## Fixes

- Chef Infra Client, which is used in the `chef-backend-ctl reconfigure` command, has been updated from 15.x to 16.17 to resolve EOL warnings when running.

## Enhancements

- `chef-backend-ctl backup` no longer backs up the Elasticsearch cluster to speed up backup times. Users restoring a backed-up cluster can instead run `chef-server-ctl reindex --all` from a frontend node to generate new data in Elasticsearch.

## Packaging

### Newly Supported Platforms

We now produce Chef Backend packages for SLES 15, Amazon Linux 2, and Ubuntu 20.04.

### Deprecated Platforms

Chef Backend packages are no longer produced for RHEL 6, as this platform is now end-of-life.

### RPM Package Digests

Updated the file digest in Chef Backend RPM packages from MD5 to SHA256 to prevent failures from installing on some FIPS-enabled systems.

## Security

### Log4j Mitigation

We mitigated the Log4j vulnerability outlined in CVE-2021-44228 by disabling message formatting within logging. Chef Backend is not vulnerable to this CVE in Log4j, but this avoids security concerns with this CVE.

### Ruby 2.7.5

Updated Ruby from 2.6.5 to 2.7.5 for improved performance and to resolve the following CVEs:

- CVE-2021-41817
- CVE-2021-41819
- CVE-2021-31810
- CVE-2021-32066
- CVE-2021-31799
- CVE-2020-25613
- CVE-2021-28965
- CVE-2020-10663
- CVE-2020-10933

### OpenSSL 1.0.2zb

Updated OpenSSL from 1.0.2v to 1.0.2zb to resolve issues with Let's Encrypt certificates and to resolve the following CVEs:

- CVE-2021-3712
- CVE-2021-23841
- CVE-2021-23840
- CVE-2021-23839
- CVE-2020-1971
- CVE-2020-1968

### OpenJDK 11.0.13+8

Updated OpenJDK from 11.0.7+10 to 11.0.13+8 to resolve the following CVEs:

- CVE-2021-35550
- CVE-2021-35565
- CVE-2021-35556
- CVE-2021-35559
- CVE-2021-35561
- CVE-2021-35564
- CVE-2021-35567
- CVE-2021-35578
- CVE-2021-35586
- CVE-2021-35603
- CVE-2021-2341
- CVE-2021-2369
- CVE-2021-2388
- CVE-2021-2163
- CVE-2021-2161
- CVE-2020-14779
- CVE-2020-14781
- CVE-2020-14782
- CVE-2020-14792
- CVE-2020-14796
- CVE-2020-14797
- CVE-2020-14798
- CVE-2020-14803

### PostgreSQL 9.5.25

Updated PostgreSQL from 9.5.19 to 9.5.25 to resolve the following CVEs:

- CVE-2020-14350
- CVE-2020-25695
- CVE-2020-25694
- CVE-2020-25696