation Vulnerability in JSON (Additional fix)
-* [CVE-2020-10933](https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/): Heap exposure vulnerability in the socket library
+- [CVE-2020-16255](https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/): Unsafe Object Creation Vulnerability in JSON (Additional fix)
+- [CVE-2020-10933](https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/): Heap exposure vulnerability in the socket library
# What's New in 14.14.29
## Bug Fixes
-* Fixed an error with the `service` and `systemd_unit` resources which would try to re-enable services with an indirect status.
-* The `systemd_unit` resource now logs at the info level.
-* Fixed knife config when it returned a `TypeError: no implicit conversion of nil into String` error.
+- Fixed an error with the `service` and `systemd_unit` resources which would try to re-enable services with an indirect status.
+- The `systemd_unit` resource now logs at the info level.
+- Fixed knife config when it returned a `TypeError: no implicit conversion of nil into String` error.
## Security Updates
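Review bot: The first bullet's link text reads CVE-2020-16255, but its URL is the ruby-lang.org advisory ending in `json-dos-cve-2020-10663`, so the label and the target disagree. Readers matching this release against a scanner finding will search on the label; since the line is being touched, make the label match the advisory the URL points to, or correct the URL if the label is what was meant.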
@@ -2527,14 +2738,14 @@ libxslt has been updated to 1.1.34 to resolve [CVE-2019-13118](https://nvd.nist.
## Bug Fixes
-* Resolved a regression introduced in Chef Infra Client 14.14.14 that broke installation of gems in some scenarios
-* Fixed Habitat packaging of `chef-client` artifacts
-* Fixed crash in knife when displaying a missing profile error message
-* Fixed knife subcommand --help not working as intended for some commands
-* Fixed knife ssh interactive mode exit error
-* Fixed for `:day` option not accepting integer value in the `windows_task` resource
-* Fixed for `user` resource not handling a GID if it is specified as a string
-* Fixed the `ifconfig` resource to support interfaces with a `-` in the name
+- Resolved a regression introduced in Chef Infra Client 14.14.14 that broke installation of gems in some scenarios
+- Fixed Habitat packaging of `chef-client` artifacts
+- Fixed crash in knife when displaying a missing profile error message
+- Fixed knife subcommand --help not working as intended for some commands
+- Fixed knife ssh interactive mode exit error
+- Fixed for `:day` option not accepting integer value in the `windows_task` resource
+- Fixed for `user` resource not handling a GID if it is specified as a string
+- Fixed the `ifconfig` resource to support interfaces with a `-` in the name
## What's New in 14.14.14
@@ -2544,20 +2755,20 @@ libxslt has been updated to 1.1.34 to resolve [CVE-2019-13118](https://nvd.nist.
The following platforms are now packaged and tested for Chef Infra Client:
-* Red Hat 8
-* FreeBSD 12
-* macOS 10.15
-* Windows 2019
-* AIX 7.2
+- Red Hat 8
+- FreeBSD 12
+- macOS 10.15
+- Windows 2019
+- AIX 7.2
### Deprecated Platforms
The following platforms have reached EOL status and are no longer packaged or tested for Chef Infra Client:
-* FreeBSD 10
-* macOS 10.12
-* SUSE Linux Enterprise Server (SLES) 11
-* Ubuntu 14.04
+- FreeBSD 10
+- macOS 10.12
+- SUSE Linux Enterprise Server (SLES) 11
+- Ubuntu 14.04
See Chef's [Platform End-of-Life Policy](https://docs.chef.io/platforms.html#platform-end-of-life-policy) for more information on when Chef ends support for an OS release.
@@ -2604,8 +2815,8 @@ end
### New Options for installing Ruby Gems From metadata.rb
Chef Infra Client allows gems to be specified in the cookbook metadata.rb, which can be problematic in some environments. When a cookbook is running in an airgapped environment, Chef Infra Client attempts to connect to rubygems.org even if the gem is already on the system. There are now two additional configuration options that can be set in your `client.rb` config:
- * `gem_installer_bundler_options`: This allows setting additional bundler options for the install such as --local to install from local cache. Example: ["--local", "--clean"].
- * `skip_gem_metadata_installation`: If set to true skip gem metadata installation if all gems are already installed.
+ - `gem_installer_bundler_options`: This allows setting additional bundler options for the install such as --local to install from local cache. Example: ["--local", "--clean"].
+ - `skip_gem_metadata_installation`: If set to true skip gem metadata installation if all gems are already installed.
### SLES / openSUSE 15 detection
@@ -2625,12 +2836,12 @@ Knife now fails with a descriptive error message when attempting to bootstrap no
Ruby has been updated from 2.5.5 to 2.5.7 in order to resolve the following CVEs:
-* [CVE-2012-6708](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708)
-* [CVE-2015-9251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
-* [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845).
-* [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
-* [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254).
-* [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255).
+- [CVE-2012-6708](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708)
+- [CVE-2015-9251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
+- [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845).
+- [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
+- [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254).
+- [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255).
### openssl
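Review bot: on the `+` lines for CVE-2019-16201 and CVE-2019-15845 the link text and the URL disagree: the CVE-2019-16201 entry links to `name=CVE-2019-15845` and the CVE-2019-15845 entry links to `name=CVE-2015-9251`. The mismatch is carried over unchanged from the `-` lines; since these lines are being rewritten anyway, point each URL at the CVE named in its link text so that readers checking their exposure land on the right advisory. The trailing period is present on five of the entries and missing on the first; pick one form.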
@@ -2678,8 +2889,8 @@ The `CHEF-25` deprecation for resource collisions between cookbooks and resource
## Updated Components
-* openssl 1.0.2r -> 1.0.2s (bugfix only release)
-* cacerts 2019-01-23 -> 2019-05-15
+- openssl 1.0.2r -> 1.0.2s (bugfix only release)
+- cacerts 2019-01-23 -> 2019-05-15
# What's New in 14.12.9
@@ -2689,9 +2900,9 @@ In preparation for Chef Infra Client 15.0 we've added a placeholder `--chef-lice
## Important Bug Fixes
-* Blacklisting and whitelisting default and override level attributes is once again possible.
-* You may now encrypt a previously unencrypted data bag.
-* Resolved a regression introduced in Chef Infra Client 14.12.3 that resulted in errors when managing Windows services
+- Blacklisting and whitelisting default and override level attributes is once again possible.
+- You may now encrypt a previously unencrypted data bag.
+- Resolved a regression introduced in Chef Infra Client 14.12.3 that resulted in errors when managing Windows services
# What's New in 14.12.3
@@ -2707,10 +2918,10 @@ The windows_certificate resource now imports nested certificates while importing
## Updated Components
-* nokogiri 1.10.1 -> 1.10.2
-* ruby 2.5.3 -> 2.5.5
-* InSpec 3.7.1 -> 3.9.0
-* The unused windows-api gem is no longer bundled with Chef on Windows hosts
+- nokogiri 1.10.1 -> 1.10.2
+- ruby 2.5.3 -> 2.5.5
+- InSpec 3.7.1 -> 3.9.0
+- The unused windows-api gem is no longer bundled with Chef on Windows hosts
# What's New in 14.11
@@ -2746,9 +2957,9 @@ InSpec has been updated from 3.4.1 to 3.7.1. This new release contains improveme
## Updated Components
-* bundler 1.16.1 -> 1.17.3
-* libxml2 2.9.7 -> 2.9.9
-* ca-certs updated to 2019-01-22 for new roots
+- bundler 1.16.1 -> 1.17.3
+- libxml2 2.9.7 -> 2.9.9
+- ca-certs updated to 2019-01-22 for new roots
## Security Updates
@@ -2760,12 +2971,12 @@ OpenSSL has been updated to 1.0.2r in order to resolve [CVE-2019-1559](https://c
RubyGems has been updated to 2.7.9 in order to resolve the following CVEs:
-* [CVE-2019-8320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320): Delete directory using symlink when decompressing tar
-* [CVE-2019-8321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321): Escape sequence injection vulnerability in verbose
-* [CVE-2019-8322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322): Escape sequence injection vulnerability in gem owner
-* [CVE-2019-8323](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323): Escape sequence injection vulnerability in API response handling
-* [CVE-2019-8324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324): Installing a malicious gem may lead to arbitrary code execution
-* [CVE-2019-8325](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325): Escape sequence injection vulnerability in errors
+- [CVE-2019-8320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320): Delete directory using symlink when decompressing tar
+- [CVE-2019-8321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321): Escape sequence injection vulnerability in verbose
+- [CVE-2019-8322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322): Escape sequence injection vulnerability in gem owner
+- [CVE-2019-8323](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323): Escape sequence injection vulnerability in API response handling
+- [CVE-2019-8324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324): Installing a malicious gem may lead to arbitrary code execution
+- [CVE-2019-8325](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325): Escape sequence injection vulnerability in errors
# What's New in 14.10
@@ -2932,12 +3143,12 @@ BSD-based systems can now detect guests running on KVM and Amazon's hypervisor w
### New Platform Support
-* Ohai now properly detects the openSUSE 15.X platform. Thank you [@megamorf](https://github.com/megamorf) for reporting this issue.
-* SUSE Linux Enterprise Desktop now identified as platform_family 'suse'
-* XCP-NG is now identified as platform 'xcp' and platform_family 'rhel'. Thank you [@heyjodom](http://github.com/heyjodom) for submitting this enhancement.
-* Mangeia Linux is now identified as platform 'mangeia' and platform_family 'mandriva'
-* Antergos Linux now identified as platform_family 'arch'
-* Manjaro Linux now identified as platform_family 'arch'
+- Ohai now properly detects the openSUSE 15.X platform. Thank you [@megamorf](https://github.com/megamorf) for reporting this issue.
+- SUSE Linux Enterprise Desktop now identified as platform_family 'suse'
+- XCP-NG is now identified as platform 'xcp' and platform_family 'rhel'. Thank you [@heyjodom](http://github.com/heyjodom) for submitting this enhancement.
+- Mangeia Linux is now identified as platform 'mangeia' and platform_family 'mandriva'
+- Antergos Linux now identified as platform_family 'arch'
+- Manjaro Linux now identified as platform_family 'arch'
## Security Updates
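Review bot: the `+` line for XCP-NG links the contributor as `http://github.com/heyjodom` while the openSUSE line in the same list uses `https://github.com/megamorf`; switch the XCP-NG link to `https://` so the notes do not ship a plain-HTTP link.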
@@ -2945,8 +3156,8 @@ BSD-based systems can now detect guests running on KVM and Amazon's hypervisor w
OpenSSL has been updated to 1.0.2q in order to resolve:
-* Microarchitecture timing vulnerability in ECC scalar multiplication [CVE-2018-5407](https://nvd.nist.gov/vuln/detail/CVE-2018-5407)
-* Timing vulnerability in DSA signature generation ([CVE-2018-0734](https://nvd.nist.gov/vuln/detail/CVE-2018-0734))
+- Microarchitecture timing vulnerability in ECC scalar multiplication [CVE-2018-5407](https://nvd.nist.gov/vuln/detail/CVE-2018-5407)
+- Timing vulnerability in DSA signature generation ([CVE-2018-0734](https://nvd.nist.gov/vuln/detail/CVE-2018-0734))
# What's New in 14.7
@@ -3052,12 +3263,12 @@ Chef is now tested against macOS Mojave, and packages are now available at downl
## Important Bugfixes
-* Multiple bugfixes in Chef Vault have been resolved by updating chef-vault to 3.4.2
-* Invalid yum package names now gracefully fail
-* `windows_ad_join` now properly executes. Thank you [@cpjones01](https://github.com/cpjones01) for reporting this.
-* `rhsm_errata_level` now properly executes. Thank you [@freakinhippie](https://github.com/freakinhippie) for this fix.
-* `registry_key` now properly writes out the correct value when `sensitive` is specified. Thank you [@josh-barker](https://github.com/josh-barker) for this fix.
-* `locale` now properly executes on RHEL 6 and Amazon Linux 201X.
+- Multiple bugfixes in Chef Vault have been resolved by updating chef-vault to 3.4.2
+- Invalid yum package names now gracefully fail
+- `windows_ad_join` now properly executes. Thank you [@cpjones01](https://github.com/cpjones01) for reporting this.
+- `rhsm_errata_level` now properly executes. Thank you [@freakinhippie](https://github.com/freakinhippie) for this fix.
+- `registry_key` now properly writes out the correct value when `sensitive` is specified. Thank you [@josh-barker](https://github.com/josh-barker) for this fix.
+- `locale` now properly executes on RHEL 6 and Amazon Linux 201X.
## Ohai 14.6
@@ -3085,16 +3296,16 @@ The system_profile plugin will be removed from Chef/Ohai 15 in April 2019. This
Ruby has been updated to from 2.5.1 to 2.5.3 to resolve multiple CVEs and bugs:
-* [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/)
-* [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/)
+- [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/)
+- [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/)
# What's New in 14.5.33
This release resolves a regression that caused the ``windows_ad_join`` resource to fail to run. It also makes the following additional fixes:
-* The ``ohai`` resource's unused ``ohai_name`` property has been deprecated. This will be removed in Chef Infra Client 15.0.
-* Error messages in the ``windows_feature`` resources have been improved.
-* The ``windows_service`` resource will no longer log potentially sensitive information if the ``sensitive`` property is used.
+- The ``ohai`` resource's unused ``ohai_name`` property has been deprecated. This will be removed in Chef Infra Client 15.0.
+- Error messages in the ``windows_feature`` resources have been improved.
+- The ``windows_service`` resource will no longer log potentially sensitive information if the ``sensitive`` property is used.
Thanks to @cpjones01, @kitforbes, and @dgreeninger for their help with this release.
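Review bot: the three `+` bullets keep double backticks (``ohai``, ``ohai_name``, ``windows_feature``, ``windows_service``, ``sensitive``) while the rest of the file uses single backticks for inline code; convert them in the same pass as the bullet markers. The context line at the top of the hunk also reads "updated to from 2.5.1 to 2.5.3" and could drop the stray "to" while this section is being touched.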
@@ -3132,11 +3343,11 @@ Thanks [@derekgroh](https://github.com/derekgroh) for contributing this new prop
InSpec has been updated from 2.2.70 to 2.2.102. This new version includes the following improvements:
-* Support for using ERB templating within the .yml files
-* HTTP basic auth support for fetching dependent profiles
-* A new global attributes concept
-* Better error handling with Automate reporting
-* Vendor command now vendors profiles when using path://
+- Support for using ERB templating within the .yml files
+- HTTP basic auth support for fetching dependent profiles
+- A new global attributes concept
+- Better error handling with Automate reporting
+- Vendor command now vendors profiles when using path://
## Ohai 14.5
@@ -3266,8 +3477,8 @@ Thank you [@dbresson](https://github.com/dbresson) for this contribution.
OpenSSL updated to 1.0.2p to resolve:
-* Client DoS due to large DH parameter ([CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732))
-* Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737))
+- Client DoS due to large DH parameter ([CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732))
+- Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737))
# What's New in 14.3
@@ -3287,13 +3498,13 @@ Use the chocolatey_config resource to add or remove Chocolatey configuration key
#### Actions
-* `set` * Sets a Chocolatey config value.
-* `unset` * Unsets a Chocolatey config value.
+- `set` - Sets a Chocolatey config value.
+- `unset` - Unsets a Chocolatey config value.
#### Properties
-* `config_key` * The name of the config. We'll use the resource's name if this isn't provided.
-* `value` * The value to set.
+- `config_key` - The name of the config. We'll use the resource's name if this isn't provided.
+- `value` - The value to set.
### chocolatey_source
@@ -3301,15 +3512,15 @@ Use the chocolatey_source resource to add or remove Chocolatey sources.
#### Actions
-* `add` * Adds a Chocolatey source.
-* `remove` * Removes a Chocolatey source.
+- `add` - Adds a Chocolatey source.
+- `remove` - Removes a Chocolatey source.
#### Properties
-* `source_name` * The name of the source to add. We'll use the resource's name if this isn't provided.
-* `source` * The source URL.
-* `bypass_proxy` * Whether or not to bypass the system's proxy settings to access the source.
-* `priority` * The priority level of the source.
+- `source_name` - The name of the source to add. We'll use the resource's name if this isn't provided.
+- `source` - The source URL.
+- `bypass_proxy` - Whether or not to bypass the system's proxy settings to access the source.
+- `priority` - The priority level of the source.
### powershell_package_source
@@ -3317,18 +3528,18 @@ Use the `powershell_package_source` resource to register a PowerShell package re
### Actions
-* `register` * Registers and updates the PowerShell package source.
-* `unregister` * Unregisters the PowerShell package source.
+- `register` - Registers and updates the PowerShell package source.
+- `unregister` - Unregisters the PowerShell package source.
#### Properties
-* `source_name` * The name of the package source.
-* `url` * The URL to the package source.
-* `trusted` * Whether or not to trust packages from this source.
-* `provider_name` * The package management provider for the source. It supports the following providers: 'Programs', 'msi', 'NuGet', 'msu', 'PowerShellGet', 'psl' and 'chocolatey'.
-* `publish_location` * The URL where modules will be published to for this source. Only valid if the provider is 'PowerShellGet'.
-* `script_source_location` * The URL where scripts are located for this source. Only valid if the provider is 'PowerShellGet'.
-* `script_publish_location` * The location where scripts will be published to for this source. Only valid if the provider is 'PowerShellGet'.
+- `source_name` - The name of the package source.
+- `url` - The URL to the package source.
+- `trusted` - Whether or not to trust packages from this source.
+- `provider_name` - The package management provider for the source. It supports the following providers: 'Programs', 'msi', 'NuGet', 'msu', 'PowerShellGet', 'psl' and 'chocolatey'.
+- `publish_location` - The URL where modules will be published to for this source. Only valid if the provider is 'PowerShellGet'.
+- `script_source_location` - The URL where scripts are located for this source. Only valid if the provider is 'PowerShellGet'.
+- `script_publish_location` - The location where scripts will be published to for this source. Only valid if the provider is 'PowerShellGet'.
### kernel_module
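Review bot: the `### Actions` context line at the top of this hunk is at the same heading level as the resource headings around it (`### kernel_module`), whereas `#### Properties` a few lines below and the Actions headings of the other resources use four hashes. Change it to `#### Actions` so the section nests under `powershell_package_source` in the rendered outline.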
@@ -3336,17 +3547,17 @@ Use the kernel_module resource to manage kernel modules on Linux systems. This r
#### Actions
-* `install` * Load kernel module, and ensure it loads on reboot.
-* `uninstall` * Unload a kernel module and remove module config, so it doesn't load on reboot.
-* `blacklist` * Blacklist a kernel module.
-* `load` * Load a kernel module.
-* `unload` * Unload kernel module
+- `install` - Load kernel module, and ensure it loads on reboot.
+- `uninstall` - Unload a kernel module and remove module config, so it doesn't load on reboot.
+- `blacklist` - Blacklist a kernel module.
+- `load` - Load a kernel module.
+- `unload` - Unload kernel module
#### Properties
-* `modname` * The name of the kernel module.
-* `load_dir` * The directory to load modules from.
-* `unload_dir` * The modprobe.d directory.
+- `modname` - The name of the kernel module.
+- `load_dir` - The directory to load modules from.
+- `unload_dir` - The modprobe.d directory.
### ssh_known_hosts_entry
@@ -3354,21 +3565,21 @@ Use the ssh_known_hosts_entry resource to add an entry for the specified host in
#### Actions
-* `create` * Create an entry in the ssh_known_hosts file.
-* `flush` * Immediately flush the entries to the config file. Without this the actual writing of the file is delayed in the Chef run so all entries can be accumulated before writing the file out.
+- `create` - Create an entry in the ssh_known_hosts file.
+- `flush` - Immediately flush the entries to the config file. Without this the actual writing of the file is delayed in the Chef run so all entries can be accumulated before writing the file out.
#### Properties
-* `host` * The host to add to the known hosts file.
-* `key` * An optional key for the host. If not provided this will be automatically determined.
-* `key_type` * The type of key to store.
-* `port` * The server port that the ssh-keyscan command will use to gather the public key.
-* `timeout` * The timeout in seconds for ssh-keyscan.
-* `mode` * The file mode for the ssh_known_hosts file.
-* `owner`* The file owner for the ssh_known_hosts file.
-* `group` * The file group for the ssh_known_hosts file.
-* `hash_entries` * Hash the hostname and addresses in the ssh_known_hosts file for privacy.
-* `file_location` * The location of the ssh known hosts file. Change this to set a known host file for a particular user.
+- `host` - The host to add to the known hosts file.
+- `key` - An optional key for the host. If not provided this will be automatically determined.
+- `key_type` - The type of key to store.
+- `port` - The server port that the ssh-keyscan command will use to gather the public key.
+- `timeout` - The timeout in seconds for ssh-keyscan.
+- `mode` - The file mode for the ssh_known_hosts file.
+- `owner`- The file owner for the ssh_known_hosts file.
+- `group` - The file group for the ssh_known_hosts file.
+- `hash_entries` - Hash the hostname and addresses in the ssh_known_hosts file for privacy.
+- `file_location` - The location of the ssh known hosts file. Change this to set a known host file for a particular user.
## New `knife config get` command
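Review bot: the `+` line for `owner` reads "`owner`- The file owner ..." with no space before the separator, unlike every other property in the list (`group` - ..., `mode` - ...). The missing space was already present in the `-` line; add it here so the entry is formatted like the rest.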
@@ -3394,14 +3605,14 @@ You can also pass specific keys to only display those `knife config get node_nam
The following helper methods have been deprecated in favor of the single shell_out helper:
-* `shell_out_with_systems_locale`
-* `shell_out_with_timeout`
-* `shell_out_compact`
-* `shell_out_compact_timeout`
-* `shell_out_with_systems_locale!`
-* `shell_out_with_timeout!`
-* `shell_out_compact!`
-* `shell_out_compact_timeout!`
+- `shell_out_with_systems_locale`
+- `shell_out_with_timeout`
+- `shell_out_compact`
+- `shell_out_compact_timeout`
+- `shell_out_with_systems_locale!`
+- `shell_out_with_timeout!`
+- `shell_out_compact!`
+- `shell_out_compact_timeout!`
The functionality of `shell_out_with_systems_locale` has been implemented using the `default_env: false` option that removes the PATH and locale mangling that has been the default behavior of `shell_out`.
@@ -3431,9 +3642,9 @@ provisioner:
solo_rb:
treat_deprecation_warnings_as_errors: true
silence_deprecation_warnings:
- * deploy_resource
- * chef-23
- * recipes/install.rb:22
+ - deploy_resource
+ - chef-23
+ - recipes/install.rb:22
```
You can also silence deprecations using a comment on the line that is raising the warning:
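Review bot: the three entries under `silence_deprecation_warnings:` sit inside a fenced YAML example, so changing `*` to `-` here edits a sample config rather than markdown bullets. `-` is the YAML sequence marker, so the new lines read correctly; please confirm the entries are still indented under the key in the file, and mention in the commit message that a config sample was corrected, since the message only describes adding and moving notes.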
@@ -3446,12 +3657,12 @@ We advise caution in the use of this feature, as excessive or prolonged silencin
## Misc Windows improvements
-* A new `skip_publisher_check` property has been added to the `powershell_package` resource
-* `windows_feature_powershell` now supports Windows 2008 R2
-* The `mount` resource now supports the `mount_point` property on Windows
-* `windows_feature_dism` no longer errors when specifying the source
-* Resolved idempotency issues in the `windows_task` resource and prevented setting up a task with bad credentials
-* `windows_service` no longer throws Ruby deprecation warnings
+- A new `skip_publisher_check` property has been added to the `powershell_package` resource
+- `windows_feature_powershell` now supports Windows 2008 R2
+- The `mount` resource now supports the `mount_point` property on Windows
+- `windows_feature_dism` no longer errors when specifying the source
+- Resolved idempotency issues in the `windows_task` resource and prevented setting up a task with bad credentials
+- `windows_service` no longer throws Ruby deprecation warnings
## Newly Introduced Deprecations
@@ -3500,18 +3711,18 @@ Ohai now detects the virtualization hypervisor `amazonec2` when running on Amazo
This release resolves a number of regressions in 14.1.1:
-* `git` resource: don't use `--prune-tags` as it's really new.
-* `rhsm_repo` resource: now works
-* `apt_repository` resource: use the `repo_name` property to name files
-* `windows_task` resource: properly handle commands with arguments
-* `windows_task` resource: handle creating tasks as the SYSTEM user
-* `remote_directory` resource: restore the default for the `overwrite` property
+- `git` resource: don't use `--prune-tags` as it's really new.
+- `rhsm_repo` resource: now works
+- `apt_repository` resource: use the `repo_name` property to name files
+- `windows_task` resource: properly handle commands with arguments
+- `windows_task` resource: handle creating tasks as the SYSTEM user
+- `remote_directory` resource: restore the default for the `overwrite` property
## Ohai 14.1.3
-* Properly detect FIPS environments
-* `shard` plugin: work in FIPS compliant environments
-* `filesystem` plugin: Handle BSD platforms
+- Properly detect FIPS environments
+- `shard` plugin: work in FIPS compliant environments
+- `filesystem` plugin: Handle BSD platforms
# What's New in 14.1.1
@@ -3535,19 +3746,19 @@ The `ignore_failure` property takes a new argument, `:quiet`, to suppress the er
## This release of Chef Client 14 resolves a number of regressions in 14.0
-* On Windows, the installer now correctly re-extracts files during repair mode
-* Fix a number of issues relating to use with Red Hat Satellite
-* Git fetch now prunes remotes before running
-* Fix locking and unlocking packages with apt and zypper
-* Ensure we don't request every remote file when running with lazy loading enabled
-* The sysctl resource correctly handles missing keys when used with `ignore_error`
-* --recipe-url apparently never worked on Windows. Now it does.
+- On Windows, the installer now correctly re-extracts files during repair mode
+- Fix a number of issues relating to use with Red Hat Satellite
+- Git fetch now prunes remotes before running
+- Fix locking and unlocking packages with apt and zypper
+- Ensure we don't request every remote file when running with lazy loading enabled
+- The sysctl resource correctly handles missing keys when used with `ignore_error`
+- --recipe-url apparently never worked on Windows. Now it does.
## Security Updates
### ffi Gem
-* CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS
+- CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS
# Ohai Release Notes 14.1:
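Review bot: the `+` line for CVE-2018-1000201 under "ffi Gem" is a bare identifier, while the other security entries in this patch link the CVE to its MITRE or NVD record; add the link so the entry can be followed like the rest. In the regressions list, `--recipe-url` is also unformatted and would read better in backticks.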
@@ -3567,10 +3778,10 @@ A new plugin to enumerate SCSI devices has been added. This plugin is optional.
This release of Chef 14 resolves several regressions in the Chef 14.0 release.
-* Resources contained in cookbooks would be used instead of built-in Chef client resources causing older resources to run
-* Resources failed due to a missing `property_is_set?` and `resources` methods
-* `yum_package` changed the order of `disablerepo` and `enablerepo` options
-* Depsolving large numbers of cookbooks with chef zero/local took a very long time
+- Resources contained in cookbooks would be used instead of built-in Chef client resources causing older resources to run
+- Resources failed due to a missing `property_is_set?` and `resources` methods
+- `yum_package` changed the order of `disablerepo` and `enablerepo` options
+- Depsolving large numbers of cookbooks with chef zero/local took a very long time
# What's New in 14.0
@@ -3788,9 +3999,9 @@ The `sensitive` property can now be used in `registry_key` to suppress the outpu
`systemd_unit` includes the following new actions:
-* `preset` * Restore the preset enable/disable configuration for a unit
-* `revert` * Revert to a vendor's version of a unit file
-* `reenable` * Reenable a unit file
+- `preset` - Restore the preset enable/disable configuration for a unit
+- `revert` - Revert to a vendor's version of a unit file
+- `reenable` - Reenable a unit file
Thanks @nathwill for these new actions.
@@ -3798,9 +4009,9 @@ Thanks @nathwill for these new actions.
`windows_service` now includes actions for fully managing services on Windows, in addition to the previous actions for starting/stopping/enabling services.
-* `create` * Create a new service
-* `delete` * Delete an existing service
-* `configure` * Reconfigure an existing service
+- `create` - Create a new service
+- `delete` - Delete an existing service
+- `configure` - Reconfigure an existing service
Thanks @jasonwbarnett for these new actions
@@ -3818,9 +4029,9 @@ Ohai has been expanded to collect more information than ever. This should make w
The kernel plugin now reports the following information on Windows:
-* `node['kernel']['product_type']` * Workstation vs. Server editions of Windows
-* `node['kernel']['system_type']` * What kind of hardware are we installed on (Desktop, Mobile, Workstation, Enterprise Server, etc.)
-* `node['kernel']['server_core']` * Are we on Windows Server Core edition?
+- `node['kernel']['product_type']` - Workstation vs. Server editions of Windows
+- `node['kernel']['system_type']` - What kind of hardware are we installed on (Desktop, Mobile, Workstation, Enterprise Server, etc.)
+- `node['kernel']['server_core']` - Are we on Windows Server Core edition?
### Cloud Detection
@@ -3902,13 +4113,13 @@ OpenSSL has been updated to 1.0.2o to resolve [CVE-2018-0739](https://cve.mitre.
Ruby has been updated to 2.5.1 to resolve the following vulnerabilities:
-* [cve-2017-17742](https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/)
-* [cve-2018-6914](https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/)
-* [cve-2018-8777](https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/)
-* [cve-2018-8778](https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/)
-* [cve-2018-8779](https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/)
-* [cve-2018-8780](https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/)
-* [Multiple vulnerabilities in rubygems](https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/)
+- [cve-2017-17742](https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/)
+- [cve-2018-6914](https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/)
+- [cve-2018-8777](https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/)
+- [cve-2018-8778](https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/)
+- [cve-2018-8779](https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/)
+- [cve-2018-8780](https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/)
+- [Multiple vulnerabilities in rubygems](https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/)
## Breaking Changes
@@ -3928,11 +4139,11 @@ Support for Windows 2003 has been removed from both Chef and Ohai, improving the
### knife deprecations
-* `knife bootstrap` options `--distro` and `--template_file` flags were deprecated in Chef 12 and have now been removed.
-* `knife help` functionality that read legacy Chef manpages has been removed as the manpages had not been updated and were often quite wrong. Running knife help will now simply show the help menu.
-* `knife index rebuild` has been removed as reindexing Chef Server was only necessary on releases prior to Chef Server 11.
-* The `knife ssh --identity-file` flag was deprecated and has been removed. Users should use the `--ssh_identity_file` flag instead.
-* `knife ssh csshx` was deprecated in Chef 10 and has been removed. Users should use `knife ssh cssh` instead.
+- `knife bootstrap` options `--distro` and `--template_file` flags were deprecated in Chef 12 and have now been removed.
+- `knife help` functionality that read legacy Chef manpages has been removed as the manpages had not been updated and were often quite wrong. Running knife help will now simply show the help menu.
+- `knife index rebuild` has been removed as reindexing Chef Server was only necessary on releases prior to Chef Server 11.
+- The `knife ssh --identity-file` flag was deprecated and has been removed. Users should use the `--ssh_identity_file` flag instead.
+- `knife ssh csshx` was deprecated in Chef 10 and has been removed. Users should use `knife ssh cssh` instead.
### Chef Solo `-r` flag
@@ -3958,11 +4169,11 @@ The original name for the `ignore_failure` property in resource was `epic_fail`.
Several legacy mixins mostly used in older HWRPs have been removed. Usage of these mixins has resulted in deprecation warnings for several years and they are rarely used in cookbooks available on the Supermarket.
-* Chef::Mixin::LanguageIncludeAttribute
-* Chef::Mixin::RecipeDefinitionDSLCore
-* Chef::Mixin::LanguageIncludeRecipe
-* Chef::Mixin::Language
-* Chef::DSL::Recipe::FullDSL
+- Chef::Mixin::LanguageIncludeAttribute
+- Chef::Mixin::RecipeDefinitionDSLCore
+- Chef::Mixin::LanguageIncludeRecipe
+- Chef::Mixin::Language
+- Chef::DSL::Recipe::FullDSL
### cloud_v2 and filesystem2 Ohai Plugins
@@ -3994,16 +4205,16 @@ optional_plugins [ "lspci", "passwd" ]
## Bugfixes
-* The mount provider now properly adds blank lines between fstab entries on AIX
-* Ohai now reports itself as Ohai well communicating with GCE metadata endpoints
-* Property deprecations in custom resources no longer result in an error. Thanks for reporting this [martinisoft](https://github.com/martinisoft)
-* mixlib-archive has been updated to prevent corruption of archives on Windows systems
+- The mount provider now properly adds blank lines between fstab entries on AIX
+- Ohai now reports itself as Ohai well communicating with GCE metadata endpoints
+- Property deprecations in custom resources no longer result in an error. Thanks for reporting this [martinisoft](https://github.com/martinisoft)
+- mixlib-archive has been updated to prevent corruption of archives on Windows systems
## Updated Components
-* libxml2 2.9.7 -> 2.9.9
-* ca-certs updated to 2019-01-22 for new roots
-* nokogiri 1.8.5 -> 1.10.1
+- libxml2 2.9.7 -> 2.9.9
+- ca-certs updated to 2019-01-22 for new roots
+- nokogiri 1.8.5 -> 1.10.1
## Security Updates
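Review bot: the second `+` bullet under Bugfixes, "Ohai now reports itself as Ohai well communicating with GCE metadata endpoints", looks like a typo for "when communicating" that was carried over from the `-` line; fix the wording while the line is being rewritten. The third bullet links `martinisoft` without the `@` prefix used for contributor names elsewhere in the notes.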
@@ -4014,12 +4225,12 @@ OpenSSL has been updated to 1.0.2r in order to resolve [CVE-2019-1559](https://c
### RubyGems
RubyGems has been updated to 2.7.9 in order to resolve the following CVEs:
- * [CVE-2019-8320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320): Delete directory using symlink when decompressing tar
- * [CVE-2019-8321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321): Escape sequence injection vulnerability in verbose
- * [CVE-2019-8322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322): Escape sequence injection vulnerability in gem owner
- * [CVE-2019-8323](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323): Escape sequence injection vulnerability in API response handling
- * [CVE-2019-8324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324): Installing a malicious gem may lead to arbitrary code execution
- * [CVE-2019-8325](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325): Escape sequence injection vulnerability in errors
+ - [CVE-2019-8320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320): Delete directory using symlink when decompressing tar
+ - [CVE-2019-8321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321): Escape sequence injection vulnerability in verbose
+ - [CVE-2019-8322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322): Escape sequence injection vulnerability in gem owner
+ - [CVE-2019-8323](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323): Escape sequence injection vulnerability in API response handling
+ - [CVE-2019-8324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324): Installing a malicious gem may lead to arbitrary code execution
+ - [CVE-2019-8325](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325): Escape sequence injection vulnerability in errors
# What's New in 13.12.3
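Review bot: The six added RubyGems CVE entries keep the one-space indent of the lines they replace (` - [CVE-2019-8320]...`), while the other lists converted in this patch, such as `- libxml2 2.9.7 -> 2.9.9`, start at column 0. Drop the leading space so the security list uses the same bullet style as the rest of the file.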
@@ -4033,8 +4244,8 @@ Chef is now tested against macOS Mojave and packages are now available at downlo
## SUSE Linux Enterprise Server 15
-* Ohai now properly detects SLES 15
-* The Chef package will no longer remove symlinks to chef-client and ohai when upgrading on SLES 15
+- Ohai now properly detects SLES 15
+- The Chef package will no longer remove symlinks to chef-client and ohai when upgrading on SLES 15
## Updated Chef-Vault
@@ -4048,8 +4259,8 @@ Improved Windows installation speed by skipping unnecessary steps when Windows I
### macOS Improvements
-* sysctl commands have been modified to gather only the bare minimum required data, which prevents sysctl hanging in some scenarios
-* Extra data has been removed from the system_profile plugin, reducing the amount of data stored on the chef-server for each node
+- sysctl commands have been modified to gather only the bare minimum required data, which prevents sysctl hanging in some scenarios
+- Extra data has been removed from the system_profile plugin, reducing the amount of data stored on the chef-server for each node
## New Deprecations
@@ -4066,51 +4277,51 @@ The ``ohai`` resource's unused ``ohai_name`` property has been deprecated. This
### Ruby 2.4.5
Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as bugs:
-* [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/)
-* [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/)
+- [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/)
+- [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/)
# What's New in 13.11
### Sensitive Properties on Windows
-* `windows_service` no longer logs potentially sensitive information when a service is setup
-* `windows_package` now respects the `sensitive` property to avoid logging sensitive data in the event of a package installation failure
+- `windows_service` no longer logs potentially sensitive information when a service is setup
+- `windows_package` now respects the `sensitive` property to avoid logging sensitive data in the event of a package installation failure
### Other Fixes
-* `remote_directory` now properly loads files in the root of a cookbook's `files` directory
-* `osx_profile` now uses the full path the profiles CLI tool to avoid running other binaries of the same name in a users path
-* `package` resources that don't support the `allow_downgrade` property will no longer fail
-* `knife bootstrap windows` error messages have been improved
+- `remote_directory` now properly loads files in the root of a cookbook's `files` directory
+- `osx_profile` now uses the full path the profiles CLI tool to avoid running other binaries of the same name in a users path
+- `package` resources that don't support the `allow_downgrade` property will no longer fail
+- `knife bootstrap windows` error messages have been improved
## Security Updates
### OpenSSL
-* OpenSSL has been updated to 1.0.2p to resolve [CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732) and [CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737)
+- OpenSSL has been updated to 1.0.2p to resolve [CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732) and [CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737)
### Rubyzip
-* Updated Rubyzip to 1.2.2 to resolve [CVE-2018-1000544](https://nvd.nist.gov/vuln/detail/CVE-2018-1000544)
+- Updated Rubyzip to 1.2.2 to resolve [CVE-2018-1000544](https://nvd.nist.gov/vuln/detail/CVE-2018-1000544)
# What's New in 13.10
## Bugfixes
-* Resolves a duplicate logging getting created when redirecting stdout
-* Using --recipe-url with a local file on Windows no longer fails
-* Service resource no longer throws Ruby deprecation warnings on Windows
+- Resolves a duplicate logging getting created when redirecting stdout
+- Using --recipe-url with a local file on Windows no longer fails
+- Service resource no longer throws Ruby deprecation warnings on Windows
## Ohai 13.10 Improvements
-* Correctly identify the platform_version on the final release of Amazon Linux 2.0
-* Detect nodes with the DMI data of "OpenStack Compute" as being OpenStack nodes
+- Correctly identify the platform_version on the final release of Amazon Linux 2.0
+- Detect nodes with the DMI data of "OpenStack Compute" as being OpenStack nodes
## Security Updates
### ffi Gem
-* CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS
+- CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS
# What's New in 13.9.X:
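Review bot: The `osx_profile` entry under "Other Fixes" is rewritten with its wording errors intact: "now uses the full path the profiles CLI tool" is missing "to", and "a users path" should be "a user's PATH". Since the line is being touched anyway and it describes a fix for running an unintended binary of the same name, tighten it to something like "now uses the full path to the profiles CLI tool to avoid running other binaries of the same name in a user's PATH". The `windows_service` entry has the same kind of slip ("when a service is setup" should be "set up").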
@@ -4118,21 +4329,21 @@ Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as
Ruby has been updated to 2.4.4
-* CVE-2017-17742: HTTP response splitting in WEBrick
-* CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
-* CVE-2018-8777: DoS by large request in WEBrick
-* CVE-2018-8778: Buffer under-read in String#unpack
-* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
-* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
-* Multiple vulnerabilities in RubyGems
+- CVE-2017-17742: HTTP response splitting in WEBrick
+- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
+- CVE-2018-8777: DoS by large request in WEBrick
+- CVE-2018-8778: Buffer under-read in String#unpack
+- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
+- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
+- Multiple vulnerabilities in RubyGems
Nokogiri has been updated to 1.8.2
-* [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem).
+- [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem).
OpenSSL has been updated to 1.0.2o
-* CVE-2018-0739: Constructed ASN.1 types with a recursive definition could exceed the stack.
+- CVE-2018-0739: Constructed ASN.1 types with a recursive definition could exceed the stack.
## Platform Updates
@@ -4164,10 +4375,10 @@ Enable Ubuntu-18.04 and Debian-9 tested chef-client packages.
# What's New in 13.9:
-* On Windows, the installer now correctly re-extracts files during repair mode
-* The mount resource will now not create duplicate entries when the device type differs
-* Ensure we don't request every remote file when running with lazy loading enabled
-* Don't crash when getting the access rights for Windows system accounts
+- On Windows, the installer now correctly re-extracts files during repair mode
+- The mount resource will now not create duplicate entries when the device type differs
+- Ensure we don't request every remote file when running with lazy loading enabled
+- Don't crash when getting the access rights for Windows system accounts
## Custom Resource Improvements
@@ -4235,10 +4446,10 @@ end
# Ohai Release Notes 13.9:
-* Fix uptime parsing on AIX
-* Fix Softlayer cloud detection
-* Use the current Azure metadata endpoint
-* Correctly detect macOS guests on VMware and VirtualBox
+- Fix uptime parsing on AIX
+- Fix Softlayer cloud detection
+- Use the current Azure metadata endpoint
+- Correctly detect macOS guests on VMware and VirtualBox
# What's New in 13.8:
@@ -4252,7 +4463,7 @@ Per <https://discourse.chef.io/t/regression-in-chef-client-13-7-16/12518/1> , th
## Security Updates
-* Updated libxml2 to 2.9.7; fixes: CVE-2017-15412
+- Updated libxml2 to 2.9.7; fixes: CVE-2017-15412
# What's New in 13.7:
@@ -4278,11 +4489,11 @@ The original name for the ignore_failure property in resources was epic_fail. Ou
In Chef 14 several legacy legacy mixins will be removed. Usage of these mixins has resulted in deprecation warnings for several years. They were traditionally used in some HWRPs, but are rarely found in code available on the Supermarket. Foodcritic rules FC097, FC098, FC099, FC100, and FC102 have been introduced to detect these mixins.
-* Chef::Mixin::LanguageIncludeAttribute
-* Chef::Mixin::RecipeDefinitionDSLCore
-* Chef::Mixin::LanguageIncludeRecipe
-* Chef::Mixin::Language
-* Chef::DSL::Recipe::FullDSL
+- Chef::Mixin::LanguageIncludeAttribute
+- Chef::Mixin::RecipeDefinitionDSLCore
+- Chef::Mixin::LanguageIncludeRecipe
+- Chef::Mixin::Language
+- Chef::DSL::Recipe::FullDSL
### :uninstall action in chocolatey_package
@@ -4290,14 +4501,14 @@ The chocolatey cookbook's chocolatey_package resource originally contained an :u
## Bugfixes
-* Resolved a bug where knife commands that prompted on Windows would never display the prompt
-* Fixed hiding of sensitive resources when converge_if_changed was used
-* Fixed scenarios where services would fail to start on Solaris
+- Resolved a bug where knife commands that prompted on Windows would never display the prompt
+- Fixed hiding of sensitive resources when converge_if_changed was used
+- Fixed scenarios where services would fail to start on Solaris
## Security Updates
-* OpenSSL has been upgraded to 1.0.2n to resolve CVE-2017-3738, CVE-2017-3737, CVE-2017-3736, and CVE-2017-3735.
-* Ruby has been upgraded to 2.4.3 to resolve CVE-2017-17405
+- OpenSSL has been upgraded to 1.0.2n to resolve CVE-2017-3738, CVE-2017-3737, CVE-2017-3736, and CVE-2017-3735.
+- Ruby has been upgraded to 2.4.3 to resolve CVE-2017-17405
## Ohai 13.7 Release Notes:
@@ -4321,12 +4532,12 @@ The mdadm plugin has been updated to properly handle arrays with more than 10 di
## Bugfixes
-* Resolved a regression in 13.6.0 that prevented upgrading packages on Debian/Ubuntu when the package name contained a tilde.
+- Resolved a regression in 13.6.0 that prevented upgrading packages on Debian/Ubuntu when the package name contained a tilde.
## Security Updates
-* OpenSSL has been upgraded to 1.0.2m to resolve CVE-2017-3735 and CVE-2017-3736
-* RubyGems has been upgraded to 2.6.14 to resolve CVE-2017-0903
+- OpenSSL has been upgraded to 1.0.2m to resolve CVE-2017-3735 and CVE-2017-3736
+- RubyGems has been upgraded to 2.6.14 to resolve CVE-2017-0903
# What's New in 13.6:
@@ -4402,19 +4613,19 @@ Debug logs will show the length of time each plugin takes to run, making debuggi
Chef Client 13.4 includes Ruby 2.4.2 to fix the following CVEs:
-* CVE-2017-0898
-* CVE-2017-10784
-* CVE-2017-14033
-* CVE-2017-14064
+- CVE-2017-0898
+- CVE-2017-10784
+- CVE-2017-14033
+- CVE-2017-14064
## Security release of RubyGems
Chef Client 13.4 includes RubyGems 2.6.13 to fix the following CVEs:
-* CVE-2017-0899
-* CVE-2017-0900
-* CVE-2017-0901
-* CVE-2017-0902
+- CVE-2017-0899
+- CVE-2017-0900
+- CVE-2017-0901
+- CVE-2017-0902
## Ifconfig provider on Red Hat now supports additional properties
@@ -4422,21 +4633,21 @@ It is now possible to set `ETHTOOL_OPTS`, `BONDING_OPTS`, `MASTER` and `SLAVE` p
### Properties
-* `ethtool_opts`<br>
- **Ruby types:** String<br>
- **Platforms:** Fedora, RHEL, Amazon Linux A string containing arguments to ethtool. The string will be wrapped in double quotes, so ensure that any needed quotes in the property are surrounded by single quotes
+- `ethtool_opts`<br>
+ **Ruby types:*- String<br>
+ **Platforms:*- Fedora, RHEL, Amazon Linux A string containing arguments to ethtool. The string will be wrapped in double quotes, so ensure that any needed quotes in the property are surrounded by single quotes
-* `bonding_opts`<br>
- **Ruby types:** String<br>
- **Platforms:** Fedora, RHEL, Amazon Linux A string containing configuration parameters for the bonding device.
+- `bonding_opts`<br>
+ **Ruby types:*- String<br>
+ **Platforms:*- Fedora, RHEL, Amazon Linux A string containing configuration parameters for the bonding device.
-* `master`<br>
- **Ruby types:** String<br>
- **Platforms:** Fedora, RHEL, Amazon Linux The channel bonding interface that this interface is linked to.
+- `master`<br>
+ **Ruby types:*- String<br>
+ **Platforms:*- Fedora, RHEL, Amazon Linux The channel bonding interface that this interface is linked to.
-* `slave`<br>
- **Ruby types:** String<br>
- **Platforms:** Fedora, RHEL, Amazon Linux Whether the interface is controlled by the channel bonding interface defined by `master`, above.
+- `slave`<br>
+ **Ruby types:*- String<br>
+ **Platforms:*- Fedora, RHEL, Amazon Linux Whether the interface is controlled by the channel bonding interface defined by `master`, above.
## Chef Vault is now included
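Review bot: The bullet conversion also rewrote the closing bold markers in all four property entries (`ethtool_opts`, `bonding_opts`, `master`, `slave`): `**Ruby types:** String<br>` became `**Ruby types:*- String<br>` and `**Platforms:**` became `**Platforms:*-`, so the bold never closes and a stray `-` shows up in the rendered text. Only the leading `* ` list marker should change; restore the `**` terminators on those eight added lines.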
@@ -4452,16 +4663,16 @@ The `remote_file` resource now supports the use of credentials on Windows when a
The following properties are new for the `remote_file` resource:
-* `remote_user`<br>
- **Ruby types:** String<br>
- _Windows only:_ The user name of a user with access to the remote file specified by the `source` property. Default value: `nil`. The user name may optionally be specified with a domain, i.e. `domain\user` or `user@my.dns.domain.com` via Universal Principal Name (UPN) format. It can also be specified without a domain simply as `user` if the domain is instead specified using the `remote_domain` attribute. Note that this property is ignored if `source` is not a UNC path. If this property is specified, the `remote_password` property **must** be specified.
+- `remote_user`<br>
+ **Ruby types:*- String<br>
+ _Windows only:_ The user name of a user with access to the remote file specified by the `source` property. Default value: `nil`. The user name may optionally be specified with a domain, i.e. `domain\user` or `user@my.dns.domain.com` via Universal Principal Name (UPN) format. It can also be specified without a domain simply as `user` if the domain is instead specified using the `remote_domain` attribute. Note that this property is ignored if `source` is not a UNC path. If this property is specified, the `remote_password` property **must*- be specified.
-* `remote_password`<br>
- **Ruby types** String<br>
+- `remote_password`<br>
+ **Ruby types*- String<br>
_Windows only:_ The password of the user specified by the `remote_user` property. Default value: `nil`. This property is mandatory if `remote_user` is specified and may only be specified if `remote_user` is specified. The `sensitive` property for this resource will automatically be set to `true` if `remote_password` is specified.
-* `remote_domain`<br>
- **Ruby types** String<br>
+- `remote_domain`<br>
+ **Ruby types*- String<br>
_Windows only:_ The domain of the user user specified by the `remote_user` property. Default value: `nil`. If not specified, the user and password properties specified by the `remote_user` and `remote_password` properties will be used to authenticate that user against the domain in which the system hosting the UNC path specified via `source` is joined, or if that system is not joined to a domain it will authenticate the user as a local account on that system. An alternative way to specify the domain is to leave this property unspecified and specify the domain as part of the `remote_user` property.
### Examples
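Review bot: In the `remote_file` property list the replacement has hit text inside the entries, not just the bullets: `**Ruby types:*- String`, `**Ruby types*- String`, and, in the `remote_user` description, "the `remote_password` property `**must*- be specified`". The last one garbles the sentence that states the credential requirement. Revert these to `**Ruby types:**` / `**Ruby types**` / `**must**` and limit the change to the leading `* ` of `remote_user`, `remote_password` and `remote_domain`.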
@@ -4514,12 +4725,12 @@ end
### Actions
-* `:add` * Add an item to the system path
-* `:remove` * Remove an item from the system path
+- `:add` - Add an item to the system path
+- `:remove` - Remove an item from the system path
### Properties
-* `path` * Name attribute. The name of the value to add to the system path
+- `path` - Name attribute. The name of the value to add to the system path
### Examples
@@ -4646,15 +4857,15 @@ Further information regarding apt-pinning is available via <https://wiki.debian.
### Actions
-* `:add`: creates a preferences file under /etc/apt/preferences.d
-* `:remove`: Removes the file, therefore unpin the package
+- `:add`: creates a preferences file under /etc/apt/preferences.d
+- `:remove`: Removes the file, therefore unpin the package
### Properties
-* `package_name`: name attribute. The name of the package
-* `glob`: Pin by glob() expression or regexp surrounded by /.
-* `pin`: The package version/repository to pin
-* `pin_priority`: The pinning priority aka "the highest package version wins"
+- `package_name`: name attribute. The name of the package
+- `glob`: Pin by glob() expression or regexp surrounded by /.
+- `pin`: The package version/repository to pin
+- `pin_priority`: The pinning priority aka "the highest package version wins"
### Examples
@@ -4691,25 +4902,25 @@ The zypper_repository resource allows for the creation of Zypper package reposit
### Actions
-* `:add` * adds a repo
-* `:delete` * removes a repo
+- `:add` - adds a repo
+- `:delete` - removes a repo
### Properties
-* `repo_name` * repository name if different from the resource name (name property)
-* `type` * the repository type. default: 'NONE'
-* `description` * the description of the repo that will be shown in `zypper repos`
-* `baseurl` * the base url of the repo
-* `path` * the relative path from the `baseurl`
-* `mirrorlist` * the url to the mirrorlist to use
-* `gpgcheck` * should we gpg check the repo (true/false). default: true
-* `gpgkey` * location of repo key to import
-* `priority` * priority of the repo. default: 99
-* `autorefresh` * should the repository be automatically refreshed (true/false). default: true
-* `keeppackages` * should packages be saved (true/false). default: false
-* `refresh_cache` * should package cache be refreshed (true/false). default: true
-* `enabled` * should this repository be enabled (true/false). default: true
-* `mode` * the file mode of the repository file. default: "0644"
+- `repo_name` - repository name if different from the resource name (name property)
+- `type` - the repository type. default: 'NONE'
+- `description` - the description of the repo that will be shown in `zypper repos`
+- `baseurl` - the base url of the repo
+- `path` - the relative path from the `baseurl`
+- `mirrorlist` - the url to the mirrorlist to use
+- `gpgcheck` - should we gpg check the repo (true/false). default: true
+- `gpgkey` - location of repo key to import
+- `priority` - priority of the repo. default: 99
+- `autorefresh` - should the repository be automatically refreshed (true/false). default: true
+- `keeppackages` - should packages be saved (true/false). default: false
+- `refresh_cache` - should package cache be refreshed (true/false). default: true
+- `enabled` - should this repository be enabled (true/false). default: true
+- `mode` - the file mode of the repository file. default: "0644"
### Examples
@@ -4730,8 +4941,8 @@ end
Ohai now properly detects the [F5 Big-IP](https://www.f5.com/) platform and platform_version.
-* platform: bigip
-* platform_family: rhel
+- platform: bigip
+- platform_family: rhel
# What's New in 13.2:
@@ -4783,13 +4994,13 @@ Ohai now properly detects the [Clear](https://clearlinux.org/) and [ClearOS](htt
#### Clear Linux
-* platform: clearlinux
-* platform_family: clearlinux
+- platform: clearlinux
+- platform_family: clearlinux
#### ClearOS
-* platform: clearos
-* platform_family: rhel
+- platform: clearos
+- platform_family: rhel
## New Deprecations
@@ -4823,7 +5034,7 @@ The behavior of `gem_package` and `chef_gem` is now to always apply the `Chef::C
This should enable easier setup of rubygems mirrors particularly in "airgapped" environments through the use of the global config variable. It also means that an admin may force all rubygems.org traffic to an internal mirror, while still being able to consume external cookbooks which have resources which add other mirrors unchanged (in a non-airgapped environment).
-In the case where a resource must force the use of only the specified source(s), then the `include_default_source` property has been added -* setting it to false will remove the `Chef::Config[:rubygems_url]` setting from the list of sources for that resource.
+In the case where a resource must force the use of only the specified source(s), then the `include_default_source` property has been added -- setting it to false will remove the `Chef::Config[:rubygems_url]` setting from the list of sources for that resource.
The behavior of the `clear_sources` property is now to only add `--clear-sources` and has no magic side effects on the source options.
@@ -4841,7 +5052,7 @@ This can be used by any other resource by just overriding the name property and
property :name, String, default: ""
```
-Notifications to resources with empty strings as their name is also supported via either the bare resource name (`apt_update` -* matches what the user types in the DSL) or with empty brackets (`apt_update[]` -* matches the resource notification pattern).
+Notifications to resources with empty strings as their name is also supported via either the bare resource name (`apt_update` -- matches what the user types in the DSL) or with empty brackets (`apt_update[]` -- matches the resource notification pattern).
## The knife ssh command applies the same fuzzifier as knife search node
@@ -5097,16 +5308,16 @@ The PATH changes have also been tweaked so that the ruby bindir and gemdir PATHS
Some examples of changes:
-* `which ruby` in 12.x will return any system ruby and fall back to the embedded ruby if using omnibus
-* `which ruby` in 13.x will return any system ruby and will not find the embedded ruby if using omnibus
-* `shell_out_with_systems_locale("which ruby")` behaves the same as `which ruby` above
-* `shell_out("which ruby")` in 12.x will return any system ruby and fall back to the embedded ruby if using omnibus
-* `shell_out("which ruby")` in 13.x will always return the omnibus ruby first (but will find the system ruby if not using omnibus)
+- `which ruby` in 12.x will return any system ruby and fall back to the embedded ruby if using omnibus
+- `which ruby` in 13.x will return any system ruby and will not find the embedded ruby if using omnibus
+- `shell_out_with_systems_locale("which ruby")` behaves the same as `which ruby` above
+- `shell_out("which ruby")` in 12.x will return any system ruby and fall back to the embedded ruby if using omnibus
+- `shell_out("which ruby")` in 13.x will always return the omnibus ruby first (but will find the system ruby if not using omnibus)
The PATH in `shell_out` can also be overridden:
-* `shell_out("which ruby", env: { "PATH" => nil })` * behaves like shell_out_with_systems_locale()
-* `shell_out("which ruby", env: { "PATH" => [...include PATH string here...] })` * set it arbitrarily however you need
+- `shell_out("which ruby", env: { "PATH" => nil })` - behaves like shell_out_with_systems_locale()
+- `shell_out("which ruby", env: { "PATH" => [...include PATH string here...] })` - set it arbitrarily however you need
Since most providers which launch custom user commands use `shell_out_with_systems_locale` (service, execute, script, etc) the behavior will be that those commands that used to be having embedded omnibus paths injected into them no longer will. Generally this will fix more problems than it solves, but may causes issues for some use cases.
@@ -5152,25 +5363,25 @@ The virtualization plugin has been updated to properly detect when running on Do
This release of Chef Client contains Ruby 2.3.5, fixing 4 CVEs:
- * CVE-2017-0898
- * CVE-2017-10784
- * CVE-2017-14033
- * CVE-2017-14064
+ - CVE-2017-0898
+ - CVE-2017-10784
+ - CVE-2017-14033
+ - CVE-2017-14064
It also contains a new version of Rubygems, fixing 4 CVEs:
- * CVE-2017-0899
- * CVE-2017-0900
- * CVE-2017-0901
- * CVE-2017-0902
+ - CVE-2017-0899
+ - CVE-2017-0900
+ - CVE-2017-0901
+ - CVE-2017-0902
This release also contains a new version of zlib, fixing 4
CVEs:
- * [CVE-2016-9840](https://www.cvedetails.com/cve/CVE-2016-9840/)
- * [CVE-2016-9841](https://www.cvedetails.com/cve/CVE-2016-9841/)
- * [CVE-2016-9842](https://www.cvedetails.com/cve/CVE-2016-9842/)
- * [CVE-2016-9843](https://www.cvedetails.com/cve/CVE-2016-9843/)
+ - [CVE-2016-9840](https://www.cvedetails.com/cve/CVE-2016-9840/)
+ - [CVE-2016-9841](https://www.cvedetails.com/cve/CVE-2016-9841/)
+ - [CVE-2016-9842](https://www.cvedetails.com/cve/CVE-2016-9842/)
+ - [CVE-2016-9843](https://www.cvedetails.com/cve/CVE-2016-9843/)
## On Debian based systems, correctly prefer Systemd to Upstart
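Review bot: All three CVE lists in this hunk (Ruby 2.3.5, Rubygems, zlib) are converted to ` - ` with the original one-space indent kept, which is inconsistent with the unindented `- ` bullets used in the other security sections this patch touches. Use `- CVE-2017-0898` at column 0 for these twelve entries.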
@@ -5202,9 +5413,9 @@ detail from the off.
## Highlighted enhancements for this release:
-* Systemd unit files are now verified before being installed.
-* Added support for windows alternate user identity in execute resources.
-* Added ed25519 key support for for ssh connections.
+- Systemd unit files are now verified before being installed.
+- Added support for windows alternate user identity in execute resources.
+- Added ed25519 key support for for ssh connections.
### Windows alternate user identity execute support
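Review bot: The third added bullet still reads "Added ed25519 key support for for ssh connections." with a doubled "for". As the line is being rewritten here, fix it to "Added ed25519 key support for ssh connections."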
@@ -5226,16 +5437,16 @@ Chef::ReservedNames::Win32::Security.get_account_right('<user>').include?('SeAss
The following properties are new or updated for the `execute`, `script`, `batch`, and `powershell_script` resources and any resources derived from them:
-* `user`<br>
- **Ruby types:** String<br>
- The user name of the user identity with which to launch the new process. Default value: `nil`. The user name may optionally be specified with a domain, i.e. `domain\user` or `user@my.dns.domain.com` via Universal Principal Name (UPN) format. It can also be specified without a domain simply as `user` if the domain is instead specified using the `domain` attribute. On Windows only, if this property is specified, the `password` property **must** be specified.
+- `user`<br>
+ **Ruby types:*- String<br>
+ The user name of the user identity with which to launch the new process. Default value: `nil`. The user name may optionally be specified with a domain, i.e. `domain\user` or `user@my.dns.domain.com` via Universal Principal Name (UPN) format. It can also be specified without a domain simply as `user` if the domain is instead specified using the `domain` attribute. On Windows only, if this property is specified, the `password` property **must*- be specified.
-* `password`<br>
- **Ruby types** String<br>
+- `password`<br>
+ **Ruby types*- String<br>
_Windows only:_ The password of the user specified by the `user` property. Default value: `nil`. This property is mandatory if `user` is specified on Windows and may only be specified if `user` is specified. The `sensitive` property for this resource will automatically be set to `true` if `password` is specified.
-* `domain`<br>
- **Ruby types** String<br>
+- `domain`<br>
+ **Ruby types*- String<br>
_Windows only:_ The domain of the user user specified by the `user` property. Default value: `nil`. If not specified, the user name and password specified by the `user` and `password` properties will be used to resolve that user against the domain in which the system running Chef client is joined, or if that system is not joined to a domain it will resolve the user as a local account on that system. An alternative way to specify the domain is to leave this property unspecified and specify the domain as part of the `user` property.
#### Usage
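Review bot: The `user`, `password` and `domain` entries have lost their closing bold markers: the added lines read `**Ruby types:*- String<br>` and `**Ruby types*- String<br>`, and the `user` description now ends with "the `password` property `**must*- be specified`". That breaks the emphasis on the one sentence telling Windows users a password is mandatory. Restore `**` in these places and change only the leading list marker on the three bullet lines.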
@@ -5278,12 +5489,12 @@ end
## Highlighted bug fixes for this release:
-* Ensure that the Windows Administrator group can access the chef-solo nodes directory
-* When loading a cookbook in Chef Solo, use `metadata.json` in preference to `metadata.rb`
+- Ensure that the Windows Administrator group can access the chef-solo nodes directory
+- When loading a cookbook in Chef Solo, use `metadata.json` in preference to `metadata.rb`
## Deprecation Notice
-* As of version 12.19, chef client will no longer be build or tested on the Cisco NX-OS and IOS XR platforms.
+- As of version 12.19, chef client will no longer be build or tested on the Cisco NX-OS and IOS XR platforms.
# Ohai Release Notes 8.23:
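Review bot: The deprecation notice bullet carries over a grammar error: "chef client will no longer be build or tested" should be "will no longer be built or tested". Worth correcting in the same change that rewrites the line.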
@@ -5313,36 +5524,36 @@ GCC detection has been improved to collect additional information, and to not pr
### Ohai::Config removed
-* **Deprecation ID**: OHAI-1
-* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_legacy_config>
-* **Expected Removal**: Ohai 13 (April 2017)
+- **Deprecation ID**: OHAI-1
+- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_legacy_config>
+- **Expected Removal**: Ohai 13 (April 2017)
### sigar gem based plugins removed
-* **Deprecation ID**: OHAI-2
-* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_sigar_plugins>
-* **Expected Removal**: Ohai 13 (April 2017)
+- **Deprecation ID**: OHAI-2
+- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_sigar_plugins>
+- **Expected Removal**: Ohai 13 (April 2017)
### run_command and popen4 helper methods removed
-* **Deprecation ID**: OHAI-3
-* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_run_command_helpers>
-* **Expected Removal**: Ohai 13 (April 2017)
+- **Deprecation ID**: OHAI-3
+- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_run_command_helpers>
+- **Expected Removal**: Ohai 13 (April 2017)
### libvirt plugin attributes moved
-* **Deprecation ID**: OHAI-4
-* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_libvirt_plugin>
-* **Expected Removal**: Ohai 13 (April 2017)
+- **Deprecation ID**: OHAI-4
+- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_libvirt_plugin>
+- **Expected Removal**: Ohai 13 (April 2017)
### Windows CPU plugin attribute changes
-* **Deprecation ID**: OHAI-5
-* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_windows_cpu>
-* **Expected Removal**: Ohai 13 (April 2017)
+- **Deprecation ID**: OHAI-5
+- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_windows_cpu>
+- **Expected Removal**: Ohai 13 (April 2017)
### DigitalOcean plugin attribute changes
-* **Deprecation ID**: OHAI-6
-* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_digitalocean/>
-* **Expected Removal**: Ohai 13 (April 2017)
+- **Deprecation ID**: OHAI-6
+- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_digitalocean/>
+- **Expected Removal**: Ohai 13 (April 2017)