## Backports

This release backports several features and fixes from Chef Infra Client 18.

### Resource Updates

This release backports the following resource updates from Chef Infra Client 18:

- Added a `rubygems_url` property to the chef_client_config resource that allows users to specify a URI as a source for Ruby gems. This could be an internal mirror of RubyGems for airgapped environments. ([#12978](https://github.com/chef/chef/pull/12978))
- Updated the rhsm_register resource so that it flushes the internal package cache after registering with Red Hat Satellite. ([#12909](https://github.com/chef/chef/pull/12909))
- Updated the chocolatey_package resource to handle changes introduced in Chocolatey CLI v2.0. ([#13928](https://github.com/chef/chef/pull/13928))

### Security

This release backports the following security updates from Chef Infra Client 18:

- Fixed an issue where properties with `desired_state: false` and `sensitive: true` would report data to the resource reporter. ([#13817](https://github.com/chef/chef/pull/13817))
- Add the ability to set a default secret service and secret service configuration in the Secrets Manager. ([#12856](https://github.com/chef/chef/pull/12856))

#### OpenSSL

Updated OpenSSL to 1.0.2zi ([#13911](https://github.com/chef/chef/pull/13911), [#14046](https://github.com/chef/chef/pull/14046)) to address the following CVEs:

- CVE-2022-2068
- CVE-2023-3446
- CVE-2023-3817
- CVE-2023-2650
- CVE-2023-0465
- CVE-2023-0466
- CVE-2023-0464
- CVE-2023-0286
- CVE-2023-0215
- CVE-2022-4304

### Bug fixes

This release backports the following bug fixes from Chef Infra Client 18:

- Fixed an issue where a PEM file is not generated when a new user is created with `knife user create`. ([#12772](https://github.com/chef/chef/pull/12772))
- Fixed a performance issue when reading attributes from nodes. ([#12743](https://github.com/chef/chef/pull/12743))
- Fixed missing X-Vault-AWS-IAM-Server-ID header in the Secrets Management Integration helper when using AWS IAM to fetch secrets from HashiCorp Vault. ([#12957](https://github.com/chef/chef/pull/12957))
- Fixed a bug where ChefSpec fails to load Compliance Profiles in Compliance Phase that contain an InSpec profile. ([#12872](https://github.com/chef/chef/pull/12872))

#### Resource fixes

- Fixed the chef_client_config resource which was rendering duplicate `ohai_disabled_plugins` and `ohai_optional_plugins` properties in the client.rb template. ([#12826](https://github.com/chef/chef/pull/12826))
- Fixed the macos_userdefaults resource where the `user` property was not being used when the `host` property wasn’t passed. This update sets default values for `user` and `host` as the current user and any host. ([#12825](https://github.com/chef/chef/pull/12825))
- Fixed the locale resource which was regenerating locales on every Chef Infra run. ([#12905](https://github.com/chef/chef/pull/12905))

#### Windows Certificates

We fixed an issue with private keys that are encrypted in the certificate store on a Windows node that is under management by two or more users or by an admin and the SYSTEM account. The private key could not be decrypted by a user other than the user that bootstrapped the node because the password is user-specific. We now use an initialization vector to encrypt the private key, which is stored in the Windows registry. This allows multiple users to decrypt a private key. ([#13552](https://github.com/chef/chef/pull/13552))

## Packaging

- Removed support for Debian 9. ([#13738](https://github.com/chef/chef/pull/13738))
- Removed support for i386 platforms. ([#13694](https://github.com/chef/chef/pull/13694))
- Removed support for FreeBSD 11. ([#12870](https://github.com/chef/chef/pull/12870))
- Added support for Rocky Linux 8 and 9. ([#14048](https://github.com/chef/chef/pull/14048))

## Dependencies

- Bump dependencies for net-ssh 7.x for RHEL 9 and Ubuntu 22.04. ([#13332](https://github.com/chef/chef/pull/13332))
- Bump chef-vault to 4.1.11. ([#13583](https://github.com/chef/chef/pull/13583))