## New Features

### Policy Revisions API now includes Policy Groups

We've added Policy Groups to the Policy Revisions API, which means that you can now get a complete list of Policy Groups that use a specific version of a Policy. When you make an API call to `/organizations/[organization_id]/policies/[policy_name]/revisions/[revision_id]`, the response includes a `policy_group_list` array.

For example, `GET organizations/4thcafe/policies/some_policy_name/revisions/909c26701e291510eacdc6c06d626b9fa5350d25` returns:

```json
{
  "revision_id": "909c26701e291510eacdc6c06d626b9fa5350d25",
  "name": "some_policy_name",
  "run_list": [
    "recipe[policyfile_demo::default]"
  ],
  "cookbook_locks": {
    "policyfile_demo": {
      "identifier": "f04cc40faf628253fe7d9566d66a1733fb1afbe9",
      "version": "1.2.3"
    }
  },
  "policy_group_list": ["some_policy_group"]
}
```

## Improvements

- Improved logging in `chef-server-ctl reconfigure`.

## Bug Fixes

- Fixed a failure to install server add-ons on Amazon Linux 2.

## Packaging

### Ubuntu 16.04

Ubuntu 16.04 was only mostly EOL. Now that Ubuntu 16.04 is no longer EOL, we are once again producing Chef Infra Server packages for it.

## Security

### nginx Process As Non-Root User

The Chef Infra Server `nginx` process can now be run as a non-root user for improved security. To enable this, set `nginx['nginx_no_root']` to `true`.

### x-ops-api-info Header Disabled by Default

We disabled the `x-ops-api-info` header by default because it included information on the running release of Chef Infra Server, which could aid attackers in determining potential vulnerabilities. You can enable this header in your configuration with the new option: `default['private_chef']['opscode-erchef']['include_x_ops_api_info']`.

### Email Changes via OC-ID

User email changes via the OC-ID API now send confirmation e-mails to ensure the user owns the e-mail.

### PostgreSQL 13.4

The embedded PostgreSQL install has been updated from 13.3 to 13.4.
This new release improves reliability and resolves the following CVEs:

- CVE-2021-3677
- CVE-2021-3449

### Nokogiri 1.12.5

Nokogiri has been updated from 1.11.7 to 1.12.5 in order to resolve CVE-2021-41098. This CVE only impacted users of JRuby, which Chef Infra Server does not use, but the older release would show up on vulnerability scanners as an issue to resolve.

### OpenSSL 1.0.2zb

OpenSSL has been updated from 1.0.2za to 1.0.2zb to resolve issues with Let's Encrypt certificates.

### cacerts

The cacerts bundle has been updated to the 2021-07-25 release. This update removes older expired root certificates and adds the following new root certificates:

- AC RAIZ FNMT-RCM SERVIDORES SEGUROS
- GlobalSign Root R46
- GlobalSign Root E46
- GLOBALTRUST 2020
- ANF Secure Server Root CA
- Certum EC-384 CA
- Certum Trusted Root CA
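
Returning to the Policy Revisions API change under New Features: the added example below (not part of Chef's release notes or code) uses `policy_group_list` to report which policy groups run a revision that locks a cookbook at a flagged version. The `constructed-*` revision IDs, the extra policy and group names, and the `UNKNOWN_GROUP` handling for responses that lack the field are assumptions.

```ruby
require 'json'

# Constructed sample: response bodies from
# GET /organizations/ORG/policies/NAME/revisions/REVISION_ID, collected into one array.
# The first entry is the response shown in these notes; the rest are invented.
SAMPLE_REVISIONS = JSON.parse(<<~JSON)
  [
    { "revision_id": "909c26701e291510eacdc6c06d626b9fa5350d25",
      "name": "some_policy_name",
      "run_list": ["recipe[policyfile_demo::default]"],
      "cookbook_locks": { "policyfile_demo": {
        "identifier": "f04cc40faf628253fe7d9566d66a1733fb1afbe9", "version": "1.2.3" } },
      "policy_group_list": ["some_policy_group"] },
    { "revision_id": "constructed-revision-b", "name": "some_policy_name",
      "cookbook_locks": { "policyfile_demo": { "version": "1.3.0" } },
      "policy_group_list": ["constructed_staging"] },
    { "revision_id": "constructed-revision-c", "name": "some_policy_name",
      "cookbook_locks": { "policyfile_demo": { "version": "1.2.3" } },
      "policy_group_list": [] },
    { "revision_id": "constructed-revision-d", "name": "other_policy",
      "cookbook_locks": { "policyfile_demo": { "version": "1.2.3" } } }
  ]
JSON

# Assumption: a response without policy_group_list comes from a server that
# predates this release, so group membership is unknown rather than empty.
UNKNOWN_GROUP = '(unknown: no policy_group_list in response)'

# Map each policy group to the revisions that lock `cookbook` at a version in
# `flagged_versions` (for example, versions named in an advisory).
def exposed_policy_groups(revisions, cookbook, flagged_versions)
  exposure = Hash.new { |hash, group| hash[group] = [] }
  revisions.each do |rev|
    lock = rev.fetch('cookbook_locks', {})[cookbook]
    next unless lock && flagged_versions.include?(lock['version'])

    groups = rev.fetch('policy_group_list') { [UNKNOWN_GROUP] }
    groups.each do |group|
      exposure[group] << { policy: rev['name'], revision_id: rev['revision_id'],
                           version: lock['version'] }
    end
  end
  exposure
end

if __FILE__ == $PROGRAM_NAME
  exposed_policy_groups(SAMPLE_REVISIONS, 'policyfile_demo', ['1.2.3']).each do |group, hits|
    hits.each { |h| puts "#{group}: #{h[:policy]} @ #{h[:revision_id]} (#{h[:version]})" }
  end
end
```

A revision with an empty `policy_group_list` is locked to the flagged version but assigned to no group, so it contributes nothing to the report.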