## Updates

The Chef Manage UI has received minor updates to branding, emails, and external URLs:

- Links lead to the latest pages
- Brand logos match Chef Infra Client / Chef Infra Server
- Community Slack replaces the link to the defunct IRC channel
- Chef Questions replaces the legacy mailing list

## Package Improvements

### Smaller Package Size

The Chef Manage packaging is optimized, reducing both the package and the on-disk install size by half.

### RHEL 6 Package Removal

Chef Manage packages are no longer produced for EOL RHEL 6.

### RPM Package Digests

The file digest in Chef Infra RPM packages is updated from MD5 to SHA256 to prevent installation failures on some FIPS-enabled systems.

## Security Enhancements

### User Signup Enhancements

Users can no longer change their email during the signup process to avoid validation.

### MTLS Support

Added support for MTLS in Chef Infra Server.

### E-mail Verification

User email verification is enforced for all user email address changes.

### Ruby 2.7.4

Updated Ruby from 2.6.6 to 2.7.4 to resolve a large number of bugs as well as the following CVEs:

- CVE-2021-28966
- CVE-2021-28965
- CVE-2020-25613
- CVE-2021-31810
- CVE-2021-32066
- CVE-2021-31799

### Rails 6.1.4.1

Updated the Rails framework used by Chef Manage from 5.2.4.4 to 6.1.4.1. This new release includes performance improvements, new capabilities, and resolves the following CVEs:

- CVE-2021-22902
- CVE-2021-22903
- CVE-2021-22885
- CVE-2021-22904

### OpenSSL 1.0.2zb

Updated OpenSSL from 1.0.2w to 1.0.2zb to resolve issues with Let's Encrypt certificates and to resolve CVE-2021-3712.

### cacerts

Updated the cacerts bundle to the 2021-09-30 release, which removes older expired root certificates and adds the following new root certificates:

- AC RAIZ FNMT-RCM SERVIDORES SEGUROS
- GlobalSign Root R46
- GlobalSign Root E46
- GLOBALTRUST 2020
- ANF Secure Server Root CA
- Certum EC-384 CA
- Certum Trusted Root CA

### nokogiri 1.12.5

Updated the nokogiri gem to 1.12.5 to resolve CVE-2021-41098.

### libarchive 3.5.2

Updated the libarchive library from 3.4.3 to 3.5.2 to resolve security vulnerabilities in libarchive's handling of symbolic links.
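
The component versions in the release notes above can serve as patch floors when auditing an install. The following Ruby sketch is an added example, not code from Chef Manage: the helper names (`openssl_key`, `patched?`, `below_floor`) are hypothetical, the inventory is constructed sample data, and how the versions are collected from a host is left as an assumption.

```ruby
require "rubygems" # Gem::Version ships with Ruby

# Minimum fixed versions, taken from the release notes above.
FLOORS = {
  "ruby"       => "2.7.4",
  "rails"      => "6.1.4.1",
  "openssl"    => "1.0.2zb",
  "nokogiri"   => "1.12.5",
  "libarchive" => "3.5.2",
}.freeze

# OpenSSL 1.0.x appends a letter release to the numeric version: 1.0.2,
# 1.0.2a ... 1.0.2z, 1.0.2za, 1.0.2zb. Gem::Version would read the letters as
# a prerelease tag and sort 1.0.2w *below* 1.0.2, so split it by hand.
def openssl_key(version)
  m = /\A(\d+(?:\.\d+)*)([a-z]*)\z/.match(version) or
    raise ArgumentError, "unrecognised OpenSSL version: #{version.inspect}"
  [Gem::Version.new(m[1]), m[2]] # letters order lexicographically: w < z < za < zb
end

# Returns true when `found` is at or above the floor for `component`.
def patched?(component, found)
  floor = FLOORS.fetch(component)
  if component == "openssl"
    (openssl_key(found) <=> openssl_key(floor)) >= 0
  else
    Gem::Version.new(found) >= Gem::Version.new(floor)
  end
end

# Returns { component => found_version } for everything below its floor.
def below_floor(inventory)
  inventory.reject { |component, found| patched?(component, found) }
end

# Constructed sample inventory: the pre-upgrade versions named in the notes,
# plus a nokogiri value that is already at its floor.
SAMPLE = {
  "ruby" => "2.6.6", "rails" => "5.2.4.4", "openssl" => "1.0.2w",
  "nokogiri" => "1.12.5", "libarchive" => "3.4.3",
}.freeze

if __FILE__ == $PROGRAM_NAME
  below_floor(SAMPLE).each { |c, v| puts "#{c} #{v} is below #{FLOORS[c]}" }
end
```

The OpenSSL branch exists because a generic version comparator misorders letter releases; everything else uses `Gem::Version` directly.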