author: Tim Smith <tsmith@chef.io> 2020-02-10 12:54:22 -0800
committer: GitHub <noreply@github.com> 2020-02-10 12:54:22 -0800
commit: cbcfd9a0b7c8f69e1770a055132bb8caa2fbc3b7
tree: a2baed56f3fadefd86758b16ab6b205dd26e6c43
parent: 3fe96500944129c024c5276967eae6219b5d76ad
Add Chef Infra Client 15.8 release notes (#9325)
* Add Chef Infra Client 15.8 release notes

Release notes for 15.8

Signed-off-by: Tim Smith <tsmith@chef.io>
Co-Authored-By: Ian Maddaus <IanMadd@users.noreply.github.com>

* Document notify_group

Signed-off-by: Tim Smith <tsmith@chef.io>

* Update RELEASE_NOTES.md

Signed-off-by: Tim Smith <tsmith@chef.io>
Co-Authored-By: Ian Maddaus <IanMadd@users.noreply.github.com>

* Update RELEASE_NOTES.md

Signed-off-by: Tim Smith <tsmith@chef.io>
Co-Authored-By: Ian Maddaus <IanMadd@users.noreply.github.com>

* Update RELEASE_NOTES.md

Signed-off-by: Tim Smith <tsmith@chef.io>
Co-Authored-By: Ian Maddaus <IanMadd@users.noreply.github.com>

* Update RELEASE_NOTES.md

Signed-off-by: Tim Smith <tsmith@chef.io>
Co-Authored-By: Ian Maddaus <IanMadd@users.noreply.github.com>

* Update RELEASE_NOTES.md

Signed-off-by: Tim Smith <tsmith@chef.io>
Co-Authored-By: Ian Maddaus <IanMadd@users.noreply.github.com>

* Update RELEASE_NOTES.md

Signed-off-by: Tim Smith <tsmith@chef.io>
Co-Authored-By: Ian Maddaus <IanMadd@users.noreply.github.com>

Co-authored-by: Ian Maddaus <IanMadd@users.noreply.github.com>

-rw-r--r-- RELEASE_NOTES.md 751
1 files changed, 437 insertions, 314 deletions
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index e1a634addd..464701c2af 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,8 +1,127 @@
This file holds "in progress" release notes for the current release under development and is intended for consumption by the Chef Documentation team. Please see <https://docs.chef.io/release_notes.html> for the official Chef release notes.
-# UNRELEASED
+# Chef Infra Client 15.8
-### sysctl now accepts a comments parameter
+## New notify_group functionality
+
+Chef Infra Client now includes a new `notify_group` feature that can be used to extract multiple common notifies out of individual resources to reduce duplicate code in your cookbooks and custom resources. Previously cookbook authors would often use a `log` resource to achieve a similar outcome, but using the log resource results in unnecessary Chef Infra Client log output. The `notify_group` method produces no additional logging, but fires all defined notifications when the `:run` action is set.
+
+Example notify_group that stops, sleeps, and then starts service when a service config is updated:
+
+```ruby
+ service "crude" do
+ action [ :enable, :start ]
+ end
+
+ chef_sleep "60" do
+ action :nothing
+ end
+
+ notify_group "crude_stop_and_start" do
+ notifies :stop, "service[crude]", :immediately
+ notifies :sleep, "chef_sleep[60]", :immediately
+ notifies :start, "service[crude]", :immediately
+ end
+
+ template "/etc/crude/crude.conf" do
+ source "crude.conf.erb"
+ variables node["crude"]
+ notifies :run, "notify_group[crude_stop_and_start]", :immediately
+ end
+```
+
+## Chef InSpec 4.18.85
+
+Chef InSpec has been updated from 4.18.39 to 4.18.85. This release includes a large number of bug fixes in addition to some great resource enhancements:
+
+* The service resource features new support for yocto-based linux distributions. Thank you to [@michaellihs](https://github.com/michaellihs) for this addition!
+* The package resource now includes support for FreeBSD. Thank you to [@fzipi](https://github.com/fzipi) for this work!
+* We standardized the platform for the etc_hosts, virtualization, ini, and xml resources.
+* The oracledb_session resource works again due to a missing quote fix.
+* The groups resource on macOS no longer reports duplicates anymore.
+command.exist? now conforms to POSIX standards. Thanks to [@PiQuer](https://github.com/PiQuer)!
+* Changed the postfix_conf resource's supported platform to the broader unix. Thank you to [@fzipi](https://github.com/fzipi) for this fix!
+
+## New Cookbook Helpers
+
+New helpers have been added to make writing cookbooks easier.
+
+### Platform Version Helpers
+
+New helpers for checking platform versions have been added. These helpers return parsed version strings so there's no need to convert the returned values to Integers or Floats before comparing them. Additionally, comparisons with version objects properly understand the order of versions so `5.11` will compare as larger than `5.9`, whereas converting those values to Floats would result in `5.9` being larger than `5.11`.
+
+* `windows_nt_version` returns the NT kernel version which often differs from Microsoft's marketing versions. This helper offers a good way to find desktop and server releases that are based on the same codebase. For example, NT 6.3 is both Windows 8.1 and Windows 2012 R2.
+* `powershell_version` returns the version of PowerShell installed on the system.
+* `platform_version` returns the value of node['platform_version'].
+
+Example comparison using windows_nt_version:
+
+```ruby
+if windows_nt_version >= 10
+ some_modern_windows_things
+end
+```
+
+### Cloud Helpers
+
+The cloud helpers from chef-sugar have been ported to Chef Infra Client:
+
+* `cloud?` - if the node is running in any cloud, including internal clouds
+* `ec2?` - if the node is running in ec2
+* `gce?` - if the node is running in gce
+* `rackspace?` - if the node is running in rackspace
+* `eucalyptus?` - if the node is running under eucalyptus
+* `linode?` - if the node is running in linode
+* `openstack?` - if the node is running under openstack
+* `azure?` - if the node is running in azure
+* `digital_ocean?` - if the node is running in digital ocean
+* `softlayer?` - if the node is running in softlayer
+
+### Virtualization Helpers
+
+The virtualization helpers from chef-sugar have been ported to Chef Infra Client and extended with helpers to detect hypervisor hosts, physical, and guest systems.
+
+* `kvm?` - if the node is a kvm guest
+* `kvm_host?` - if the node is a kvm host
+* `lxc?` - if the node is an lxc guest
+* `lxc_host?` - if the node is an lxc host
+* `parallels?`- if the node is a parallels guest
+* `parallels_host?`- if the node is a parallels host
+* `vbox?` - if the node is a virtualbox guest
+* `vbox_host?` - if the node is a virtualbox host
+* `vmware?` - if the node is a vmware guest
+* `vmware_host?` - if the node is a vmware host
+* `openvz?` - if the node is an openvz guest
+* `openvz_host?` - if the node is an openvz host
+* `guest?` - if the node is detected as any kind of guest
+* `hypervisor?` - if the node is detected as being any kind of hypervisor
+* `physical?` - the node is not running as a guest (may be a hypervisor or may be bare-metal)
+* `vagrant?` - attempts to identify the node as a vagrant guest (this check may be error-prone)
+
+### include_recipe? helper
+
+chef-sugar's `include_recipe?` has been added to Chef Infra Client providing a simple way to see if a recipe has been included on a node already.
+
+Example usage in a not_if conditional:
+
+```ruby
+execute 'install my_app'
+ command '/tmp/my_app_install.sh'
+ not_if { include_recipe?('my_app::install') }
+end
+```
+
+## Updated Resources
+
+### ifconfig
+
+The `ifconfig` resource now supports the newer `ifconfig` release that ships in Debian 10.
+
+### mac_user
+
+The `mac_user` resource, used when creating a user on Mac systems, has been improved to work better with macOS Catalina (10.15). The resource now properly looks up the numeric GID when creating a user, once again supports the `system` property, and includes a new `hidden` property which prevents the user from showing on the login screen. Thanks [@chilcote](https://github.com/chilcote) for these fixes and improvements.
+
+### sysctl
The `sysctl` resource has been updated to allow the inclusion of descriptive comments. Comments may be passed as an array or as a string. Any comments provided are prefixed with '#' signs and precede the `sysctl` setting in generated files.
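Review bot: The `include_recipe?` example is not valid Ruby: `execute 'install my_app'` is missing its `do`, so the closing `end` has no block to terminate and anyone pasting the snippet gets a syntax error. It should read `execute 'install my_app' do`. In the Chef InSpec 4.18.85 list, the `command.exist? now conforms to POSIX standards` line has no leading `* ` and will render as a continuation of the macOS groups bullet, and "no longer reports duplicates anymore" can drop "anymore". Smaller points in the same hunk: `node['platform_version']` in the `platform_version` bullet should be in backticks like the other identifiers, and the `parallels?` and `parallels_host?` bullets are missing the space before the hyphen.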
@@ -36,6 +155,10 @@ which results in `/etc/sysctl.d/99-chef-vm.swappiness.conf` as follows:
vm.swappiness = 10
```
+## Platform Support
+
+* Chef Infra Clients packages are now validated for Debian 10.
+
# Chef Infra Client 15.7
## Updated Resources
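Review bot: "Chef Infra Clients packages" in the new Debian 10 bullet should be "Chef Infra Client packages", which is the form the RHEL 6 bullet in the 15.7 Platform Support section already uses.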
@@ -48,10 +171,10 @@ The `archive_file` resource will now only change ownership on files and director
The `cron` and `cron_d` resources now include a `timeout` property, which allows you to configure actions to perform when a job times out. This property accepts a hash of timeout configuration options:
-- `preserve-status`: `true`/`false` with a default of `false`
-- `foreground`: `true`/`false` with a default of `false`
-- `kill-after`: `Integer` for the timeout in seconds
-- `signal`: `String` or `Integer` to send to the process such as `HUP`
+* `preserve-status`: `true`/`false` with a default of `false`
+* `foreground`: `true`/`false` with a default of `false`
+* `kill-after`: `Integer` for the timeout in seconds
+* `signal`: `String` or `Integer` to send to the process such as `HUP`
### launchd
@@ -73,7 +196,7 @@ The `windows_task` resource is now idempotent when a system is joined to a domai
### x509_certificate
-The `x509_certificate` resource now includes a new `renew_before_expiry` property that allows you to auto renew certicates a specified number of days before they expire. Thanks [@julienhuon](https://github.com/julienhuon/) for this improvement.
+The `x509_certificate` resource now includes a new `renew_before_expiry` property that allows you to auto renew certificates a specified number of days before they expire. Thanks [@julienhuon](https://github.com/julienhuon/) for this improvement.
## Additional Recipe Helpers
@@ -93,16 +216,16 @@ Returns `true` if the system is a Windows Server Core edition.
## Notable Changes and Fixes
-- `knife upload` and `knife cookbook upload` will now generate a metadata.json file from metadata.rb when uploading a cookbook to the Chef Infra Server.
-- A bug in `knife bootstrap` behavior that caused failures when bootstrapping Windows hosts from non-Windows hosts and vice versa has been resolved.
-- The existing system path is now preserved when bootstrapping Windows nodes. Thanks for this fix, [@Xorima](https://github.com/Xorima/).
-- Ohai now properly returns the drive name on Windows and includes new drive_type fields to allow you to determine the type of attached disk. Thanks for this improvement [@sshock](https://github.com/sshock/).
-- Ohai has been updated to properly return DMI data to Chef Infra Client. Thanks for troubleshooting this, [@zmscwx](https://github.com/zmscwx) and [@Sliim](https://github.com/Sliim).
+* `knife upload` and `knife cookbook upload` will now generate a metadata.json file from metadata.rb when uploading a cookbook to the Chef Infra Server.
+* A bug in `knife bootstrap` behavior that caused failures when bootstrapping Windows hosts from non-Windows hosts and vice versa has been resolved.
+* The existing system path is now preserved when bootstrapping Windows nodes. Thanks for this fix, [@Xorima](https://github.com/Xorima/).
+* Ohai now properly returns the drive name on Windows and includes new drive_type fields to allow you to determine the type of attached disk. Thanks for this improvement [@sshock](https://github.com/sshock/).
+* Ohai has been updated to properly return DMI data to Chef Infra Client. Thanks for troubleshooting this, [@zmscwx](https://github.com/zmscwx) and [@Sliim](https://github.com/Sliim).
## Platform Support
-- Chef Infra Clients packages are no longer produced for Windows 2008 R2 as this release reached its end of life on Jan 14th, 2020.
-- Chef Infra Client packages are no longer produced for RHEL 6 on the s390x platform. Builds will continue to be published for RHEL 7 on the s390x platform.
+* Chef Infra Clients packages are no longer produced for Windows 2008 R2 as this release reached its end of life on Jan 14th, 2020.
+* Chef Infra Client packages are no longer produced for RHEL 6 on the s390x platform. Builds will continue to be published for RHEL 7 on the s390x platform.
## Security Updates
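Review bot: The Windows 2008 R2 bullet is being rewritten for the list marker but still carries "Chef Infra Clients packages"; since the line is touched anyway, correct it to "Chef Infra Client packages" so it matches the RHEL 6 bullet directly below it.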
@@ -154,7 +277,7 @@ We've also updated the `windows_package` resource. The resource will now provide
Chef Infra Client now includes a new `chef-utils` gem, which ships with a large number of helpers to make writing cookbooks easier. Many of these helpers existed previously in the `chef-sugar` gem. We have renamed many of the named helpers for consistency, while providing backwards compatibility with existing `chef-sugar` names. Existing cookbooks written with `chef-sugar` should work unmodified with any of these new helpers. Expect a Cookstyle rule in the near future to help you update existing `chef-sugar` code to use the newer built-in helpers.
-For more information all all of the new helpers available, see the [chef-utils readme](https://github.com/chef/chef/blob/master/chef-utils/README.md)
+For more information all of the new helpers available, see the [chef-utils readme](https://github.com/chef/chef/blob/master/chef-utils/README.md)
## Chefignore Improvements
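Review bot: The corrected sentence is still ungrammatical: removing the duplicated "all" leaves "For more information all of the new helpers available", where the original typo was almost certainly meant to be "on all". Suggest "For more information on all of the new helpers available, see the [chef-utils readme](...)." with a closing period.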
@@ -172,16 +295,16 @@ This release of Chef Infra Client ships with several optimizations to our Ruby i
Chef InSpec has been updated from 4.17.17 to 4.18.38. This release includes a large number of bug fixes in addition to some great resource enhancements:
-- Inputs can now be used within a `describe.one` block
-- The `service` resource now includes a `startname` property for Windows and systemd services
-- The `interface` resource now includes a `name` property
-- The `user` resource now better supports Windows with the addition of `passwordage`, `maxbadpasswords`, and `badpasswordattempts` properties
-- The `nginx` resource now includes parsing support for wildcard, dot prefix, and regex
-- The `iis_app_pool` resource now handles empty app pools
-- The `filesystem` resource now supports devices with very long names
-- The `apt` better handles URIs and supports repos with an `arch`
-- The `oracledb_session` has received multiple fixes to make it work better
-- The `npm` resource now works under sudo on Unix and on Windows with a custom PATH
+* Inputs can now be used within a `describe.one` block
+* The `service` resource now includes a `startname` property for Windows and systemd services
+* The `interface` resource now includes a `name` property
+* The `user` resource now better supports Windows with the addition of `passwordage`, `maxbadpasswords`, and `badpasswordattempts` properties
+* The `nginx` resource now includes parsing support for wildcard, dot prefix, and regex
+* The `iis_app_pool` resource now handles empty app pools
+* The `filesystem` resource now supports devices with very long names
+* The `apt` better handles URIs and supports repos with an `arch`
+* The `oracledb_session` has received multiple fixes to make it work better
+* The `npm` resource now works under sudo on Unix and on Windows with a custom PATH
## New Resources
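Review bot: Two of the bullets being re-marked here are missing the word "resource": "The `apt` better handles URIs" and "The `oracledb_session` has received multiple fixes". Every other bullet in this list says "The `x` resource", so these two are worth fixing in the same pass.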
@@ -230,18 +353,18 @@ Chef Infra Client will now take into account any `default` values specified in c
Several improvements have been made to the `knife bootstrap` command to make it more reliable and secure:
-- File creation is now wrapped in a umask to avoid potential race conditions
-- `NameError` and `RuntimeError` failures during bootstrap have been resolved
-- `Undefined method 'empty?' for nil:NilClass` during bootstrap have been resolved
-- Single quotes in attributes during bootstrap no longer result in bootstrap failures
-- The bootstrap command no longer appears in PS on the host while bootstrapping is running
+* File creation is now wrapped in a umask to avoid potential race conditions
+* `NameError` and `RuntimeError` failures during bootstrap have been resolved
+* `Undefined method 'empty?' for nil:NilClass` during bootstrap have been resolved
+* Single quotes in attributes during bootstrap no longer result in bootstrap failures
+* The bootstrap command no longer appears in PS on the host while bootstrapping is running
## knife supermarket list Improvements
The `knife supermarket list` command now includes two new options:
-- `--sort-by [recently_updated recently_added most_downloaded most_followed]`: Sort cookbooks returned from the Supermarket API
-- `--owned_by`: Limit returned cookbooks to a particular owner
+* `--sort-by [recently_updated recently_added most_downloaded most_followed]`: Sort cookbooks returned from the Supermarket API
+* `--owned_by`: Limit returned cookbooks to a particular owner
## Updated Resources
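Review bot: The two `knife supermarket list` options are spelled inconsistently, `--sort-by` with a hyphen and `--owned_by` with an underscore; please confirm the second against the command's actual option definition, since a user copying the wrong form will get an unknown-option error. In the bootstrap list, "no longer appears in PS" should name the tool as `ps` so it is clear this is about the command line being visible in the process list, and the `Undefined method 'empty?' for nil:NilClass` bullet needs a noun ("failures ... have been resolved") to agree with the plural verb.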
@@ -300,10 +423,10 @@ The `windows_share` resource is now fully idempotent by better validating the pr
Ruby has been updated from 2.6.4 to 2.6.5 in order to resolve the following CVEs:
-- [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255): A code injection vulnerability of Shell#[] and Shell#test
-- [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254): HTTP response splitting in WEBrick (Additional fix)
-- [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845): A NUL injection vulnerability of File.fnmatch and File.fnmatch?
-- [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201): Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication
+* [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255): A code injection vulnerability of Shell#[] and Shell#test
+* [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254): HTTP response splitting in WEBrick (Additional fix)
+* [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845): A NUL injection vulnerability of File.fnmatch and File.fnmatch?
+* [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201): Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication
# Chef Infra Client 15.3
@@ -387,10 +510,10 @@ Chef Infra Client is now validated against AIX 7.2 with packages now available a
Chef InSpec has been updated from 4.10.4 to 4.16.0 with the following changes:
-- A new `postfix_conf` has been added for inspecting Postfix configuration files.
-- A new `plugins` section has been added to the InSpec configuration file which can be used to pass secrets or other configurations into Chef InSpec plugins.
-- The `service` resource now includes a new `startname` property for determining which user is starting the Windows services.
-- The `groups` resource now properly gathers membership information on macOS hosts.
+* A new `postfix_conf` has been added for inspecting Postfix configuration files.
+* A new `plugins` section has been added to the InSpec configuration file which can be used to pass secrets or other configurations into Chef InSpec plugins.
+* The `service` resource now includes a new `startname` property for determining which user is starting the Windows services.
+* The `groups` resource now properly gathers membership information on macOS hosts.
## Security Updates
@@ -456,11 +579,11 @@ Ohai has been updated to 15.2 with the following changes:
Chef InSpec has been updated from 4.6.4 to 4.10.4 with the following changes:
-- Fix handling multiple triggers in the `windows_task` resource
-- Fix exceptions when resources are used with incompatible transports
-- Un-deprecate the `be_running` matcher on the `service` resource
-- Add resource `sys_info.manufacturer` and `sys_info.model`
-- Add `ip6tables` resource
+* Fix handling multiple triggers in the `windows_task` resource
+* Fix exceptions when resources are used with incompatible transports
+* Un-deprecate the `be_running` matcher on the `service` resource
+* Add resource `sys_info.manufacturer` and `sys_info.model`
+* Add `ip6tables` resource
## Security Updates
@@ -542,10 +665,10 @@ Chef Client has a new name, but don't worry, it's the same Chef Client you've gr
Chef Infra Client requires an EULA to be accepted by users before it can run. Users can accept the EULA in a variety of ways:
-- `chef-client --chef-license accept`
-- `chef-client --chef-license accept-no-persist`
-- `CHEF_LICENSE="accept" chef-client`
-- `CHEF_LICENSE="accept-no-persist" chef-client`
+* `chef-client --chef-license accept`
+* `chef-client --chef-license accept-no-persist`
+* `CHEF_LICENSE="accept" chef-client`
+* `CHEF_LICENSE="accept-no-persist" chef-client`
Finally, if users run `chef-client` without any of these options, they will receive an interactive prompt asking for license acceptance. If the license is accepted, a marker file will be written to the filesystem unless `accept-no-persist` is specified. Once this marker file is persisted, users no longer need to set any of these flags.
@@ -977,8 +1100,8 @@ The `CHEF-25` deprecation for resource collisions between cookbooks and resource
## Updated Components
-- openssl 1.0.2r -> 1.0.2s (bugfix only release)
-- cacerts 2019-01-23 -> 2019-05-15
+* openssl 1.0.2r -> 1.0.2s (bugfix only release)
+* cacerts 2019-01-23 -> 2019-05-15
# Chef Infra Client Release Notes 14.12:
@@ -994,10 +1117,10 @@ The windows_certificate resource now imports nested certificates while importing
## Updated Components
-- nokogiri 1.10.1 -> 1.10.2
-- ruby 2.5.3 -> 2.5.5
-- InSpec 3.7.1 -> 3.9.0
-- The unused windows-api gem is no longer bundled with Chef on Windows hosts
+* nokogiri 1.10.1 -> 1.10.2
+* ruby 2.5.3 -> 2.5.5
+* InSpec 3.7.1 -> 3.9.0
+* The unused windows-api gem is no longer bundled with Chef on Windows hosts
# Chef Infra Client Release Notes 14.11:
@@ -1033,9 +1156,9 @@ InSpec has been updated from 3.4.1 to 3.7.1. This new release contains improveme
## Updated Components
-- bundler 1.16.1 -> 1.17.3
-- libxml2 2.9.7 -> 2.9.9
-- ca-certs updated to 2019-01-22 for new roots
+* bundler 1.16.1 -> 1.17.3
+* libxml2 2.9.7 -> 2.9.9
+* ca-certs updated to 2019-01-22 for new roots
## Security Updates
@@ -1219,20 +1342,20 @@ BSD-based systems can now detect guests running on KVM and Amazon's hypervisor w
### New Platform Support
-- Ohai now properly detects the openSUSE 15.X platform. Thank you [@megamorf](https://github.com/megamorf) for reporting this issue.
-- SUSE Linux Enterprise Desktop now identified as platform_family 'suse'
-- XCP-NG is now identified as platform 'xcp' and platform_family 'rhel'. Thank you [@heyjodom](http://github.com/heyjodom) for submitting this enhancement.
-- Mangeia Linux is now identified as platform 'mangeia' and platform_family 'mandriva'
-- Antergos Linux now identified as platform_family 'arch'
-- Manjaro Linux now identified as platform_family 'arch'
+* Ohai now properly detects the openSUSE 15.X platform. Thank you [@megamorf](https://github.com/megamorf) for reporting this issue.
+* SUSE Linux Enterprise Desktop now identified as platform_family 'suse'
+* XCP-NG is now identified as platform 'xcp' and platform_family 'rhel'. Thank you [@heyjodom](http://github.com/heyjodom) for submitting this enhancement.
+* Mangeia Linux is now identified as platform 'mangeia' and platform_family 'mandriva'
+* Antergos Linux now identified as platform_family 'arch'
+* Manjaro Linux now identified as platform_family 'arch'
## Security Updates
### OpenSSL
OpenSSL has been updated to 1.0.2q in order to resolve:
-- Microarchitecture timing vulnerability in ECC scalar multiplication ([CVE-2018-5407](https://nvd.nist.gov/vuln/detail/CVE-2018-5407))
-- Timing vulnerability in DSA signature generation ([CVE-2018-0734](https://nvd.nist.gov/vuln/detail/CVE-2018-0734))
+* Microarchitecture timing vulnerability in ECC scalar multiplication ([CVE-2018-5407](https://nvd.nist.gov/vuln/detail/CVE-2018-5407))
+* Timing vulnerability in DSA signature generation ([CVE-2018-0734](https://nvd.nist.gov/vuln/detail/CVE-2018-0734))
# Chef Client Release Notes 14.7:
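Review bot: The XCP-NG bullet links to `http://github.com/heyjodom` while every other contributor link in this file uses `https://`; switch it to `https://` while the line is being touched. In the same list, "Mangeia Linux" and platform 'mangeia' look like a misspelling of Mageia; the prose name can be corrected, but check the quoted platform string against what Ohai actually reports before changing it.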
@@ -1338,12 +1461,12 @@ Chef is now tested against macOS Mojave, and packages are now available at downl
## Important Bugfixes
-- Multiple bugfixes in Chef Vault have been resolved by updating chef-vault to 3.4.2
-- Invalid yum package names now gracefully fail
-- `windows_ad_join` now properly executes. Thank you [@cpjones01](https://github.com/cpjones01) for reporting this.
-- `rhsm_errata_level` now properly executes. Thank you [@freakinhippie](https://github.com/freakinhippie) for this fix.
-- `registry_key` now properly writes out the correct value when `sensitive` is specified. Thank you [@josh-barker](https://github.com/josh-barker) for this fix.
-- `locale` now properly executes on RHEL 6 and Amazon Linux 201X.
+* Multiple bugfixes in Chef Vault have been resolved by updating chef-vault to 3.4.2
+* Invalid yum package names now gracefully fail
+* `windows_ad_join` now properly executes. Thank you [@cpjones01](https://github.com/cpjones01) for reporting this.
+* `rhsm_errata_level` now properly executes. Thank you [@freakinhippie](https://github.com/freakinhippie) for this fix.
+* `registry_key` now properly writes out the correct value when `sensitive` is specified. Thank you [@josh-barker](https://github.com/josh-barker) for this fix.
+* `locale` now properly executes on RHEL 6 and Amazon Linux 201X.
## Ohai 14.6
@@ -1370,8 +1493,8 @@ The system_profile plugin will be removed from Chef/Ohai 15 in April 2019. This
### Ruby 2.5.3
Ruby has been updated to from 2.5.1 to 2.5.3 to resolve multiple CVEs and bugs:
-- [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/)
-- [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/)
+* [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/)
+* [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/)
# Chef Client Release Notes 14.5.33:
@@ -1548,8 +1671,8 @@ Thank you [@dbresson](https://github.com/dbresson) for this contribution.
### OpenSSL
OpenSSL updated to 1.0.2p to resolve:
-- Client DoS due to large DH parameter ([CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732))
-- Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737))
+* Client DoS due to large DH parameter ([CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732))
+* Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737))
# Chef Client Release Notes 14.3:
@@ -1569,13 +1692,13 @@ Use the chocolatey_config resource to add or remove Chocolatey configuration key
#### Actions
-- `set` - Sets a Chocolatey config value.
-- `unset` - Unsets a Chocolatey config value.
+* `set` - Sets a Chocolatey config value.
+* `unset` - Unsets a Chocolatey config value.
#### Properties
-- `config_key` - The name of the config. We'll use the resource's name if this isn't provided.
-- `value` - The value to set.
+* `config_key` - The name of the config. We'll use the resource's name if this isn't provided.
+* `value` - The value to set.
### chocolatey_source
@@ -1583,15 +1706,15 @@ Use the chocolatey_source resource to add or remove Chocolatey sources.
#### Actions
-- `add` - Adds a Chocolatey source.
-- `remove` - Removes a Chocolatey source.
+* `add` - Adds a Chocolatey source.
+* `remove` - Removes a Chocolatey source.
#### Properties
-- `source_name` - The name of the source to add. We'll use the resource's name if this isn't provided.
-- `source` - The source URL.
-- `bypass_proxy` - Whether or not to bypass the system's proxy settings to access the source.
-- `priority` - The priority level of the source.
+* `source_name` - The name of the source to add. We'll use the resource's name if this isn't provided.
+* `source` - The source URL.
+* `bypass_proxy` - Whether or not to bypass the system's proxy settings to access the source.
+* `priority` - The priority level of the source.
### powershell_package_source
@@ -1599,18 +1722,18 @@ Use the `powershell_package_source` resource to register a PowerShell package re
### Actions
-- `register` - Registers and updates the PowerShell package source.
-- `unregister` - Unregisters the PowerShell package source.
+* `register` - Registers and updates the PowerShell package source.
+* `unregister` - Unregisters the PowerShell package source.
#### Properties
-- `source_name` - The name of the package source.
-- `url` - The url to the package source.
-- `trusted` - Whether or not to trust packages from this source.
-- `provider_name` - The package management provider for the source. It supports the following providers: 'Programs', 'msi', 'NuGet', 'msu', 'PowerShellGet', 'psl' and 'chocolatey'.
-- `publish_location` - The url where modules will be published to for this source. Only valid if the provider is 'PowerShellGet'.
-- `script_source_location` - The url where scripts are located for this source. Only valid if the provider is 'PowerShellGet'.
-- `script_publish_location` - The location where scripts will be published to for this source. Only valid if the provider is 'PowerShellGet'.
+* `source_name` - The name of the package source.
+* `url` - The url to the package source.
+* `trusted` - Whether or not to trust packages from this source.
+* `provider_name` - The package management provider for the source. It supports the following providers: 'Programs', 'msi', 'NuGet', 'msu', 'PowerShellGet', 'psl' and 'chocolatey'.
+* `publish_location` - The url where modules will be published to for this source. Only valid if the provider is 'PowerShellGet'.
+* `script_source_location` - The url where scripts are located for this source. Only valid if the provider is 'PowerShellGet'.
+* `script_publish_location` - The location where scripts will be published to for this source. Only valid if the provider is 'PowerShellGet'.
### kernel_module
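Review bot: The "Actions" heading for `powershell_package_source` is at `###` while its sibling "Properties" heading in the same hunk, and the Actions headings of the neighbouring resources, are at `####`. As written, Actions renders as a peer of the resource heading rather than a child of it; change it to `#### Actions`.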
@@ -1618,17 +1741,17 @@ Use the kernel_module resource to manage kernel modules on Linux systems. This r
#### Actions
-- `install` - Load kernel module, and ensure it loads on reboot.
-- `uninstall` - Unload a kernel module and remove module config, so it doesn't load on reboot.
-- `blacklist` - Blacklist a kernel module.
-- `load` - Load a kernel module.
-- `unload` - Unload kernel module
+* `install` - Load kernel module, and ensure it loads on reboot.
+* `uninstall` - Unload a kernel module and remove module config, so it doesn't load on reboot.
+* `blacklist` - Blacklist a kernel module.
+* `load` - Load a kernel module.
+* `unload` - Unload kernel module
#### Properties
-- `modname` - The name of the kernel module.
-- `load_dir` - The directory to load modules from.
-- `unload_dir` - The modprobe.d directory.
+* `modname` - The name of the kernel module.
+* `load_dir` - The directory to load modules from.
+* `unload_dir` - The modprobe.d directory.
### ssh_known_hosts_entry
@@ -1636,21 +1759,21 @@ Use the ssh_known_hosts_entry resource to add an entry for the specified host in
#### Actions
-- `create` - Create an entry in the ssh_known_hosts file.
-- `flush` - Immediately flush the entries to the config file. Without this the actual writing of the file is delayed in the Chef run so all entries can be accumulated before writing the file out.
+* `create` - Create an entry in the ssh_known_hosts file.
+* `flush` - Immediately flush the entries to the config file. Without this the actual writing of the file is delayed in the Chef run so all entries can be accumulated before writing the file out.
#### Properties
-- `host` - The host to add to the known hosts file.
-- `key` - An optional key for the host. If not provided this will be automatically determined.
-- `key_type` - The type of key to store.
-- `port` - The server port that the ssh-keyscan command will use to gather the public key.
-- `timeout` - The timeout in seconds for ssh-keyscan.
-- `mode` - The file mode for the ssh_known_hosts file.
-- `owner`- The file owner for the ssh_known_hosts file.
-- `group` - The file group for the ssh_known_hosts file.
-- `hash_entries` - Hash the hostname and addresses in the ssh_known_hosts file for privacy.
-- `file_location` - The location of the ssh known hosts file. Change this to set a known host file for a particular user.
+* `host` - The host to add to the known hosts file.
+* `key` - An optional key for the host. If not provided this will be automatically determined.
+* `key_type` - The type of key to store.
+* `port` - The server port that the ssh-keyscan command will use to gather the public key.
+* `timeout` - The timeout in seconds for ssh-keyscan.
+* `mode` - The file mode for the ssh_known_hosts file.
+* `owner`- The file owner for the ssh_known_hosts file.
+* `group` - The file group for the ssh_known_hosts file.
+* `hash_entries` - Hash the hostname and addresses in the ssh_known_hosts file for privacy.
+* `file_location` - The location of the ssh known hosts file. Change this to set a known host file for a particular user.
## New `knife config get` command
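Review bot: `owner`- in the Properties list is still missing the space before the hyphen (`+* `owner`- The file owner ...`), so it reads differently from its neighbours `mode` and `group`; fix it while the line is being rewritten. The `key` entry could also say how the key is "automatically determined", since `port` and `timeout` already mention ssh-keyscan and a reader deciding whether to supply a key needs to know it is otherwise gathered from the host itself.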
@@ -1676,14 +1799,14 @@ You can also pass specific keys to only display those `knife config get node_nam
The following helper methods have been deprecated in favor of the single shell_out helper:
-- `shell_out_with_systems_locale`
-- `shell_out_with_timeout`
-- `shell_out_compact`
-- `shell_out_compact_timeout`
-- `shell_out_with_systems_locale!`
-- `shell_out_with_timeout!`
-- `shell_out_compact!`
-- `shell_out_compact_timeout!`
+* `shell_out_with_systems_locale`
+* `shell_out_with_timeout`
+* `shell_out_compact`
+* `shell_out_compact_timeout`
+* `shell_out_with_systems_locale!`
+* `shell_out_with_timeout!`
+* `shell_out_compact!`
+* `shell_out_compact_timeout!`
The functionality of `shell_out_with_systems_locale` has been implemented using the `default_env: false` option that removes the PATH and locale mangling that has been the default behavior of `shell_out`.
@@ -1728,12 +1851,12 @@ We advise caution in the use of this feature, as excessive or prolonged silencin
## Misc Windows improvements
-- A new `skip_publisher_check` property has been added to the `powershell_package` resource
-- `windows_feature_powershell` now supports Windows 2008 R2
-- The `mount` resource now supports the `mount_point` property on Windows
-- `windows_feature_dism` no longer errors when specifying the source
-- Resolved idempotency issues in the `windows_task` resource and prevented setting up a task with bad credentials
-- `windows_service` no longer throws Ruby deprecation warnings
+* A new `skip_publisher_check` property has been added to the `powershell_package` resource
+* `windows_feature_powershell` now supports Windows 2008 R2
+* The `mount` resource now supports the `mount_point` property on Windows
+* `windows_feature_dism` no longer errors when specifying the source
+* Resolved idempotency issues in the `windows_task` resource and prevented setting up a task with bad credentials
+* `windows_service` no longer throws Ruby deprecation warnings
## Newly Introduced Deprecations
@@ -1782,18 +1905,18 @@ Ohai now detects the virtualization hypervisor `amazonec2` when running on Amazo
This release resolves a number of regressions in 14.1:
-- `git` resource: don't use `--prune-tags` as it's really new.
-- `rhsm_repo` resource: now works
-- `apt_repository` resource: use the `repo_name` property to name files
-- `windows_task` resource: properly handle commands with arguments
-- `windows_task` resource: handle creating tasks as the SYSTEM user
-- `remote_directory` resource: restore the default for the `overwrite` property
+* `git` resource: don't use `--prune-tags` as it's really new.
+* `rhsm_repo` resource: now works
+* `apt_repository` resource: use the `repo_name` property to name files
+* `windows_task` resource: properly handle commands with arguments
+* `windows_task` resource: handle creating tasks as the SYSTEM user
+* `remote_directory` resource: restore the default for the `overwrite` property
## Ohai 14.1.3
-- Properly detect FIPS environments
-- `shard` plugin: work in FIPS compliant environments
-- `filesystem` plugin: Handle BSD platforms
+* Properly detect FIPS environments
+* `shard` plugin: work in FIPS compliant environments
+* `filesystem` plugin: Handle BSD platforms
# Chef Client Release Notes 14.1.1:
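Review bot: Two of the regression entries carried over in this list are too vague to act on: "`rhsm_repo` resource: now works" does not say what was broken, and "`git` resource: don't use `--prune-tags` as it's really new" does not say which git versions lack the flag. Suggest stating the failure that was fixed in each case. The `git` bullet is also the only one in the list that ends with a period.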
@@ -1817,19 +1940,19 @@ The `ignore_failure` property takes a new argument, `:quiet`, to suppress the er
## This release of Chef Client 14 resolves a number of regressions in 14.0
-- On Windows, the installer now correctly re-extracts files during repair mode
-- Fix a number of issues relating to use with Red Hat Satellite
-- Git fetch now prunes remotes before running
-- Fix locking and unlocking packages with apt and zypper
-- Ensure we don't request every remote file when running with lazy loading enabled
-- The sysctl resource correctly handles missing keys when used with `ignore_error`
-- --recipe-url apparently never worked on Windows. Now it does.
+* On Windows, the installer now correctly re-extracts files during repair mode
+* Fix a number of issues relating to use with Red Hat Satellite
+* Git fetch now prunes remotes before running
+* Fix locking and unlocking packages with apt and zypper
+* Ensure we don't request every remote file when running with lazy loading enabled
+* The sysctl resource correctly handles missing keys when used with `ignore_error`
+* --recipe-url apparently never worked on Windows. Now it does.
## Security Updates
### ffi Gem
-- CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS
+* CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS
# Ohai Release Notes 14.1:
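Review bot: The ffi Gem security entry names CVE-2018-1000201 but not the ffi version that resolves it, so a reader cannot check an installed client against it. Suggest adding the version in the form other security entries in this file use ("OpenSSL has been updated to 1.0.2o to resolve ..."). In the regression list above it, `--recipe-url` should be in backticks like `ignore_error` on the preceding line.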
@@ -1849,10 +1972,10 @@ A new plugin to enumerate SCSI devices has been added. This plugin is optional.
This release of Chef 14 resolves several regressions in the Chef 14.0 release.
-- Resources contained in cookbooks would be used instead of built-in Chef client resources causing older resources to run
-- Resources failed due to a missing `property_is_set?` and `resources` methods
-- `yum_package` changed the order of `disablerepo` and `enablerepo` options
-- Depsolving large numbers of cookbooks with chef zero/local took a very long time
+* Resources contained in cookbooks would be used instead of built-in Chef client resources causing older resources to run
+* Resources failed due to a missing `property_is_set?` and `resources` methods
+* `yum_package` changed the order of `disablerepo` and `enablerepo` options
+* Depsolving large numbers of cookbooks with chef zero/local took a very long time
# Chef Client Release Notes 14.0:
@@ -2070,9 +2193,9 @@ The `sensitive` property can now be used in `registry_key` to suppress the outpu
`systemd_unit` includes the following new actions:
-- `preset` - Restore the preset enable/disable configuration for a unit
-- `revert` - Revert to a vendor's version of a unit file
-- `reenable` - Reenable a unit file
+* `preset` - Restore the preset enable/disable configuration for a unit
+* `revert` - Revert to a vendor's version of a unit file
+* `reenable` - Reenable a unit file
Thanks @nathwill for these new actions.
@@ -2080,9 +2203,9 @@ Thanks @nathwill for these new actions.
`windows_service` now includes actions for fully managing services on Windows, in addition to the previous actions for starting/stopping/enabling services.
-- `create` - Create a new service
-- `delete` - Delete an existing service
-- `configure` - Reconfigure an existing service
+* `create` - Create a new service
+* `delete` - Delete an existing service
+* `configure` - Reconfigure an existing service
Thanks @jasonwbarnett for these new actions
@@ -2100,9 +2223,9 @@ Ohai has been expanded to collect more information than ever. This should make w
The kernel plugin now reports the following information on Windows:
-- `node['kernel']['product_type']` - Workstation vs. Server editions of Windows
-- `node['kernel']['system_type']` - What kind of hardware are we installed on (Desktop, Mobile, Workstation, Enterprise Server, etc.)
-- `node['kernel']['server_core']` - Are we on Windows Server Core edition?
+* `node['kernel']['product_type']` - Workstation vs. Server editions of Windows
+* `node['kernel']['system_type']` - What kind of hardware are we installed on (Desktop, Mobile, Workstation, Enterprise Server, etc.)
+* `node['kernel']['server_core']` - Are we on Windows Server Core edition?
### Cloud Detection
@@ -2184,13 +2307,13 @@ OpenSSL has been updated to 1.0.2o to resolve [CVE-2018-0739](https://cve.mitre.
Ruby has been updated to 2.5.1 to resolve the following vulnerabilities:
-- [cve-2017-17742](https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/)
-- [cve-2018-6914](https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/)
-- [cve-2018-8777](https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/)
-- [cve-2018-8778](https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/)
-- [cve-2018-8779](https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/)
-- [cve-2018-8780](https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/)
-- [Multiple vulnerabilities in rubygems](https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/)
+* [cve-2017-17742](https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/)
+* [cve-2018-6914](https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/)
+* [cve-2018-8777](https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/)
+* [cve-2018-8778](https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/)
+* [cve-2018-8779](https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/)
+* [cve-2018-8780](https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/)
+* [Multiple vulnerabilities in rubygems](https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/)
## Breaking Changes
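Review bot: The link text for the six Ruby CVEs is lowercase (`cve-2017-17742`, `cve-2018-6914`, ...) while the rest of the file writes the identifiers in uppercase (`CVE-2018-0739` in the line just above this list), so a case-sensitive search of the notes for a CVE ID misses them. Suggest uppercasing the link texts while these lines are being touched.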
@@ -2210,11 +2333,11 @@ Support for Windows 2003 has been removed from both Chef and Ohai, improving the
### knife deprecations
-- `knife bootstrap` options `--distro` and `--template_file` flags were deprecated in Chef 12 and have now been removed.
-- `knife help` functionality that read legacy Chef manpages has been removed as the manpages had not been updated and were often quite wrong. Running knife help will now simply show the help menu.
-- `knife index rebuild` has been removed as reindexing Chef Server was only necessary on releases prior to Chef Server 11.
-- The `knife ssh --identity-file` flag was deprecated and has been removed. Users should use the `--ssh_identity_file` flag instead.
-- `knife ssh csshx` was deprecated in Chef 10 and has been removed. Users should use `knife ssh cssh` instead.
+* `knife bootstrap` options `--distro` and `--template_file` flags were deprecated in Chef 12 and have now been removed.
+* `knife help` functionality that read legacy Chef manpages has been removed as the manpages had not been updated and were often quite wrong. Running knife help will now simply show the help menu.
+* `knife index rebuild` has been removed as reindexing Chef Server was only necessary on releases prior to Chef Server 11.
+* The `knife ssh --identity-file` flag was deprecated and has been removed. Users should use the `--ssh_identity_file` flag instead.
+* `knife ssh csshx` was deprecated in Chef 10 and has been removed. Users should use `knife ssh cssh` instead.
### Chef Solo `-r` flag
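Review bot: In the `knife ssh` entry the removed flag is written with hyphens (`--identity-file`) and its replacement with underscores (`--ssh_identity_file`); please confirm the replacement's spelling against the knife option definition, since users will copy it verbatim. The first bullet also says "options `--distro` and `--template_file` flags", which should be either "options" or "flags", not both.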
@@ -2240,11 +2363,11 @@ The original name for the `ignore_failure` property in resource was `epic_fail`.
Several legacy mixins mostly used in older HWRPs have been removed. Usage of these mixins has resulted in deprecation warnings for several years and they are rarely used in cookbooks available on the Supermarket.
-- Chef::Mixin::LanguageIncludeAttribute
-- Chef::Mixin::RecipeDefinitionDSLCore
-- Chef::Mixin::LanguageIncludeRecipe
-- Chef::Mixin::Language
-- Chef::DSL::Recipe::FullDSL
+* Chef::Mixin::LanguageIncludeAttribute
+* Chef::Mixin::RecipeDefinitionDSLCore
+* Chef::Mixin::LanguageIncludeRecipe
+* Chef::Mixin::Language
+* Chef::DSL::Recipe::FullDSL
### cloud_v2 and filesystem2 Ohai Plugins
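Review bot: The five removed mixins are listed as bare text (`* Chef::Mixin::LanguageIncludeAttribute` and the four after it) while resource, property and helper names elsewhere in the file are in backticks. Suggest wrapping each constant in backticks so the list renders as code.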
@@ -2276,16 +2399,16 @@ optional_plugins [ "lspci", "passwd" ]
## Bugfixes
-- The mount provider now properly adds blank lines between fstab entries on AIX
-- Ohai now reports itself as Ohai well communicating with GCE metadata endpoints
-- Property deprecations in custom resources no longer result in an error. Thanks for reporting this [martinisoft](https://github.com/martinisoft)
-- mixlib-archive has been updated to prevent corruption of archives on Windows systems
+* The mount provider now properly adds blank lines between fstab entries on AIX
+* Ohai now reports itself as Ohai well communicating with GCE metadata endpoints
+* Property deprecations in custom resources no longer result in an error. Thanks for reporting this [martinisoft](https://github.com/martinisoft)
+* mixlib-archive has been updated to prevent corruption of archives on Windows systems
## Updated Components
-- libxml2 2.9.7 -> 2.9.9
-- ca-certs updated to 2019-01-22 for new roots
-- nokogiri 1.8.5 -> 1.10.1
+* libxml2 2.9.7 -> 2.9.9
+* ca-certs updated to 2019-01-22 for new roots
+* nokogiri 1.8.5 -> 1.10.1
## Security Updates
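Review bot: "Ohai now reports itself as Ohai well communicating with GCE metadata endpoints" in the Bugfixes list does not parse; "well" looks like a typo for "when". Worth correcting in this pass since the line is rewritten anyway.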
@@ -2315,8 +2438,8 @@ Chef is now tested against macOS Mojave and packages are now available at downlo
## SUSE Linux Enterprise Server 15
-- Ohai now properly detects SLES 15
-- The Chef package will no longer remove symlinks to chef-client and ohai when upgrading on SLES 15
+* Ohai now properly detects SLES 15
+* The Chef package will no longer remove symlinks to chef-client and ohai when upgrading on SLES 15
## Updated Chef-Vault
@@ -2330,8 +2453,8 @@ Improved Windows installation speed by skipping unnecessary steps when Windows I
### macOS Improvements
-- sysctl commands have been modified to gather only the bare minimum required data, which prevents sysctl hanging in some scenarios
-- Extra data has been removed from the system_profile plugin, reducing the amount of data stored on the chef-server for each node
+* sysctl commands have been modified to gather only the bare minimum required data, which prevents sysctl hanging in some scenarios
+* Extra data has been removed from the system_profile plugin, reducing the amount of data stored on the chef-server for each node
## New Deprecations
@@ -2348,51 +2471,51 @@ The ``ohai`` resource's unused ``ohai_name`` property has been deprecated. This
### Ruby 2.4.5
Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as bugs:
-- [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/)
-- [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/)
+* [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/)
+* [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/)
# Chef Client Release Notes 13.11
### Sensitive Properties on Windows
-- `windows_service` no longer logs potentially sensitive information when a service is setup
-- `windows_package` now respects the `sensitive` property to avoid logging sensitive data in the event of a package installation failure
+* `windows_service` no longer logs potentially sensitive information when a service is setup
+* `windows_package` now respects the `sensitive` property to avoid logging sensitive data in the event of a package installation failure
### Other Fixes
-- `remote_directory` now properly loads files in the root of a cookbook's `files` directory
-- `osx_profile` now uses the full path the profiles CLI tool to avoid running other binaries of the same name in a users path
-- `package` resources that don't support the `allow_downgrade` property will no longer fail
-- `knife bootstrap windows` error messages have been improved
+* `remote_directory` now properly loads files in the root of a cookbook's `files` directory
+* `osx_profile` now uses the full path the profiles CLI tool to avoid running other binaries of the same name in a users path
+* `package` resources that don't support the `allow_downgrade` property will no longer fail
+* `knife bootstrap windows` error messages have been improved
## Security Updates
### OpenSSL
-- OpenSSL has been updated to 1.0.2p to resolve [CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732) and [CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737)
+* OpenSSL has been updated to 1.0.2p to resolve [CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732) and [CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737)
### Rubyzip
-- Updated Rubyzip to 1.2.2 to resolve [CVE-2018-1000544](https://nvd.nist.gov/vuln/detail/CVE-2018-1000544)
+* Updated Rubyzip to 1.2.2 to resolve [CVE-2018-1000544](https://nvd.nist.gov/vuln/detail/CVE-2018-1000544)
# Chef Client Release Notes 13.10
## Bugfixes
-- Resolves a duplicate logging getting created when redirecting stdout
-- Using --recipe-url with a local file on Windows no longer fails
-- Service resource no longer throws Ruby deprecation warnings on Windows
+* Resolves a duplicate logging getting created when redirecting stdout
+* Using --recipe-url with a local file on Windows no longer fails
+* Service resource no longer throws Ruby deprecation warnings on Windows
## Ohai 13.10 Improvements
-- Correctly identify the platform_version on the final release of Amazon Linux 2.0
-- Detect nodes with the DMI data of "OpenStack Compute" as being OpenStack nodes
+* Correctly identify the platform_version on the final release of Amazon Linux 2.0
+* Detect nodes with the DMI data of "OpenStack Compute" as being OpenStack nodes
## Security Updates
### ffi Gem
-- CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS
+* CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS
# Chef Client Release Notes 13.9.X:
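Review bot: The `osx_profile` entry under Other Fixes reads "now uses the full path the profiles CLI tool to avoid running other binaries of the same name in a users path"; it is missing "to" after "full path" and the apostrophe in "user's". It is the one bullet here describing a PATH-lookup hardening, so it should read cleanly. Also in this hunk: "Ruby has been updated to from 2.4.4 to 2.4.5" has a stray "to", "when a service is setup" should be "set up", and the ffi Gem entry again gives the CVE without the version that fixes it.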
@@ -2400,21 +2523,21 @@ Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as
Ruby has been updated to 2.4.4
-- CVE-2017-17742: HTTP response splitting in WEBrick
-- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
-- CVE-2018-8777: DoS by large request in WEBrick
-- CVE-2018-8778: Buffer under-read in String#unpack
-- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
-- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
-- Multiple vulnerabilities in RubyGems
+* CVE-2017-17742: HTTP response splitting in WEBrick
+* CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
+* CVE-2018-8777: DoS by large request in WEBrick
+* CVE-2018-8778: Buffer under-read in String#unpack
+* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
+* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
+* Multiple vulnerabilities in RubyGems
Nokogiri has been updated to 1.8.2
-- [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem).
+* [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem).
OpenSSL has been updated to 1.0.2o
-- CVE-2018-0739: Constructed ASN.1 types with a recursive definition could exceed the stack.
+* CVE-2018-0739: Constructed ASN.1 types with a recursive definition could exceed the stack.
## Platform Updates
@@ -2446,10 +2569,10 @@ Enable Ubuntu-18.04 and Debian-9 tested chef-client packages.
# Chef Client Release Notes 13.9:
-- On Windows, the installer now correctly re-extracts files during repair mode
-- The mount resource will now not create duplicate entries when the device type differs
-- Ensure we don't request every remote file when running with lazy loading enabled
-- Don't crash when getting the access rights for Windows system accounts
+* On Windows, the installer now correctly re-extracts files during repair mode
+* The mount resource will now not create duplicate entries when the device type differs
+* Ensure we don't request every remote file when running with lazy loading enabled
+* Don't crash when getting the access rights for Windows system accounts
## Custom Resource Improvements
@@ -2517,10 +2640,10 @@ end
# Ohai Release Notes 13.9:
-- Fix uptime parsing on AIX
-- Fix Softlayer cloud detection
-- Use the current Azure metadata endpoint
-- Correctly detect macOS guests on VMware and VirtualBox
+* Fix uptime parsing on AIX
+* Fix Softlayer cloud detection
+* Use the current Azure metadata endpoint
+* Correctly detect macOS guests on VMware and VirtualBox
# Chef Client Release Notes 13.8:
@@ -2534,7 +2657,7 @@ Per <https://discourse.chef.io/t/regression-in-chef-client-13-7-16/12518/1> , th
## Security Updates
-- Updated libxml2 to 2.9.7; fixes: CVE-2017-15412
+* Updated libxml2 to 2.9.7; fixes: CVE-2017-15412
# Chef Client Release Notes 13.7:
@@ -2560,11 +2683,11 @@ The original name for the ignore_failure property in resources was epic_fail. Ou
In Chef 14 several legacy legacy mixins will be removed. Usage of these mixins has resulted in deprecation warnings for several years. They were traditionally used in some HWRPs, but are rarely found in code available on the Supermarket. Foodcritic rules FC097, FC098, FC099, FC100, and FC102 have been introduced to detect these mixins.
-- Chef::Mixin::LanguageIncludeAttribute
-- Chef::Mixin::RecipeDefinitionDSLCore
-- Chef::Mixin::LanguageIncludeRecipe
-- Chef::Mixin::Language
-- Chef::DSL::Recipe::FullDSL
+* Chef::Mixin::LanguageIncludeAttribute
+* Chef::Mixin::RecipeDefinitionDSLCore
+* Chef::Mixin::LanguageIncludeRecipe
+* Chef::Mixin::Language
+* Chef::DSL::Recipe::FullDSL
### :uninstall action in chocolatey_package
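Review bot: The context sentence above the mixin list has a doubled word, "In Chef 14 several legacy legacy mixins will be removed"; drop one "legacy" in the same pass, even though the line is not otherwise changed by this patch.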
@@ -2572,14 +2695,14 @@ The chocolatey cookbook's chocolatey_package resource originally contained an :u
## Bugfixes
-- Resolved a bug where knife commands that prompted on Windows would never display the prompt
-- Fixed hiding of sensitive resources when converge_if_changed was used
-- Fixed scenarios where services would fail to start on Solaris
+* Resolved a bug where knife commands that prompted on Windows would never display the prompt
+* Fixed hiding of sensitive resources when converge_if_changed was used
+* Fixed scenarios where services would fail to start on Solaris
## Security Updates
-- OpenSSL has been upgraded to 1.0.2n to resolve CVE-2017-3738, CVE-2017-3737, CVE-2017-3736, and CVE-2017-3735.
-- Ruby has been upgraded to 2.4.3 to resolve CVE-2017-17405
+* OpenSSL has been upgraded to 1.0.2n to resolve CVE-2017-3738, CVE-2017-3737, CVE-2017-3736, and CVE-2017-3735.
+* Ruby has been upgraded to 2.4.3 to resolve CVE-2017-17405
## Ohai 13.7 Release Notes:
@@ -2603,12 +2726,12 @@ The mdadm plugin has been updated to properly handle arrays with more than 10 di
## Bugfixes
-- Resolved a regression in 13.6.0 that prevented upgrading packages on Debian/Ubuntu when the package name contained a tilde.
+* Resolved a regression in 13.6.0 that prevented upgrading packages on Debian/Ubuntu when the package name contained a tilde.
## Security Updates
-- OpenSSL has been upgraded to 1.0.2m to resolve CVE-2017-3735 and CVE-2017-3736
-- RubyGems has been upgraded to 2.6.14 to resolve CVE-2017-0903
+* OpenSSL has been upgraded to 1.0.2m to resolve CVE-2017-3735 and CVE-2017-3736
+* RubyGems has been upgraded to 2.6.14 to resolve CVE-2017-0903
# Chef Client Release Notes 13.6:
@@ -2684,19 +2807,19 @@ Debug logs will show the length of time each plugin takes to run, making debuggi
Chef Client 13.4 includes Ruby 2.4.2 to fix the following CVEs:
-- CVE-2017-0898
-- CVE-2017-10784
-- CVE-2017-14033
-- CVE-2017-14064
+* CVE-2017-0898
+* CVE-2017-10784
+* CVE-2017-14033
+* CVE-2017-14064
## Security release of RubyGems
Chef Client 13.4 includes RubyGems 2.6.13 to fix the following CVEs:
-- CVE-2017-0899
-- CVE-2017-0900
-- CVE-2017-0901
-- CVE-2017-0902
+* CVE-2017-0899
+* CVE-2017-0900
+* CVE-2017-0901
+* CVE-2017-0902
## Ifconfig provider on Red Hat now supports additional properties
@@ -2704,19 +2827,19 @@ It is now possible to set `ETHTOOL_OPTS`, `BONDING_OPTS`, `MASTER` and `SLAVE` p
### Properties
-- `ethtool_opts`<br>
+* `ethtool_opts`<br>
**Ruby types:** String<br>
**Platforms:** Fedora, RHEL, Amazon Linux A string containing arguments to ethtool. The string will be wrapped in double quotes, so ensure that any needed quotes in the property are surrounded by single quotes
-- `bonding_opts`<br>
+* `bonding_opts`<br>
**Ruby types:** String<br>
**Platforms:** Fedora, RHEL, Amazon Linux A string containing configuration parameters for the bonding device.
-- `master`<br>
+* `master`<br>
**Ruby types:** String<br>
**Platforms:** Fedora, RHEL, Amazon Linux The channel bonding interface that this interface is linked to.
-- `slave`<br>
+* `slave`<br>
**Ruby types:** String<br>
**Platforms:** Fedora, RHEL, Amazon Linux Whether the interface is controlled by the channel bonding interface defined by `master`, above.
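Review bot: In all four property entries the description runs straight on from the platform list ("**Platforms:** Fedora, RHEL, Amazon Linux A string containing arguments to ethtool."), because the `**Platforms:**` text has no `<br>` after it the way the `**Ruby types:**` line does. Suggest putting `<br>` after "Amazon Linux" so each description starts on its own line. The `ethtool_opts` description is also missing its final period.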
@@ -2734,15 +2857,15 @@ The `remote_file` resource now supports the use of credentials on Windows when a
The following properties are new for the `remote_file` resource:
-- `remote_user`<br>
+* `remote_user`<br>
**Ruby types:** String<br>
_Windows only:_ The user name of a user with access to the remote file specified by the `source` property. Default value: `nil`. The user name may optionally be specifed with a domain, i.e. `domain\user` or `user@my.dns.domain.com` via Universal Principal Name (UPN) format. It can also be specified without a domain simply as `user` if the domain is instead specified using the `remote_domain` attribute. Note that this property is ignored if `source` is not a UNC path. If this property is specified, the `remote_password` property **must** be specified.
-- `remote_password`<br>
+* `remote_password`<br>
**Ruby types** String<br>
_Windows only:_ The password of the user specified by the `remote_user` property. Default value: `nil`. This property is mandatory if `remote_user` is specified and may only be specified if `remote_user` is specified. The `sensitive` property for this resource will automatically be set to `true` if `remote_password` is specified.
-- `remote_domain`<br>
+* `remote_domain`<br>
**Ruby types** String<br>
_Windows only:_ The domain of the user user specified by the `remote_user` property. Default value: `nil`. If not specified, the user and password properties specified by the `remote_user` and `remote_password` properties will be used to authenticate that user against the domain in which the system hosting the UNC path specified via `source` is joined, or if that system is not joined to a domain it will authenticate the user as a local account on that system. An alternative way to specify the domain is to leave this property unspecified and specify the domain as part of the `remote_user` property.
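Review bot: UPN is expanded as "Universal Principal Name" in the `remote_user` description; the term is User Principal Name. The same hunk carries "specifed", "the user user specified", and `**Ruby types**` without the colon on `remote_password` and `remote_domain` (it is `**Ruby types:**` on `remote_user`). These are credential-handling properties, so the wording is worth getting exact.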
@@ -2796,12 +2919,12 @@ end
### Actions
-- `:add` - Add an item to the system path
-- `:remove` - Remove an item from the system path
+* `:add` - Add an item to the system path
+* `:remove` - Remove an item from the system path
### Properties
-- `path` - Name attribute. The name of the value to add to the system path
+* `path` - Name attribute. The name of the value to add to the system path
### Examples
@@ -2928,15 +3051,15 @@ Further information regarding apt-pinning is available via <https://wiki.debian.
### Actions
-- `:add`: creates a preferences file under /etc/apt/preferences.d
-- `:remove`: Removes the file, therefore unpin the package
+* `:add`: creates a preferences file under /etc/apt/preferences.d
+* `:remove`: Removes the file, therefore unpin the package
### Properties
-- `package_name`: name attribute. The name of the package
-- `glob`: Pin by glob() expression or regexp surrounded by /.
-- `pin`: The package version/repository to pin
-- `pin_priority`: The pinning priority aka "the highest package version wins"
+* `package_name`: name attribute. The name of the package
+* `glob`: Pin by glob() expression or regexp surrounded by /.
+* `pin`: The package version/repository to pin
+* `pin_priority`: The pinning priority aka "the highest package version wins"
### Examples
@@ -2973,25 +3096,25 @@ The zypper_repository resource allows for the creation of Zypper package reposit
### Actions
-- `:add` - adds a repo
-- `:delete` - removes a repo
+* `:add` - adds a repo
+* `:delete` - removes a repo
### Properties
-- `repo_name` - repository name if different from the resource name (name property)
-- `type` - the repository type. default: 'NONE'
-- `description` - the description of the repo that will be shown in `zypper repos`
-- `baseurl` - the base url of the repo
-- `path` - the relative path from the `baseurl`
-- `mirrorlist` - the url to the mirrorlist to use
-- `gpgcheck` - should we gpg check the repo (true/false). default: true
-- `gpgkey` - location of repo key to import
-- `priority` - priority of the repo. default: 99
-- `autorefresh` - should the repository be automatically refreshed (true/false). default: true
-- `keeppackages` - should packages be saved (true/false). default: false
-- `refresh_cache` - should package cache be refreshed (true/false). default: true
-- `enabled` - should this repository be enabled (true/false). default: true
-- `mode` - the file mode of the repository file. default: "0644"
+* `repo_name` - repository name if different from the resource name (name property)
+* `type` - the repository type. default: 'NONE'
+* `description` - the description of the repo that will be shown in `zypper repos`
+* `baseurl` - the base url of the repo
+* `path` - the relative path from the `baseurl`
+* `mirrorlist` - the url to the mirrorlist to use
+* `gpgcheck` - should we gpg check the repo (true/false). default: true
+* `gpgkey` - location of repo key to import
+* `priority` - priority of the repo. default: 99
+* `autorefresh` - should the repository be automatically refreshed (true/false). default: true
+* `keeppackages` - should packages be saved (true/false). default: false
+* `refresh_cache` - should package cache be refreshed (true/false). default: true
+* `enabled` - should this repository be enabled (true/false). default: true
+* `mode` - the file mode of the repository file. default: "0644"
### Examples
@@ -3012,8 +3135,8 @@ end
Ohai now properly detects the [F5 Big-IP](https://www.f5.com/) platform and platform_version.
-- platform: bigip
-- platform_family: rhel
+* platform: bigip
+* platform_family: rhel
# Chef Client Release Notes 13.2:
@@ -3065,13 +3188,13 @@ Ohai now properly detects the [Clear](https://clearlinux.org/) and [ClearOS](htt
#### Clear Linux
-- platform: clearlinux
-- platform_family: clearlinux
+* platform: clearlinux
+* platform_family: clearlinux
#### ClearOS
-- platform: clearos
-- platform_family: rhel
+* platform: clearos
+* platform_family: rhel
## New Deprecations
@@ -3379,16 +3502,16 @@ The PATH changes have also been tweaked so that the ruby bindir and gemdir PATHS
Some examples of changes:
-- `which ruby` in 12.x will return any system ruby and fall back to the embedded ruby if using omnibus
-- `which ruby` in 13.x will return any system ruby and will not find the embedded ruby if using omnibus
-- `shell_out_with_systems_locale("which ruby")` behaves the same as `which ruby` above
-- `shell_out("which ruby")` in 12.x will return any system ruby and fall back to the embedded ruby if using omnibus
-- `shell_out("which ruby")` in 13.x will always return the omnibus ruby first (but will find the system ruby if not using omnibus)
+* `which ruby` in 12.x will return any system ruby and fall back to the embedded ruby if using omnibus
+* `which ruby` in 13.x will return any system ruby and will not find the embedded ruby if using omnibus
+* `shell_out_with_systems_locale("which ruby")` behaves the same as `which ruby` above
+* `shell_out("which ruby")` in 12.x will return any system ruby and fall back to the embedded ruby if using omnibus
+* `shell_out("which ruby")` in 13.x will always return the omnibus ruby first (but will find the system ruby if not using omnibus)
The PATH in `shell_out` can also be overridden:
-- `shell_out("which ruby", env: { "PATH" => nil })` - behaves like shell_out_with_systems_locale()
-- `shell_out("which ruby", env: { "PATH" => [...include PATH string here...] })` - set it arbitrarily however you need
+* `shell_out("which ruby", env: { "PATH" => nil })` - behaves like shell_out_with_systems_locale()
+* `shell_out("which ruby", env: { "PATH" => [...include PATH string here...] })` - set it arbitrarily however you need
Since most providers which launch custom user commands use `shell_out_with_systems_locale` (service, execute, script, etc) the behavior will be that those commands that used to be having embedded omnibus paths injected into them no longer will. Generally this will fix more problems than it solves, but may causes issues for some use cases.
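Review bot: In the second override bullet, `env: { "PATH" => [...include PATH string here...] }` puts the placeholder in square brackets, which reads as a Ruby array literal although the text asks for a PATH string; a quoted placeholder such as `"<PATH string>"` avoids that. The closing paragraph needs correcting while this section is touched: "fix more problems than it solves" presumably means "than it causes", and "may causes issues" should be "may cause issues".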
@@ -3484,9 +3607,9 @@ detail from the off.
## Highlighted enhancements for this release:
-- Systemd unit files are now verified before being installed.
-- Added support for windows alternate user identity in execute resources.
-- Added ed25519 key support for for ssh connections.
+* Systemd unit files are now verified before being installed.
+* Added support for windows alternate user identity in execute resources.
+* Added ed25519 key support for for ssh connections.
### Windows alternate user identity execute support
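Review bot: The third added bullet carries over the doubled word in "support for for ssh connections"; drop one "for". While editing these lines, capitalise the proper names as well: "Ed25519" and "SSH" in that bullet, "Windows" in the one above it.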
@@ -3508,15 +3631,15 @@ Chef::ReservedNames::Win32::Security.get_account_right('<user>').include?('SeAss
The following properties are new or updated for the `execute`, `script`, `batch`, and `powershell_script` resources and any resources derived from them:
-- `user`<br>
+* `user`<br>
**Ruby types:** String<br>
The user name of the user identity with which to launch the new process. Default value: `nil`. The user name may optionally be specified with a domain, i.e. `domain\user` or `user@my.dns.domain.com` via Universal Principal Name (UPN) format. It can also be specified without a domain simply as `user` if the domain is instead specified using the `domain` attribute. On Windows only, if this property is specified, the `password` property **must** be specified.
-- `password`<br>
+* `password`<br>
**Ruby types** String<br>
_Windows only:_ The password of the user specified by the `user` property. Default value: `nil`. This property is mandatory if `user` is specified on Windows and may only be specified if `user` is specified. The `sensitive` property for this resource will automatically be set to `true` if `password` is specified.
-- `domain`<br>
+* `domain`<br>
**Ruby types** String<br>
_Windows only:_ The domain of the user user specified by the `user` property. Default value: `nil`. If not specified, the user name and password specified by the `user` and `password` properties will be used to resolve that user against the domain in which the system running Chef client is joined, or if that system is not joined to a domain it will resolve the user as a local account on that system. An alternative way to specify the domain is to leave this property unspecified and specify the domain as part of the `user` property.
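Review bot: The lines directly under the changed `user`, `password` and `domain` bullets are inconsistent: `**Ruby types:** String` has a colon for `user`, but `**Ruby types** String` does not for `password` and `domain`. Fix that in the same pass, together with "user user" in the `domain` description and "Universal Principal Name" in the `user` description, which should read "User Principal Name" (UPN).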
@@ -3560,12 +3683,12 @@ end
## Highlighted bug fixes for this release:
-- Ensure that the Windows Administrator group can access the chef-solo nodes directory
-- When loading a cookbook in Chef Solo, use `metadata.json` in preference to `metadata.rb`
+* Ensure that the Windows Administrator group can access the chef-solo nodes directory
+* When loading a cookbook in Chef Solo, use `metadata.json` in preference to `metadata.rb`
## Deprecation Notice
-- As of version 12.19, chef client will no longer be build or tested on the Cisco NX-OS and IOS XR platforms.
+* As of version 12.19, chef client will no longer be build or tested on the Cisco NX-OS and IOS XR platforms.
# Ohai Release Notes 8.23:
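Review bot: The added deprecation bullet still reads "will no longer be build or tested"; it should be "built". The product name is written "chef client" here and "Chef client" in the Windows alternate user section of the same file, so pick one form.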
@@ -3595,36 +3718,36 @@ GCC detection has been improved to collect additional information, and to not pr
### Ohai::Config removed
-- **Deprecation ID**: OHAI-1
-- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_legacy_config.html>
-- **Expected Removal**: Ohai 13 (April 2017)
+* **Deprecation ID**: OHAI-1
+* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_legacy_config.html>
+* **Expected Removal**: Ohai 13 (April 2017)
### sigar gem based plugins removed
-- **Deprecation ID**: OHAI-2
-- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_sigar_plugins.html>
-- **Expected Removal**: Ohai 13 (April 2017)
+* **Deprecation ID**: OHAI-2
+* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_sigar_plugins.html>
+* **Expected Removal**: Ohai 13 (April 2017)
### run_command and popen4 helper methods removed
-- **Deprecation ID**: OHAI-3
-- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_run_command_helpers.html>
-- **Expected Removal**: Ohai 13 (April 2017)
+* **Deprecation ID**: OHAI-3
+* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_run_command_helpers.html>
+* **Expected Removal**: Ohai 13 (April 2017)
### libvirt plugin attributes moved
-- **Deprecation ID**: OHAI-4
-- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_libvirt_plugin.html>
-- **Expected Removal**: Ohai 13 (April 2017)
+* **Deprecation ID**: OHAI-4
+* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_libvirt_plugin.html>
+* **Expected Removal**: Ohai 13 (April 2017)
### Windows CPU plugin attribute changes
-- **Deprecation ID**: OHAI-5
-- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_windows_cpu.html>
-- **Expected Removal**: Ohai 13 (April 2017)
+* **Deprecation ID**: OHAI-5
+* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_windows_cpu.html>
+* **Expected Removal**: Ohai 13 (April 2017)
### DigitalOcean plugin attribute changes
-- **Deprecation ID**: OHAI-6
-- **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_digitalocean.html>
-- **Expected Removal**: Ohai 13 (April 2017)
+* **Deprecation ID**: OHAI-6
+* **Remediation Docs**: <https://docs.chef.io/deprecations_ohai_digitalocean.html>
+* **Expected Removal**: Ohai 13 (April 2017)
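Review bot: The `-` to `*` marker swap across the six Ohai deprecation lists in this hunk is formatting churn with no content change, in a commit titled "Add Chef Infra Client 15.8 release notes". Splitting the list-marker normalisation into its own commit would keep the 15.8 additions reviewable on their own and keep blame on these historical sections pointing at the commits that wrote them.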