## Improvements

- Azure support for external PostgreSQL: In the previous release we added support for SSL while connecting to PostgreSQL. With this release we add the ability to connect to an external PostgreSQL database in Azure.
- Update HAProxy configuration: We have updated the configuration for HAProxy to make it more responsive. The changes include:
  - Set the connect, client, server, and tunnel timeouts to reasonable defaults.
  - Set client-fin and server-fin to try to mitigate connection pile-ups in the case of failing frontend services.
  - Set on-marked-down shutdown-session to avoid stale sessions to previous leaders living longer than they need to.
- Chef Infra Server supports Elasticsearch version 6 for external Elasticsearch: Chef Infra Server previously supported index creation for Elasticsearch versions 2 and 5. We now support index creation for Elasticsearch 6 as well.
- Cookstyle changes applied to the cookbooks.
- Disable the actions RabbitMQ queue by default.
- Log all errors triggered by Elasticsearch reindex.

## Bug Fixes

- Fix a regression that broke FIPS 140-2 support in Chef Infra Server 13.1.13.
- Fix Habitat db config for external database.
- Elasticsearch recipes should not create indexes at compile time.

## Updates

- Erlang in the Habitat package: 18 -> 20
- libxml2 2.9.9 -> 2.9.10
- libxslt 1.1.30 -> 1.1.34

## Security

### HAProxy

HAProxy has been updated from 1.6.4 to 1.6.15 to resolve the following CVEs:

- [CVE-2018-10184](https://nvd.nist.gov/vuln/detail/CVE-2018-10184)
- [CVE-2018-14645](https://nvd.nist.gov/vuln/detail/CVE-2018-14645)
- [CVE-2018-20103](https://nvd.nist.gov/vuln/detail/CVE-2018-20103)
- [CVE-2018-20102](https://nvd.nist.gov/vuln/detail/CVE-2018-20102)
- [CVE-2019-11323](https://nvd.nist.gov/vuln/detail/CVE-2019-11323)

### Java JRE

The Java JRE has been updated from 8u162 to 8u202 to resolve the following CVEs:

- [CVE-2018-3214](https://nvd.nist.gov/vuln/detail/CVE-2018-3214)
- [CVE-2018-14048](https://nvd.nist.gov/vuln/detail/CVE-2018-14048)
- [CVE-2018-3209](https://nvd.nist.gov/vuln/detail/CVE-2018-3209)
- [CVE-2018-3211](https://nvd.nist.gov/vuln/detail/CVE-2018-3211)
- [CVE-2018-2941](https://nvd.nist.gov/vuln/detail/CVE-2018-2941)
- [CVE-2018-2942](https://nvd.nist.gov/vuln/detail/CVE-2018-2942)
- [CVE-2018-2964](https://nvd.nist.gov/vuln/detail/CVE-2018-2964)
- [CVE-2018-2798](https://nvd.nist.gov/vuln/detail/CVE-2018-2798)
- [CVE-2018-2799](https://nvd.nist.gov/vuln/detail/CVE-2018-2799)
- [CVE-2018-2800](https://nvd.nist.gov/vuln/detail/CVE-2018-2800)
- [CVE-2018-2811](https://nvd.nist.gov/vuln/detail/CVE-2018-2811)
- [CVE-2018-2815](https://nvd.nist.gov/vuln/detail/CVE-2018-2815)

### OpenSSL

OpenSSL has been updated from 1.0.2t to 1.0.2u to resolve the following CVEs:

- [CVE-2019-1551](https://nvd.nist.gov/vuln/detail/CVE-2019-1551)

### Rack

The `rack` gem in the `oc-id` Chef Infra Server component has been updated from 1.6.11 to 1.6.12 to resolve [CVE-2019-16782](https://nvd.nist.gov/vuln/detail/CVE-2019-16782).

### Redis

Redis has been updated from 3.0.7 to 5.0.7 to resolve the following CVEs:

- [CVE-2019-10193](https://nvd.nist.gov/vuln/detail/CVE-2019-10193)
- [CVE-2019-10192](https://nvd.nist.gov/vuln/detail/CVE-2019-10192)
- [CVE-2019-11218](https://nvd.nist.gov/vuln/detail/CVE-2019-11218)
- [CVE-2019-11219](https://nvd.nist.gov/vuln/detail/CVE-2019-11219)

### Ruby

Ruby has been updated from 2.6.3 to 2.6.5 to resolve the following CVEs:

- [CVE-2019-16255](https://nvd.nist.gov/vuln/detail/CVE-2019-16255): A code injection vulnerability of `Shell#[]` and `Shell#test`
- [CVE-2019-16254](https://nvd.nist.gov/vuln/detail/CVE-2019-16254): HTTP response splitting in WEBrick (Additional fix)
- [CVE-2019-15845](https://nvd.nist.gov/vuln/detail/CVE-2019-15845): A NUL injection vulnerability of `File.fnmatch` and `File.fnmatch?`
- [CVE-2019-16201](https://nvd.nist.gov/vuln/detail/CVE-2019-16201): Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
- [CVE-2012-6708](https://nvd.nist.gov/vuln/detail/CVE-2012-6708): Cross-site Scripting vulnerability in RDoc
- [CVE-2015-9251](https://nvd.nist.gov/vuln/detail/CVE-2015-9251): Cross-site Scripting vulnerability in RDoc

### rubyzip

The release of rubyzip in the `oc-id` Chef Infra Server component has been updated from 1.2.3 to 1.3.0 to resolve [CVE-2019-16892](https://nvd.nist.gov/vuln/detail/CVE-2019-16892).