## Bug Fixes

- Removed ERROR logs when retrying failed communication with the Chef Infra Server.
- Several Ruby failures on Windows have been resolved.
- The `cookbook_name` variable is now available in templates as expected.
- YAML recipes can now end in `.yaml` and `.yml`.
- The data collector for sending data to Chef Automate now respects attribute `allowlist` and `denylist` configurations.
- Fixed an edge condition in the deprecations system that could cause failures running Chef Infra Client.
- Chef Vault has been updated to allow storing key data.

## Chef InSpec 4.41.20

Chef InSpec has been updated from 4.38.9 to 4.41.20 with the following improvements:

- New Open Policy Agent resources `opa_cli` and `opa_api`.
- New `mongodb_session` resource.
- The `mssql_session` resource now allows named connections by no longer forcing a port.
- The PostgreSQL resources (`postgres_session`, `postgres_conf`, `postgres_hba_conf`, and `postgres_ident_conf`) now work with Windows.
- Fixed a bug where the year in an expiration date was misinterpreted in waiver files.
- Added support for Alibaba Cloud Linux 3 to the Chef InSpec `service` resource.
- Replaced the WMI command-line (WMIC) utility in the Chef InSpec `security_identifier` resource with Common Information Model (CIM) cmdlets, as the WMIC utility will be deprecated soon.
- Fixed range-based filtering in filter tables.
- Fixed an issue in the Chef InSpec `apache_conf` resource when the ServerRoot is not specified in the Apache configuration file.
- Fixed an error in the Chef InSpec `postgres_session` resource where the resource was unable to connect to a database.
- Fixed an error in the Chef InSpec `apache_conf` resource where it would overwrite any Apache configurations from the main Apache configuration file with configurations from any included configuration files.
- Fixed an error where the Chef InSpec `security_policy` resource returned a comma-separated string of local groups (rather than SIDs) instead of an array.
- Updated the Git fetcher to handle profiles with a default Git branch that is not `master`.

## Resource Updates

### archive_file

We improved the `archive_file` resource by upgrading the `libarchive` library it uses, which includes the following improvements:

- Support for PWB and v7 binary CPIO formats.
- Support for the deflate algorithm in symbolic link decompression with zip files.
- Various bug fixes when working with CAB, ZIP, 7zip, and RAR files.

### chef_client_config

Updated the `chef_client_config` resource to properly format the `client.rb` config when the user sets the `ohai_optional_plugins` or `ohai_disabled_plugins` properties. Thanks for reporting this issue [@caneylan](https://github.com/caneylan).

### homebrew_cask

The `homebrew_cask` resource now supports Homebrew Casks with '-' or '@' in their name. Thanks for this fix [@byplayer](https://github.com/byplayer)!

The resource also now passes the `homebrew_path` when creating or deleting taps. This change prevents failures when running Homebrew in a non-standard location or on an M1 system. Thanks for this fix [@mattlqx](https://github.com/mattlqx)!

### mount

The `mount` resource no longer strips trailing `/` values when the mount point is just `/`. Thanks for this fix [@jiokmiso](https://github.com/jiokmiso)!

### powershell_package

Updated the `powershell_package` resource to allow passing an array of install options via the `options` property. Thanks for reporting this issue [@kimbernator](https://github.com/kimbernator).

### rhsm_subscription

The `rhsm_subscription` resource now flushes all DNF or YUM caches after adding a new subscription so that subsequent package installs can use packages from the subscription. Thanks for fixing this [@jasonwbarnett](https://github.com/jasonwbarnett)!

### systemd_unit

The `systemd_unit` resource now generates valid unit files when passing a hash of data.
Thanks for reporting this issue [@gregkare](https://github.com/gregkare).

### ulimit

The `ulimit` resource now supports setting `sensitive true` to prevent logging ulimit data as it is written to disk.

### windows_security_policy

The `windows_security_policy` resource has been refactored to improve reliability and now supports setting `AuditPolicyChange` and `LockoutDuration`.

### windows_uac

The `windows_uac` resource now sets the proper registry key value when using the `consent_behavior_users` property. Thanks for reporting this [@ahembree](https://github.com/ahembree)!

### windows_user_privilege

The `windows_user_privilege` resource no longer fails with an error stating that the `privilege` property needs to be set, even if it is set.

## Security

### OpenSSL 1.0.2za

OpenSSL has been updated from 1.0.2y to 1.0.2za on non-macOS systems to resolve [CVE-2021-3712](https://nvd.nist.gov/vuln/detail/CVE-2021-3712).

### OpenSSL 1.1.1l

OpenSSL has been updated from 1.1.1k to 1.1.1l on macOS systems to resolve the following CVEs:

- [CVE-2021-3711](https://nvd.nist.gov/vuln/detail/CVE-2021-3711)
- [CVE-2021-3712](https://nvd.nist.gov/vuln/detail/CVE-2021-3712)

### libarchive 3.5.2

Updated the libarchive library that powers the `archive_file` resource from 3.5.1 to 3.5.2 to resolve security vulnerabilities in libarchive's handling of symbolic links.

## Package Improvements

### Intel macOS Monterey Packages

We now produce Chef Infra Client packages for Apple's macOS Monterey preview release on Intel architecture in addition to M1 architecture.

## Deprecations

### Policyfile Compatibility Mode

The Chef Infra Server 11 era Policyfile Compatibility Mode is now deprecated. Users should upgrade to a newer release of Chef Infra Server 12+ that supports Policyfiles natively. With Chef Infra Server upgraded, you can remove `policy_document_native_api` from the `client.rb` config file or set it to `true`.

### Attribute Whitelists

We deprecated the attribute whitelist feature in favor of attribute allowlists. Users will need to update whitelist configurations in their `client.rb` configuration file to be `allowlist` configurations.
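
For the OpenSSL updates listed under Security above, the following added example (not part of the original release notes or of Chef's own code) checks whether an OpenSSL version string is at or above the fixed release for its branch. The function names and the first three sample strings are constructed for illustration; run it with the Ruby interpreter bundled in the Chef Infra Client package to test the library that client actually loads.

```ruby
# Added example: checks an OpenSSL 1.x version string against the fixed
# releases named in these notes (1.0.2za and 1.1.1l).
FIXED_RELEASES = { "1.0.2" => "1.0.2za", "1.1.1" => "1.1.1l" }.freeze

# Returns [[major, minor, fix], suffix_length, suffix]. OpenSSL 1.x marks patch
# releases with letters that run a..z and then za, zb, ..., so a longer suffix
# is newer and equal-length suffixes sort alphabetically.
def parse_openssl_version(text)
  m = text.match(/(\d+)\.(\d+)\.(\d+)([a-z]*)/)
  raise ArgumentError, "no OpenSSL version in #{text.inspect}" unless m

  [m[1..3].map(&:to_i), m[4].length, m[4]]
end

# true/false for the 1.0.2 and 1.1.1 branches, nil for any other branch
# (these notes say nothing about it).
def openssl_patched?(text)
  found = parse_openssl_version(text)
  fixed = FIXED_RELEASES[found.first.join(".")]
  return nil unless fixed

  (found <=> parse_openssl_version(fixed)) >= 0
end

if __FILE__ == $PROGRAM_NAME
  require "openssl"
  # Version of the OpenSSL library actually loaded by this interpreter.
  runtime = OpenSSL::OPENSSL_LIBRARY_VERSION
  # The first three strings are constructed samples.
  samples = ["OpenSSL 1.0.2y", "OpenSSL 1.0.2za", "OpenSSL 1.1.1k", runtime]
  samples.each do |s|
    verdict = case openssl_patched?(s)
              when true then "at or above fixed release"
              when false then "BELOW fixed release"
              else "branch not covered by these notes"
              end
    puts "#{s}: #{verdict}"
  end
end
```

A plain string comparison would rank `1.0.2za` below `1.0.2y` only by accident of length handling, which is why the suffix length is compared before the letters.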