author Tim Smith <tsmith@chef.io> 2020-06-17 11:11:04 -0700
committer GitHub <noreply@github.com> 2020-06-17 11:11:04 -0700
commit 56720b8c8da36bc761c67d294dc359843f7fe09e (patch)
tree e0e5f5b3b9b839e678382fd46c23bf03202cd3d7
parent 7e6d165274db8182188000e874ac96f59e1f0d77 (diff)
parent 8072c0197ab6fb9ea5a98dbac5194983e478c91a (diff)
download chef-56720b8c8da36bc761c67d294dc359843f7fe09e.tar.gz
Merge pull request #9997 from chef/162
Add release notes for Infra Client 16.2
-rw-r--r-- RELEASE_NOTES.md 302
-rw-r--r-- cspell.json 5
2 files changed, 214 insertions, 93 deletions
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index d6f49140f4..c041915442 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,6 +1,117 @@
This file holds "in progress" release notes for the current release under development and is intended for consumption by the Chef Documentation team. Please see <https://docs.chef.io/release_notes/> for the official Chef release notes.
-# Chef Infra Client 16.1.16
+# What's New in 16.2
+
+## Breaking Change in Resources
+
+In Chef Infra Client 16.0, we changed the way that custom resource names are applied in order to resolve some longstanding edge-cases. This change had several unintended side effects, so we're further changing how custom names are set in this release of Chef Infra Client.
+
+Previously you could set a custom name for a resource via `resource_name` and under the hood this would also magically set the `provides` for the resource. Magic is great when it works, but is confusing when it doesn't. We've decided to remove some of this magic and instead rely on more explicit `provides` statements in resources. For cookbooks that support just Chef Infra Client 16 and later, you should change any `resource_name` calls to `provides` instead. If you need to support older releases of Chef Infra Client as well as 16+, you'll want to include both `resource_name` and `provides` for full compatibility.
+
+**Pre-16 code:**
+
+```ruby
+resource_name :foo
+```
+
+**Chef Infra Client 16+ code**
+
+```ruby
+provides :foo
+```
+
+**Chef Infra Client < 16 backwards compatible code**
+
+```ruby
+resource_name :foo
+provides :foo
+```
+
+We've introduced several Cookstyle rules to detect both custom resources and legacy HWRPs that need to be updated for this change:
+
+**[ChefDeprecations/ResourceUsesOnlyResourceName](https://github.com/chef/cookstyle/blob/master/docs/cops_chefdeprecations.md#chefdeprecationsresourceusesonlyresourcename)**: detects resources that only set resource_name and automatically adds a provides call as well.
+
+**[ChefDeprecations/HWRPWithoutProvides](https://github.com/chef/cookstyle/blob/master/docs/cops_chefdeprecations.md#chefdeprecationshwrpwithoutprovides)**: detects legacy HWRPs that don't include the necessary provides and resource_name calls for Chef Infra Client 16.
+
+## New Resources
+
+### windows_audit_policy
+
+The `windows_audit_policy` resource is used to configure system-level and per-user Windows advanced audit policy settings. See the [windows_audit_policy Documentation](https://docs.chef.io/resources/windows_audit_policy/) for complete usage information.
+
+For example, you can enable auditing of successful credential validation:
+
+```ruby
+windows_audit_policy "Set Audit Policy for 'Credential Validation' actions to 'Success'" do
+ subcategory 'Credential Validation'
+ success true
+ failure false
+ action :set
+end
+```
+
+### homebrew_update
+
+The `homebrew_update` resource is used to update the available package cache for the Homebrew package system similar to the behavior of the `apt_update` resource. See the [homebrew_update Documentation](https://docs.chef.io/resources/homebrew_update/) for complete usage information. Thanks for adding this new resource, [@damacus](http://github.com/damacus).
+
+## Resource Updates
+
+## All resources now include umask property
+
+All resources, including custom resources, now have a `umask` property which allows you to specify a umask for file creation. If not specified the system default will continue to be used.
+
+### archive_file
+
+The `archive_file` resource has been updated with two important fixes. The resource will no longer fail with uninitialized constant errors under some scenarios. Additionally, the behavior of the `mode` property has been improved to prevent incorrect file modes from being applied to the decompressed files. Due to how file modes and Integer values are processed in Ruby, this resource will now produce a deprecation warning if integer values are passed. Using string values lets us accurately pass values such as '644' or '0644' without ambiguity as to the user's intent. Thanks for reporting these issues [@sfiggins](http://github.com/sfiggins) and [@hammerhead](http://github.com/hammerhead).
+
+### chef_client_scheduled_task
+
+The `chef_client_scheduled_task` resource has been updated to default the `frequency_modifier` property to `30` if the `frequency` property is set to `minutes`, otherwise it still defaults to `1`. This provides a more predictable schedule behavior for users.
+
+### cron / cron_d
+
+The `cron` and `cron_d` resources have been updated using the new Custom Resource Partials functionality introduced in Chef Infra Client 16. This has allowed us to standardize the properties used to declare cron job timing between the two resources. The timing properties in both resources all accept the same types and ranges, and include the same validation, which makes moving from `cron` to `cron_d` seamless.
+
+### cron_access
+
+The `cron_access` resource has been updated to support Solaris and AIX systems. Thanks [@aklyachkin](http://github.com/aklyachkin).
+
+### execute
+
+The `execute` resource has a new `input` property which allows you to pass `stdin` input to the command being executed.
+
+### powershell_package
+
+The `powershell_package` resource has been updated to use TLS 1.2 when communicating with the PowerShell Gallery on Windows Server 2012-2016. Previously this resource used the system default cipher suite which did not include TLS 1.2. The PowerShell Gallery now requires TLS 1.2 for all communication, which caused failures on Windows Server 2012-2016. Thanks for reporting this issue [@Xorima](http://github.com/Xorima).
+
+### remote_file
+
+The `remote_file` resource has a new property `ssl_verify_mode` which allows you to control SSL validation at the property level. This can be used to verify certificates (Chef Infra Client's defaults) with `:verify_peer` or to skip verification in the case of a self-signed certificate with `:verify_none`. Thanks [@jaymzh](http://github.com/jaymzh).
+
+### script
+
+The various `script` resources such as `bash` or `ruby` now pass the provided script content to the interpreter using system pipes instead of writing to a temporary file and executing it. Executing script content using pipes is faster, more secure as potentially sensitive scripts aren't written to disk, and bypasses issues around user privileges.
+
+### snap_package
+
+Multiple issues with the `snap_package` resource have been resolved, including an infinite wait that occurred, and issues with specifying the package version or channel. Thanks [@jaymzh](http://github.com/jaymzh).
+
+### zypper_repository
+
+The `zypper_repository` resource has been updated to work with the newer release of GPG in openSUSE 15 and SLES 15. This prevents failures when importing GPG keys in the resource.
+
+## Knife bootstrap updates
+
+- Knife bootstrap will now warn when bootstrapping a system using a validation key. Users should instead use `validatorless bootstrapping` with `knife bootstrap` which generates node and client keys using the client key of the user bootstrapping the node. This method is far more secure as an org-wide validation key does not not need to be distributed or rotated. Users can switch to `validatorless bootstrapping` by removing any `validation_key` entries in their `config.rb (knife.rb)` file.
+- Resolved an error bootstrapping Linux nodes from Windows hosts
+- Improved information messages during the bootstrap process
+
+## Platform Packages
+
+- Debian 8 packages are no longer being produced as Debian 8 is now end-of-life.
+- We now produce Windows 8 packages
+
+# What's New in 16.1.16
This release resolves high-priority bugs in the 16.1 release of Chef Infra Client:
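Review bot: Under `## Resource Updates`, the added heading `## All resources now include umask property` sits at the same level as its parent, while every sibling entry (`### archive_file`, `### execute`, and so on) uses `###`. As written it closes the Resource Updates section and the resource entries that follow nest under the umask heading instead; make it `###`. In the Knife bootstrap bullet, "does not not need to be distributed or rotated" has a doubled "not". The `remote_file` entry presents `:verify_none` only as a way to accept a self-signed certificate; since the text itself says it skips verification, it would help to state plainly that certificate validation is turned off for that resource when this value is set, so readers do not treat it as a routine setting.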
@@ -16,7 +127,7 @@ This release resolves high-priority bugs in the 16.1 release of Chef Infra Clien
openSSL has been updated from 1.0.2u to 1.0.2v which does not address any particular CVEs, but includes multiple security hardening updates.
-# Chef Infra Client 16.1
+# What's New in 16.1
## Ohai 16.1
@@ -40,7 +151,7 @@ Chef Infra Client packages are now produced for Debian 10 on the aarch64 archite
- The `:disable` action in the `launchd` resource no longer fails if the plist was not found.
- Several Ruby 2.7 deprecation warnings have been resolved.
-# Chef Infra Client 16.0.287
+# What's New in 16.0.287
The Chef Infra Client 16.0.287 release includes important bug fixes for the Chef Infra Client 16 release:
@@ -51,7 +162,7 @@ The Chef Infra Client 16.0.287 release includes important bug fixes for the Chef
- Fixes the incorrectly spelled `knife user invite recind` command to be `knife user invite rescind`. <!-- cspell:disable-line !-->
- Update Chef InSpec to 4.8.111 with several minor improvements.
-# Chef Infra Client 16.0.275
+# What's New in 16.0.275
The Chef Infra Client 16.0.275 release includes important regression fixes for the Chef Infra Client 16 release:
@@ -62,7 +173,7 @@ The Chef Infra Client 16.0.275 release includes important regression fixes for t
- The `knife yaml convert` command now correctly converts symbol values.
- The `sysctl`, `apt_preference`, and `cron_d` remove actions no longer fail with missing property warnings.
-# Chef Infra Client 16.0
+# What's New in 16.0
## Breaking Changes
@@ -151,7 +262,7 @@ depends 'windows', '>> 1.0'
### Logging Improvements May Cause Behavior Changes
-We've make low level changes to how logging behaves in Chef Infra Client that resolves many complaints we've heard of the years. With these change you'll now see the same logging output when you run `chef-client` on the command line as you will in logs from a daemonized client run. This also corrects often confusing behavior where running `chef-client` on the command line would log to the console, but not to the log file location defined your `client.rb`. In that scenario you'll now see logs in your console and in your log file. We believe this is the expected behavior and will mean that your on-disk log files can always be the source of truth for changes that were made by Chef Infra Client. This may cause unexpected behavior changes for users that relied on using the command line flags to override the `client.rb` log location - in this case logging will be sent to *both* the locations in `client.rb` and on the command line. If you have daemons running that log using the command line options you want to make sure that `client.rb` log location either matches or isn't defined.
+We've made low level changes to how logging behaves in Chef Infra Client that resolves many complaints we've heard of the years. With these change you'll now see the same logging output when you run `chef-client` on the command line as you will in logs from a daemonized client run. This also corrects often confusing behavior where running `chef-client` on the command line would log to the console, but not to the log file location defined your `client.rb`. In that scenario you'll now see logs in your console and in your log file. We believe this is the expected behavior and will mean that your on-disk log files can always be the source of truth for changes that were made by Chef Infra Client. This may cause unexpected behavior changes for users that relied on using the command line flags to override the `client.rb` log location - in this case logging will be sent to *both* the locations in `client.rb` and on the command line. If you have daemons running that log using the command line options you want to make sure that `client.rb` log location either matches or isn't defined.
### Red Hat / CentOS 6 Systems Require C11 GCC for Some Gem Installations
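Review bot: The replacement line fixes "We've make" but carries over the other errors in the same paragraph: "changes ... that resolves many complaints we've heard of the years" (should be "resolve" and "over the years"), "With these change", and "the log file location defined your `client.rb`" (missing "in"). Since the whole line is already being rewritten, fix these in the same change.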
@@ -583,7 +694,7 @@ Several legacy Windows helpers have been deprecated as they will always return t
- Chef::Platform.supports_powershell_execution_bypass?
- Chef::Platform.windows_nano_server?
-# Chef Infra Client 15.10
+# What's New in 15.10
## Improvements
@@ -613,7 +724,7 @@ Several legacy Windows helpers have been deprecated as they will always return t
Chef Infra Client is now tested on Amazon Linux 2 running on x86_64 and aarch64 with packages available on the [Chef Downloads Page](https://downloads.chef.io/chef).
-# Chef Infra Client 15.9
+# What's New in 15.9
## Chef InSpec 4.18.100
@@ -677,7 +788,7 @@ libarchive has been updated from 3.4.0 to 3.4.2 to resolve multiple security vul
- [CVE-2019-19221](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19221): archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call
- [CVE-2020-9308](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9308): archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header
-# Chef Infra Client 15.8
+# What's New in 15.8
## New notify_group functionality
@@ -840,7 +951,7 @@ vm.swappiness = 10
Each binary in the macOS Chef Infra Client installation is now signed to improve the integrity of the installation and ensure compatibility with macOS Catalina security requirements.
-# Chef Infra Client 15.7
+# What's New in 15.7
## Updated Resources
@@ -914,7 +1025,7 @@ Returns `true` if the system is a Windows Server Core edition.
OpenSSL has been updated to 1.0.2u to resolve [CVE-2019-1551](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)
-# Chef Infra Client 15.6
+# What's New in 15.6
## Updated Resources
@@ -946,13 +1057,13 @@ We've further optimized our install footprint and reduced the size of `/opt/chef
Ohai 15.6 includes new `node['filesystem2']` data on Windows hosts. Fileystem2 presents filesystem data by both mountpoint and by device name. This data structure matches that of the filesystem plugin on Linux and other *nix operating systems. Thanks [@jaymzh](https://github.com/jaymzh) for this new data structure.
-# Chef Infra Client 15.5.15
+# What's New in 15.5.15
The Chef Infra Client 15.5.15 release includes fixes for two regressions. A regression in the `build_essential` resource caused failures on `rhel` platforms and a second regression caused Chef Infra Client to fail when starting with `enforce_path_sanity` enabled. As part of this fix we've added a new property, `raise_if_unsupported`, to the `build-essential` resource. Instead of silently continuing, this property will fail a Chef Infra Client run if an unknown platform is encountered.
We've also updated the `windows_package` resource. The resource will now provide better error messages if invalid options are passed to the `installer_type` property and the `checksum` property will now accept uppercase SHA256 checksums.
-# Chef Infra Client 15.5.9
+# What's New in 15.5.9
## New Cookbook Helpers
@@ -1024,7 +1135,7 @@ The `windows_firewall` resource has been updated to support passing in an array
libxslt has been updated to 1.1.34 to resolve [CVE-2019-13118](https://nvd.nist.gov/vuln/detail/CVE-2019-13118).
-# Chef Infra Client 15.4
+# What's New in 15.4
## converge_if_changed Improvements
@@ -1109,7 +1220,7 @@ Ruby has been updated from 2.6.4 to 2.6.5 in order to resolve the following CVEs
- [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845): A NUL injection vulnerability of File.fnmatch and File.fnmatch?
- [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201): Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
-# Chef Infra Client 15.3
+# What's New in 15.3
## Custom Resource Unified Mode
@@ -1210,7 +1321,7 @@ openssl has been updated from 1.0.2s to 1.0.2t in order to resolve [CVE-2019-156
nokogiri has been updated from 1.10.2 to 1.10.4 in order to resolve [CVE-2019-5477](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477)
-# Chef Infra Client 15.2
+# What's New in 15.2
## Updated Resources
@@ -1272,7 +1383,7 @@ Chef InSpec has been updated from 4.6.4 to 4.10.4 with the following changes:
bzip2 has been updated from 1.0.6 to 1.0.8 to resolve [CVE-2016-3189](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189) and [CVE-2019-12900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900).
-# Chef Infra Client 15.1
+# What's New in 15.1
## New Resources
@@ -1320,13 +1431,13 @@ Chef InSpec has been updated from 4.3.2 to 4.6.4 with the following changes:
- When fetching profiles from GitHub, the URL can now include periods.
- The performance of InSpec startup has been improved.
-# Chef Infra Client 15.0.300
+# What's New in 15.0.300
This release includes critical bugfixes for the 15.0 release:
- Fix `knife bootstrap` over SSH when `requiretty` is configured on the host.
- Added the `--chef-license` CLI flag to `chef-apply` and `chef-solo` commands.
-# Chef Infra Client 15.0.298
+# What's New in 15.0.298
This release includes critical bugfixes for the 15.0 release:
- Allow accepting the license on non-interactive Windows sessions
@@ -1336,7 +1447,7 @@ This release includes critical bugfixes for the 15.0 release:
- Avoid failures due to Train::Transports::SSHFailed class not being loaded in `knife bootstrap`
- Resolve failures using the ca_trust_file option with `knife bootstrap`
-# Chef Infra Client 15.0.293
+# What's New in 15.0.293
## Chef Client is now Chef Infra Client
@@ -1745,7 +1856,7 @@ The `refresh_plugins` method in the `Ohai::System` class has been removed as it
The `Virtualization` plugin will no longer detect systems running on the circa ~2005 VirtualPC or VirtualServer hypervisors. These hypervisors were long ago deprecated by Microsoft and support can no longer be tested.
-# Chef Client Release Notes 14.15
+# What's New in 14.15
## Updated Resources
@@ -1769,8 +1880,8 @@ Chef Infra Client is now tested against the following platforms with packages av
### Retired Platforms
- - Chef Infra Clients packages are no longer produced for Windows 2008 R2 as this release reached its end of life on Jan 14th, 2020.
- - Chef Infra Client packages are no longer produced for RHEL 6 on the s390x platform.
+- Chef Infra Clients packages are no longer produced for Windows 2008 R2 as this release reached its end of life on Jan 14th, 2020.
+- Chef Infra Client packages are no longer produced for RHEL 6 on the s390x platform.
## Security Updates
@@ -1782,17 +1893,16 @@ OpenSSL has been updated to 1.0.2u to resolve [CVE-2019-1551](https://cve.mitre.
Ruby has been updated from 2.5.7 to 2.5.8 to resolve the following CVEs:
- - [CVE-2020-16255](https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/): Unsafe Object Creation Vulnerability in JSON (Additional fix)
- - [CVE-2020-10933](https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/): Heap exposure vulnerability in the socket library
-
+- [CVE-2020-16255](https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/): Unsafe Object Creation Vulnerability in JSON (Additional fix)
+- [CVE-2020-10933](https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/): Heap exposure vulnerability in the socket library
-# Chef Client Release Notes 14.14.29
+# What's New in 14.14.29
## Bug Fixes
- - Fixed an error with the `service` and `systemd_unit` resources which would try to re-enable services with an indirect status.
- - The `systemd_unit` resource now logs at the info level.
- - Fixed knife config when it returned a `TypeError: no implicit conversion of nil into String` error.
+- Fixed an error with the `service` and `systemd_unit` resources which would try to re-enable services with an indirect status.
+- The `systemd_unit` resource now logs at the info level.
+- Fixed knife config when it returned a `TypeError: no implicit conversion of nil into String` error.
## Security Updates
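Review bot: In the re-indented Ruby 2.5.8 list, the first entry is labelled `CVE-2020-16255` but its link target is the ruby-lang.org advisory `json-dos-cve-2020-10663`, so label and URL name different CVEs; confirm which id is intended and make them agree while these lines are being touched. The hunk also removes the blank line before `# What's New in 14.14.29`, leaving the heading directly after the last list item, whereas the 14.11 hunk in this same patch adds a blank line in that position; keep the blank line here too.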
@@ -1800,7 +1910,7 @@ Ruby has been updated from 2.5.7 to 2.5.8 to resolve the following CVEs:
libxslt has been updated to 1.1.34 to resolve [CVE-2019-13118](https://nvd.nist.gov/vuln/detail/CVE-2019-13118).
-# Chef Client Release Notes 14.14.25
+# What's New in 14.14.25
## Bug Fixes
@@ -1809,11 +1919,11 @@ libxslt has been updated to 1.1.34 to resolve [CVE-2019-13118](https://nvd.nist.
- Fixed crash in knife when displaying a missing profile error message
- Fixed knife subcommand --help not working as intended for some commands
- Fixed knife ssh interactive mode exit error
-- Fixed for `:day`` option not accepting integer value in the `windows_task` resource
+- Fixed for `:day` option not accepting integer value in the `windows_task` resource
- Fixed for `user` resource not handling a GID if it is specified as a string
- Fixed the `ifconfig` resource to support interfaces with a `-` in the name
-# Chef Client Release Notes 14.14
+## What's New in 14.14.14
## Platform Updates
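Review bot: The replacement heading `## What's New in 14.14.14` departs from every other rename in this patch in two ways: it is `##` rather than `#`, and the version changes from 14.14 to 14.14.14. Following the pattern of the other headings it should read `# What's New in 14.14`; as written this release nests under the 14.14.25 section and shows a version the removed line did not have.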
@@ -1901,12 +2011,13 @@ Knife now fails with a descriptive error message when attempting to bootstrap no
### Ruby
Ruby has been updated from 2.5.5 to 2.5.7 in order to resolve the following CVEs:
- - [CVE-2012-6708](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708)
- - [CVE-2015-9251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
- - [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845).
- - [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
- - [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254).
- - [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255).
+
+- [CVE-2012-6708](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708)
+- [CVE-2015-9251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
+- [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845).
+- [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
+- [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254).
+- [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255).
### openssl
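Review bot: The re-indented Ruby CVE list keeps two mismatched links: `[CVE-2019-16201]` points at `name=CVE-2019-15845`, and `[CVE-2019-15845]` points at `name=CVE-2015-9251`. Each link target should carry the same CVE id as its label, otherwise readers checking exposure land on the wrong advisory. The trailing periods are also inconsistent (the first entry has none); drop them from all entries.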
@@ -1916,7 +2027,7 @@ openssl has been updated from 1.0.2s to 1.0.2t in order to resolve [CVE-2019-156
nokogiri has been updated from 1.10.2 to 1.10.4 in order to resolve [CVE-2019-5477](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477).
-# Chef Infra Client Release Notes 14.13:
+# What's New in 14.13
## Updated Resources
@@ -1957,7 +2068,7 @@ The `CHEF-25` deprecation for resource collisions between cookbooks and resource
- openssl 1.0.2r -> 1.0.2s (bugfix only release)
- cacerts 2019-01-23 -> 2019-05-15
-# Chef Client Release Notes 14.12.9:
+# What's New in 14.12.9
## License Acceptance Placeholder Flag
@@ -1969,7 +2080,7 @@ In preparation for Chef Infra Client 15.0 we've added a placeholder `--chef-lice
- You may now encrypt a previously unencrypted data bag.
- Resolved a regression introduced in Chef Infra Client 14.12.3 that resulted in errors when managing Windows services
-# Chef Infra Client Release Notes 14.12.3:
+# What's New in 14.12.3
## Updated Resources
@@ -1988,7 +2099,7 @@ The windows_certificate resource now imports nested certificates while importing
- InSpec 3.7.1 -> 3.9.0
- The unused windows-api gem is no longer bundled with Chef on Windows hosts
-# Chef Infra Client Release Notes 14.11:
+# What's New in 14.11
## Updated Resources
@@ -2035,14 +2146,15 @@ OpenSSL has been updated to 1.0.2r in order to resolve [CVE-2019-1559](https://c
### RubyGems
RubyGems has been updated to 2.7.9 in order to resolve the following CVEs:
- - [CVE-2019-8320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320): Delete directory using symlink when decompressing tar
- - [CVE-2019-8321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321): Escape sequence injection vulnerability in verbose
- - [CVE-2019-8322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322): Escape sequence injection vulnerability in gem owner
- - [CVE-2019-8323](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323): Escape sequence injection vulnerability in API response handling
- - [CVE-2019-8324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324): Installing a malicious gem may lead to arbitrary code execution
- - [CVE-2019-8325](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325): Escape sequence injection vulnerability in errors
-# Chef Client Release Notes 14.10:
+- [CVE-2019-8320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320): Delete directory using symlink when decompressing tar
+- [CVE-2019-8321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321): Escape sequence injection vulnerability in verbose
+- [CVE-2019-8322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322): Escape sequence injection vulnerability in gem owner
+- [CVE-2019-8323](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323): Escape sequence injection vulnerability in API response handling
+- [CVE-2019-8324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324): Installing a malicious gem may lead to arbitrary code execution
+- [CVE-2019-8325](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325): Escape sequence injection vulnerability in errors
+
+# What's New in 14.10
## Updated Resources
@@ -2076,7 +2188,7 @@ Chef's Audit mode was introduced in 2015 as a beta that needed to be enabled via
Cookbook shadowing was deprecated in 0.10 and will be removed in Chef Infra Client 15 (April 2019). Cookbook shadowing allowed combining cookbooks within a mono-repo, so long as the cookbooks in question had the same name and were present in both the cookbooks directory and the site-cookbooks directory.
-# Chef Client Release Notes 14.9:
+# What's New in 14.9
## Updated Resources
@@ -2136,7 +2248,7 @@ InSpec has been updated from 3.0.64 to 3.2.6 with improved resources for auditin
The necessary VC++ runtimes for the powershell_exec helper are now bundled with Chef to prevent failures on hosts that lacked the runtimes.
-# Chef Client Release Notes 14.8:
+# What's New in 14.8
## Updated Resources
@@ -2185,6 +2297,7 @@ A regression was resolved that prevented ChefSpec from testing the windows_task
Detection of Linux guests running on Hyper-V has been improved. In addition, Linux guests on Hyper-V hypervisors will also now detect their hypervisor's hostname. Thank you [@safematix](https://github.com/safematix) for contributing this enhancement.
Example `node['virtualization']` data:
+
```json
{
"systems": {
@@ -2218,10 +2331,11 @@ BSD-based systems can now detect guests running on KVM and Amazon's hypervisor w
### OpenSSL
OpenSSL has been updated to 1.0.2q in order to resolve:
-- Microarchitecture timing vulnerability in ECC scalar multiplication ([CVE-2018-5407](https://nvd.nist.gov/vuln/detail/CVE-2018-5407))
+
+- Microarchitecture timing vulnerability in ECC scalar multiplication [CVE-2018-5407](https://nvd.nist.gov/vuln/detail/CVE-2018-5407)
- Timing vulnerability in DSA signature generation ([CVE-2018-0734](https://nvd.nist.gov/vuln/detail/CVE-2018-0734))
-# Chef Client Release Notes 14.7:
+# What's New in 14.7
## New Resources
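Review bot: The rewritten CVE-2018-5407 bullet drops the parentheses around the link, while the CVE-2018-0734 bullet directly below keeps them. Keep both entries in the same form; restoring the parentheses is the smaller change.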
@@ -2267,7 +2381,7 @@ macOS support has been added to the timezone resource.
A regression in Chef 14.6's windows_task resource which resulted in tasks being created with the "Run only when user is logged on" option being set when created with a specific user other than SYSTEM, has been resolved.
-# Chef Client Release Notes 14.6:
+# What's New in 14.6
## Smaller Package and Install Size
@@ -2317,7 +2431,7 @@ end
## InSpec 3.0
-Inspec has been updated to version 3.0 with addition resources, exception handling, and a new plugin system. See https://blog.chef.io/2018/10/16/announcing-inspec-3-0/ for details.
+Inspec has been updated to version 3.0 with addition resources, exception handling, and a new plugin system. See <https://blog.chef.io/2018/10/16/announcing-inspec-3-0/> for details.
## macOS Mojave (10.14)
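Review bot: The rewritten line wraps the URL in angle brackets but leaves "Inspec has been updated to version 3.0 with addition resources" untouched: the product name is spelled "InSpec" in the heading just above, and "addition" should be "additional". Fix both in the same line.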
@@ -2357,19 +2471,21 @@ The system_profile plugin will be removed from Chef/Ohai 15 in April 2019. This
### Ruby 2.5.3
Ruby has been updated to from 2.5.1 to 2.5.3 to resolve multiple CVEs and bugs:
+
- [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/)
- [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/)
-# Chef Client Release Notes 14.5.33:
+# What's New in 14.5.33
This release resolves a regression that caused the ``windows_ad_join`` resource to fail to run. It also makes the following additional fixes:
- - The ``ohai`` resource's unused ``ohai_name`` property has been deprecated. This will be removed in Chef Infra Client 15.0.
- - Error messages in the ``windows_feature`` resources have been improved.
- - The ``windows_service`` resource will no longer log potentially sensitive information if the ``sensitive`` property is used.
+
+- The ``ohai`` resource's unused ``ohai_name`` property has been deprecated. This will be removed in Chef Infra Client 15.0.
+- Error messages in the ``windows_feature`` resources have been improved.
+- The ``windows_service`` resource will no longer log potentially sensitive information if the ``sensitive`` property is used.
Thanks to @cpjones01, @kitforbes, and @dgreeninger for their help with this release.
-# Chef Client Release Notes 14.5.27:
+# What's New in 14.5.27
## New Resources
@@ -2402,11 +2518,12 @@ Thanks [@derekgroh](https://github.com/derekgroh) for contributing this new prop
## InSpec 2.2.102
InSpec has been updated from 2.2.70 to 2.2.102. This new version includes the following improvements:
- - Support for using ERB templating within the .yml files
- - HTTP basic auth support for fetching dependent profiles
- - A new global attributes concept
- - Better error handling with Automate reporting
- - Vendor command now vendors profiles when using path://
+
+- Support for using ERB templating within the .yml files
+- HTTP basic auth support for fetching dependent profiles
+- A new global attributes concept
+- Better error handling with Automate reporting
+- Vendor command now vendors profiles when using path://
## Ohai 14.5
@@ -2428,7 +2545,7 @@ Ohai now properly handles relative paths to config files when running on the com
The rubyzip gem has been updated to 1.2.2 to resolve [CVE-2018-1000544](https://www.cvedetails.com/cve/CVE-2018-1000544/)
-# Chef Client Release Notes 14.4:
+# What's New in 14.4
## Knife configuration profile management commands
@@ -2535,10 +2652,11 @@ Thank you [@dbresson](https://github.com/dbresson) for this contribution.
### OpenSSL
OpenSSL updated to 1.0.2p to resolve:
+
- Client DoS due to large DH parameter ([CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732))
- Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737))
-# Chef Client Release Notes 14.3:
+# What's New in 14.3
## New Preview Resources Concept
@@ -2734,7 +2852,7 @@ See [CHEF-26 Deprecation Page](https://docs.chef.io/deprecations_shell_out) for
Chef Infra Client 15 will remove support for the legacy FreeBSD pkg format. We will continue to support the pkgng format introduced in FreeBSD 10.
-# Chef Client Release Notes 14.2:
+# What's New in 14.2:
## `ssh-agent` support for user keys
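Review bot: `# What's New in 14.2:` keeps the trailing colon that the other renamed headings in this patch drop (for example `# What's New in 14.3` and `# What's New in 14.1.12`). Remove it so the headings are uniform.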
@@ -2765,7 +2883,7 @@ Chef now bundles the inspec-core and train-core gems, which omit many cloud depe
Ohai now detects the virtualization hypervisor `amazonec2` when running on Amazon's new C5/M5 instances.
-# Chef Client Release Notes 14.1.12:
+# What's New in 14.1.12
This release resolves a number of regressions in 14.1.1:
@@ -2782,13 +2900,13 @@ This release resolves a number of regressions in 14.1.1:
- `shard` plugin: work in FIPS compliant environments
- `filesystem` plugin: Handle BSD platforms
-# Chef Client Release Notes 14.1.1:
+# What's New in 14.1.1
## Platform Additions
Enable Ubuntu-18.04 and Debian-9 tested chef-client packages.
-# Chef Client Release Notes 14.1:
+# What's New in 14.1
## Windows Task
@@ -2832,7 +2950,7 @@ The Shard plugin has been returned to a default plugin rather than an optional o
A new plugin to enumerate SCSI devices has been added. This plugin is optional.
-# Chef Client Release Notes 14.0.202:
+# What's New in 14.0.202
This release of Chef 14 resolves several regressions in the Chef 14.0 release.
@@ -2841,7 +2959,7 @@ This release of Chef 14 resolves several regressions in the Chef 14.0 release.
- `yum_package` changed the order of `disablerepo` and `enablerepo` options
- Depsolving large numbers of cookbooks with chef zero/local took a very long time
-# Chef Client Release Notes 14.0:
+# What's New in 14.0
## New Resources
@@ -3259,7 +3377,7 @@ optional_plugins in the client.rb file:
optional_plugins [ "lspci", "passwd" ]
```
-# Chef Client Release Notes 13.12.14
+# What's New in 13.12.14
## Bugfixes
@@ -3290,7 +3408,7 @@ RubyGems has been updated to 2.7.9 in order to resolve the following CVEs:
- [CVE-2019-8324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324): Installing a malicious gem may lead to arbitrary code execution
- [CVE-2019-8325](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325): Escape sequence injection vulnerability in errors
-# Chef Client Release Notes 13.12.3
+# What's New in 13.12.3
## Smaller Package and Install Size
@@ -3338,7 +3456,7 @@ Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as
- [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/)
- [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/)
-# Chef Client Release Notes 13.11
+# What's New in 13.11
### Sensitive Properties on Windows
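Review bot: The context line `### Sensitive Properties on Windows` sits directly under the new top-level heading `# What's New in 13.11`, skipping a heading level, whereas the other release sections touched by this patch open with `##` subsections. Since the section title is being edited anyway, change the subsection to `## Sensitive Properties on Windows`.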
@@ -3362,7 +3480,7 @@ Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as
- Updated Rubyzip to 1.2.2 to resolve [CVE-2018-1000544](https://nvd.nist.gov/vuln/detail/CVE-2018-1000544)
-# Chef Client Release Notes 13.10
+# What's New in 13.10
## Bugfixes
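Review bot: The section line shown in this hunk's header reads `Ruby has been updated to from 2.4.4 to 2.4.5`, with a stray `to`. While these release notes are being tidied, correct it to `updated from 2.4.4 to 2.4.5`.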
@@ -3381,7 +3499,7 @@ Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as
- CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS
-# Chef Client Release Notes 13.9.X:
+# What's New in 13.9.X:
## Security Updates
@@ -3425,13 +3543,13 @@ The whitelist of DMI IDs is now user configurable using the `additional_dmi_ids`
The Filesystem2 functionality has been backported to BSD systems to provide a consistent filesystem format.
-# Chef Client Release Notes 13.9.1:
+# What's New in 13.9.1:
## Platform Additions
Enable Ubuntu-18.04 and Debian-9 tested chef-client packages.
-# Chef Client Release Notes 13.9:
+# What's New in 13.9:
- On Windows, the installer now correctly re-extracts files during repair mode
- The mount resource will now not create duplicate entries when the device type differs
@@ -3509,7 +3627,7 @@ end
- Use the current Azure metadata endpoint
- Correctly detect macOS guests on VMware and VirtualBox
-# Chef Client Release Notes 13.8:
+# What's New in 13.8:
## Revert attributes changes from 13.7
@@ -3523,7 +3641,7 @@ Per <https://discourse.chef.io/t/regression-in-chef-client-13-7-16/12518/1> , th
- Updated libxml2 to 2.9.7; fixes: CVE-2017-15412
-# Chef Client Release Notes 13.7:
+# What's New in 13.7:
## The `windows_task` Resource should be better behaved
@@ -3586,7 +3704,7 @@ The EC2 plugin has been updated to properly detect the new AWS hypervisor used i
The mdadm plugin has been updated to properly handle arrays with more than 10 disks and to properly handle journal and spare drives in the disk counts
-# Chef Client Release Notes 13.6.4:
+# What's New in 13.6.4:
## Bugfixes
@@ -3597,7 +3715,7 @@ The mdadm plugin has been updated to properly handle arrays with more than 10 di
- OpenSSL has been upgraded to 1.0.2m to resolve CVE-2017-3735 and CVE-2017-3736
- RubyGems has been upgraded to 2.6.14 to resolve CVE-2017-0903
-# Chef Client Release Notes 13.6:
+# What's New in 13.6:
## `deploy` Resource Is Deprecated
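Review bot: The OpenSSL and RubyGems lines above the renamed 13.6 heading give CVE-2017-3735, CVE-2017-3736 and CVE-2017-0903 as bare identifiers, while other security entries in this patch (the OpenSSL 1.0.2p and RubyGems 2.7.9 lists) link each CVE to its advisory. Link these three as well so every security update in the notes can be followed to its source.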
@@ -3643,7 +3761,7 @@ The Packages plugin now supports gathering packages data on Amazon Linux
In Ohai 13 we replaced the filesystem and cloud plugins with the filesystem2 and cloud_v2 plugins. To maintain compatibility with users of the previous V2 plugins we write data to both locations. We had originally planned to continue writing data to both locations until Chef Infra Client 15. Instead due to the large amount of duplicate node data this introduces we are updating OHAI-11 and OHAI-12 deprecations to remove node['cloud_v2'] and node['filesystem2'] with the release of Chef 14 in April 2018.
-# Chef Client Release Notes 13.5:
+# What's New in 13.5:
## Mount's password property is now marked as sensitive
@@ -3665,7 +3783,7 @@ Previously we would ignore routes that ended `::`, and now we properly detect th
Debug logs will show the length of time each plugin takes to run, making debugging of long ohai runs easier.
-# Chef Client Release Notes 13.4:
+# What's New in 13.4:
## Security release of Ruby
@@ -3881,7 +3999,7 @@ Sample data now available under azure:
The Package plugin has been updated to include package information on Arch Linux systems.
-# Chef Client Release Notes 13.3:
+# What's New in 13.3:
## Unprivileged Symlink Creation on Windows
@@ -4002,7 +4120,7 @@ Ohai now properly detects the [F5 Big-IP](https://www.f5.com/) platform and plat
- platform: bigip
- platform_family: rhel
-# Chef Client Release Notes 13.2:
+# What's New in 13.2:
## Properly send policyfile data
@@ -4389,7 +4507,7 @@ Chef Client will only exit with exit codes defined in RFC 062\. This allows othe
When Chef Client is running as a forked process on unix systems, the standardized exit codes are used by the child process. To actually have Chef Client return the standard exit code, `client_fork false` will need to be set in Chef Client's configuration file.
-# Chef Client Release Notes 12.22:
+# What's New in 12.22:
## Security Updates
@@ -4415,7 +4533,7 @@ The new LsPci plugin provides a node[:pci] hash with information about the PCI b
The virtualization plugin has been updated to properly detect when running on Docker CE
-# Chef Client Release Notes 12.21:
+# What's New in 12.21:
## Security Fixes
@@ -4467,7 +4585,7 @@ When Chef crashes, the output now includes details about the platform
and version of Chef that was running, so that a bug report has more
detail from the off.
-# Chef Client Release Notes 12.19:
+# What's New in 12.19:
## Highlighted enhancements for this release:
diff --git a/cspell.json b/cspell.json
index 1c2e44c8a8..ecebba32fb 100644
--- a/cspell.json
+++ b/cspell.json
@@ -2200,7 +2200,10 @@
"zypp",
"Zypper",
"zypper",
- "Ásgeirsson"
+ "Ásgeirsson",
+ "damacus",
+ "sfiggins",
+ "aklyachkin"
],
// flagWords - list of words to be always considered incorrect
// This is useful for offensive words and common spelling errors.
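Review bot: The three new entries are appended after `"Ásgeirsson"` in the order damacus, sfiggins, aklyachkin, while the visible tail of the list (`"zypp"`, `"Zypper"`, `"zypper"`) is sorted. Insert each name at its alphabetical position instead; that keeps the word list easy to scan and avoids merge conflicts when several pull requests add names at the end of the array.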