
Chef Supermarket Release Notes

Chef Supermarket 4.2.89

Bug Fixes

Fixed icons in the UI not displaying correctly.

Enhancements

Improved Search Results

Deprecated cookbooks are now filtered from search results by default. To include deprecated cookbooks in search you can enable deprecated cookbooks in the advanced search options.

Chef Supermarket 4.2.82

Bug Fixes

  • Fixed the /search API endpoint to properly return the total number of cookbooks when the result has been paginated.
  • Resolved failures when processing cookbook quality metrics.

Enhancements

GitHub Enterprise Support

You can now set up Supermarket to use a corporate GitHub Enterprise installation in user profiles and to perform cookbook quality metrics scans instead of github.com. See the Supermarket configuration documentation for more information on using this new functionality.

Maintenance Message Banner Support

You can now set a text string in Supermarket that will be displayed on login for all users. This is a great way to announce regulatory security requirements or to communicate planned maintenance windows. The content of the text can be set with the default['supermarket']['announcement_text'] attribute.

SPDX Licenses

Supermarket cookbook pages now include links to the spdx.dev site describing the terms of each software license, so you can more easily evaluate cookbook licenses against your organizational requirements. See the supermarket-ctl documentation for more information on new commands to process SPDX data for existing cookbooks.

Cookbook Deprecation Reasons

Users can now set the reason a cookbook is deprecated instead of setting a replacement cookbook when setting a cookbook to deprecated.

Security

Ruby 2.7.5

Updated Ruby from 2.7.4 to 2.7.5 to resolve the following CVEs:

  • CVE-2021-41817
  • CVE-2021-41816
  • CVE-2021-41819

Sidekiq 6.3.1

Updated the Sidekiq job queuing engine used to run cookbook quality evaluation jobs from 4.2.10 to 6.3.1 to resolve CVE-2021-30151.

Redis 6.2.6

Updated the Redis database used for queuing quality metrics jobs from 6.2.5 to 6.2.6 to resolve the following CVEs:

  • CVE-2021-41099
  • CVE-2021-32762
  • CVE-2021-32687
  • CVE-2021-32675
  • CVE-2021-32672
  • CVE-2021-32628
  • CVE-2021-32627
  • CVE-2021-32626

actionpack 6.1.4.4

Updated the actionpack gem used by Supermarket’s Ruby on Rails engine to 6.1.4.4 to resolve CVE-2021-44528.

CA Certificates 10-26-2021

Updated the bundled CA Certificates file to the 10-26-2021 release, which includes three new CA certs.

Supermarket User

The supermarket user account that runs Supermarket is now created as a system account without a working shell for added security.

Improved HTTP Headers

Set the Permissions-Policy HTTP header to disable a user’s webcam and payment systems when browsing Supermarket.

Packaging

New Relic Removal

Supermarket no longer ships with New Relic integration for administrators.

RHEL 8 Build ID

Chef Infra Server packages no longer install a build ID file that would prevent installing other Chef packages such as Infra Client.

Chef Supermarket 4.1.28

Bug Fixes

  • A regression introduced in 4.0, which caused the cookbook version pulldown to fail to load, has been resolved.

Enhancements

  • User profiles now display a Slack icon next to their Slack username.
  • Adopting or updating the maintainers for a cookbook now triggers a reevaluation of the quality score.
  • Minor branding updates have been made.
  • Embedded Chef Infra Client for supermarket-ctl reconfigure has been upgraded from 16.13 to 17.6.

Packaging

Smaller Size

Supermarket packages are now up to 15% smaller, with similar space savings for the Supermarket installation as well.

Security

OpenSSL 1.0.2zb

OpenSSL has been updated from 1.0.2za to 1.0.2zb to resolve issues with Let’s Encrypt certificates.

cacerts

The cacerts bundle has been updated to the 2021-09-30 release which removes older expired root certificates and adds the following new root certificates:

  • AC RAIZ FNMT-RCM SERVIDORES SEGUROS
  • GlobalSign Root R46
  • GlobalSign Root E46
  • GLOBALTRUST 2020
  • ANF Secure Server Root CA
  • Certum EC-384 CA
  • Certum Trusted Root CA

nokogiri

The nokogiri gem has been updated to 1.12.5 to resolve CVE-2021-41098.

puma

The puma gem has been updated from 5.5.0 to 5.5.2 to resolve CVE-2021-41136.

Chef Supermarket 4.0.21

Breaking Changes

  • Removed links to EOL Chef Provisioning drivers from the Tools tab. If you have existing Chef Provisioning Tools uploaded to Supermarket, they are no longer visible.
  • Removed CCLA and ICLA management through Supermarket. The supermarket-ctl upgrade command will drop any existing CLA-related PostgreSQL tables.
  • Removed Publish Metric from the Cookbook quality metric. Cookbooks no longer get a baseline quality score just for being published.

Bug Fixes

  • Updated the Octokit gem for interacting with GitHub to avoid deprecation e-mails from GitHub and failures running cookbook quality metrics after September 8th, 2021.
  • Fixed the dead links in Supermarket.
  • Removed links to the long-EOL’d botbotirc service.
  • Fixed incorrect user profile rendering with large numbers of cookbooks.
  • Fixed search rendering on mobile browsers.

Enhancements

  • Updated the product names in Supermarket to match current product names.
  • Adjusted the search algorithm so deprecated cookbooks are at the bottom of search results.
  • Improved error messages, with more work coming to add messages for all required S3 environmental variables.
  • Curated the list of platforms in the search filter to show common platforms.
  • Added a prompt that requires users to confirm the action before removing themselves as collaborators from cookbooks.
  • Removed references to EOL ChefDK and Chef Provisioning products.
  • Set headers in the Automated release notification e-mails from Supermarket to avoid “Out of Office” replies from cookbook authors.

Packaging

Ubuntu 16.04 Removal

We no longer make Supermarket packages for Ubuntu 16.04, which went EOL April 2021.

RPM Package Digests

The file digest in Chef Infra Server RPM packages has been updated from MD5 to SHA256 to prevent installation failures on some FIPS-enabled systems.

Ubuntu FIPS Support

Ubuntu packages are now FIPS compliant for all your FedRAMP needs.

RHEL 8 Packages

RHEL 8 packages now have additional RHEL 8 optimizations and EL8 in the filename.

SLES Packages

We now produce Supermarket packages for SLES 12 and 15.

Security

TLS 1.0 and 1.1 Disabled By Default

TLS 1.2 is now the sole default for the node['supermarket']['ssl']['protocols'] configuration attribute. The previous default was 1.0, 1.1, and 1.2. This change provides a more secure setup out of the box. It may cause failures on very old operating systems or ChefDK releases.

Content Security Policy

We added Content Security Policy HTTP response headers to improve Supermarket security and reduce the chance of cross-site scripting attacks.

Server Header Removal

We removed the HTTP ‘Server’ header from responses to prevent identification of the underlying web server.
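An added example (not Chef's code): a Ruby check that audits a response's headers for the hardening described in these notes, namely the Content Security Policy and Server header changes above and the Permissions-Policy change in 4.2.82. The `camera` and `payment` directive names and both sample header maps are assumptions constructed for illustration, not captured Supermarket responses.

```ruby
# Constructed sample header sets (assumptions, not real Supermarket output).
HARDENED_SAMPLE = {
  "Content-Security-Policy" => "default-src 'self'",
  "Permissions-Policy"      => "camera=(), payment=()"
}.freeze

LEGACY_SAMPLE = {
  "Server"             => "nginx",
  "Permissions-Policy" => "camera=(self)"
}.freeze

# Parse a Permissions-Policy value such as "camera=(), payment=()" into
# { "camera" => [], "payment" => [] } (feature => allowlist tokens).
# An empty allowlist means the feature is disabled for every origin.
def parse_permissions_policy(value)
  value.to_s.split(",").each_with_object({}) do |directive, out|
    feature, allowlist = directive.strip.split("=", 2)
    next if feature.nil? || feature.empty?
    out[feature.downcase] = allowlist.to_s.delete("()").split
  end
end

# Return a list of findings; an empty list means every check passed.
def audit_headers(headers)
  # Header names are case-insensitive, so normalise them first.
  h = headers.each_with_object({}) { |(k, v), o| o[k.to_s.downcase] = v.to_s }
  findings = []

  policy = parse_permissions_policy(h["permissions-policy"])
  %w[camera payment].each do |feature|
    if !policy.key?(feature)
      findings << "permissions-policy: #{feature} not restricted"
    elsif !policy[feature].empty?
      findings << "permissions-policy: #{feature} still allowed for #{policy[feature].join(' ')}"
    end
  end

  if h["content-security-policy"].to_s.strip.empty?
    findings << "content-security-policy: missing"
  end
  findings << "server: header present (#{h['server']})" if h.key?("server")
  findings
end

if __FILE__ == $PROGRAM_NAME
  { "hardened" => HARDENED_SAMPLE, "legacy" => LEGACY_SAMPLE }.each do |name, hdrs|
    results = audit_headers(hdrs)
    puts "#{name}: #{results.empty? ? 'ok' : results.join('; ')}"
  end
end
```

To check a live instance, pass in the hash returned by `Net::HTTP` response `to_hash` with each value array joined into a single string.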

Redirection Improvements

We improved validation within URL redirects to avoid potential spoofing.

Rails 6.1.4

The Rails engine that powers Supermarket has been updated from 5.2.4.4 to 6.1.4. This new release adds significant new capabilities to Rails that will enable future development work. It also resolves the following CVEs:

  • CVE-2021-22903
  • CVE-2021-22902
  • CVE-2021-22904
  • CVE-2021-22885
  • CVE-2021-22881
  • CVE-2021-22880
  • CVE-2020-8166

Ruby 2.7.4

Ruby has been updated from 2.6.6 to 2.7.4 to improve performance and resolve the following CVEs:

  • CVE-2020-25613
  • CVE-2021-28965
  • CVE-2021-31810
  • CVE-2021-32066
  • CVE-2021-31799

PostgreSQL 9.3.25

PostgreSQL has been updated from 9.3.18 to 9.3.25 to resolve a large number of bugs, as well as the following CVEs:

  • CVE-2018-10915
  • CVE-2018-1058
  • CVE-2018-1053
  • CVE-2017-15098
  • CVE-2017-12172

OpenResty 1.19.9.1

Supermarket’s Nginx 1.18 web server has been replaced with OpenResty 1.19.9.1. OpenResty is an Nginx-based web server that offers additional modules and is used by the Chef Infra Server. This new release includes significant performance improvements, bug fixes, and a fix for CVE-2021-23017.

Curl 7.79

Curl has been updated from 7.75 to 7.79 to resolve the following CVEs:

  • CVE-2021-22897
  • CVE-2021-22898
  • CVE-2021-22901
  • CVE-2021-22922
  • CVE-2021-22923
  • CVE-2021-22924
  • CVE-2021-22925
  • CVE-2021-22926
  • CVE-2021-22945
  • CVE-2021-22946
  • CVE-2021-22947

Omniauth 2.0.4

The omniauth gem used by Supermarket has been updated from 1.9.1 to 2.0.4 to resolve CVE-2015-9284.

Redis 6.2.5

Redis has been updated from 3.0.7 to 6.2.5. This new release includes significant new capabilities and resolves the following CVEs:

  • CVE-2021-32761
  • CVE-2021-3470
  • CVE-2020-14147
  • CVE-2019-10193
  • CVE-2019-10192
  • CVE-2018-12453
  • CVE-2018-12326
  • CVE-2018-11219
  • CVE-2018-11218
  • CVE-2016-10517

OpenSSL 1.0.2za

OpenSSL has been updated from 1.0.2y to 1.0.2za to resolve CVE-2021-3712.

NodeJS Runtime Removal

Supermarket has switched from a full installation of EOL NodeJS 0.10.35 to an embedded release bundled within Ruby. This resolves a large number of CVEs and improves security by reducing the overall attack surface.

Python Runtime Removal

Removing NodeJS runtime from Supermarket made bundling Python 2.7 as part of Supermarket unnecessary. Removing Python 2.7 also resolves multiple CVEs and improves security by reducing the overall attack surface.

Chef Supermarket 3.4.8

Enhancements

Supermarket has been updated to support using external PostgreSQL releases version 9.6 and later, allowing you to use up-to-date external PostgreSQL services such as Amazon RDS.

Security Updates

Activerecord

The activerecord gem has been updated from 5.2.4.4 to 5.2.4.5 to resolve CVE-2021-22880.

Redcarpet

The redcarpet gem has been updated from 3.4.0 to 3.5.1 to resolve GHSA-q3wr-qw3g-3p4h.

Nokogiri

The nokogiri gem has been updated from 1.10.10 to 1.11.1 to resolve CVE-2020-26247.

OpenSSL

The bundled OpenSSL library has been updated from 1.0.2u to 1.0.2y to resolve the following CVEs:

curl

The embedded curl CLI has been updated from 7.71.1 to 7.75.0 to resolve the following CVEs:

Chef Supermarket 3.4.1

Bug Fixes

  • disambiguate columns used in query ordering #1893 (robbkidd)
  • Fix exceptions thrown by displaying an error #1894 (robbkidd)
  • [omnibus] use YAML.dump to serialize simple hashes to disk #1896 (robbkidd)

Security Fixes

  • add HTTP strict transport security header when force SSL is enabled #1855 (robbkidd)

Maintenance Updates

Chef Supermarket 3.3.35

Security Fixes

These updates resolve CVE scanner audits. No vulnerabilities were found in Supermarket’s use of these components.

Enhancements

  • add support for enabling Server Side Encryption when storing cookbooks in AWS S3 #1888 (bdwyertech)
  • add packages for Amazon Linux 2 to the pipeline #1875 (tas50)

Maintenance Updates

  • update Foodcritic from 14.3 to 16.3 #1881 (tas50)
  • update Cookstyle / Chefstyle to the latest #1882 (tas50)
  • require Chef 14+ in omnibus now #1883 (tas50)

Chef Supermarket 3.3.26

Security Fixes

Merged Pull Requests

  • Remove bundler-audit from tests; we're auditing with GitHub #1861 (tas50)
  • Resolve upcoming OpenSSL Ruby library deprecation of algorithm constants #1860 (tas50)

Chef Supermarket 3.3.20

Security Fixes

Merged Pull Requests

Chef Supermarket 3.3.7

Security Fixes

Merged Pull Requests

Chef Supermarket 3.3.3

Security Fixes

Bug Fixes

  • fix 'tarball' is corrupt: "\x80\x00\x00\x00\x0E:\xBFD" is not an octal string upload error when cookbook tarball uid/gid is very large #1810 (robbkidd)

Chef Supermarket 3.3.1

A big thanks goes out to Pavel Kazhavets for contributing the fix for enabling AWS IAM roles for S3 bucket cookbook storage. IAM user keys are no longer required!

Enhancements

Chef Supermarket 3.2.2

Security Fixes

Chef Supermarket 3.2.0

This release does not have any release notes.

Chef Supermarket 3.1.96

Security Fixes

  • update Rails to 5.0.7.1 #1784 (robbkidd)
  • update rack (& other gems) in the omnibus build environment #1785 (robbkidd)
  • update rack for CVE-2018-16471 #1782 (robbkidd)
  • RFC072 Artifact Yanking: disallow cookbook removal by owner (not enabled by default onprem … yet) #1789 (robbkidd)

Merged Pull Requests

  • update omnibus to use latest enterprise cookbook #1788 (robbkidd)

Chef Supermarket 3.1.91

Bug Fixes

  • Fix search engines knowing the correct cookbook create/update datetimes #1779 (rmoriz) - Thanks to rmoriz for a fix to cookbook display dates that should help discovery in search engine ranking!

Security Updates

Merged Pull Requests

Chef Supermarket 3.1.81

Security Fixes

Bug Fixes

  • replace periodic job scheduler with one that is maintained #1756 (robbkidd)

Merged Pull Requests

  • reorganize the fieri subcomponent to make supermarket more container friendly #1704 (robbkidd)
  • habitat skeleton to get started #1761 (jtimberman)
  • change "knife cookbook site" references to "knife supermarket" #1762 (tas50)

Chef Supermarket 3.1.72

Security Fixes

  • fix markdown rendering links and images with unsafe protocols #1746 (robbkidd)

Merged Pull Requests

Chef Supermarket 3.1.70

This release does not have any release notes.

Chef Supermarket 3.1.68

This release does not have any release notes.

Chef Supermarket 3.1.63

This release does not have any release notes.

Chef Supermarket 3.1.62

This release does not have any release notes.

Chef Supermarket 3.1.61

This release does not have any release notes.

Chef Supermarket 3.1.56

This release does not have any release notes.

Chef Supermarket 3.1.51

This release does not have any release notes.

Chef Supermarket 3.1.50

This release does not have any release notes.

Chef Supermarket 3.1.47

This release does not have any release notes.

Chef Supermarket 3.1.42

This release does not have any release notes.

Chef Supermarket 3.1.41

This release does not have any release notes.

Chef Supermarket 3.1.34

This release does not have any release notes.

Chef Supermarket 3.1.31

This release does not have any release notes.

Chef Supermarket 3.1.29

This release does not have any release notes.

Chef Supermarket 3.1.28

This release does not have any release notes.

Chef Supermarket 3.1.25

This release does not have any release notes.

Chef Supermarket 3.1.23

This release does not have any release notes.

Chef Supermarket 3.1.22

This release does not have any release notes.

Chef Supermarket 3.1.14

This release does not have any release notes.

Chef Supermarket 3.1.10

This release does not have any release notes.

Chef Supermarket 3.1.6

This release does not have any release notes.

Chef Supermarket 3.1.4

This release does not have any release notes.

Chef Supermarket 3.1.1

This release does not have any release notes.

Chef Supermarket 3.1.0

This release does not have any release notes.

Chef Supermarket 3.0.2

This release does not have any release notes.

Chef Supermarket 3.0.0

This release does not have any release notes.

Chef Supermarket 2.9.30

This release does not have any release notes.

Chef Supermarket 2.9.29

This release does not have any release notes.

Chef Supermarket 2.9.21

This release does not have any release notes.

Chef Supermarket 2.9.15

This release does not have any release notes.

Chef Supermarket 2.9.7

This release does not have any release notes.

Chef Supermarket 2.9.3

This release does not have any release notes.

Chef Supermarket 2.8.61

This release does not have any release notes.

Chef Supermarket 2.8.43

This release does not have any release notes.

Chef Supermarket 2.8.34

This release does not have any release notes.

Chef Supermarket 2.8.30

This release does not have any release notes.

Chef Supermarket 2.8.27

This release does not have any release notes.

Chef Supermarket 2.8.25

This release does not have any release notes.

Chef Supermarket 2.8.15

This release does not have any release notes.

Chef Supermarket 2.8.3

This release does not have any release notes.

Chef Supermarket 2.8.2

This release does not have any release notes.

Chef Supermarket 2.8.1

This release does not have any release notes.

Chef Supermarket 2.8.0

This release does not have any release notes.

Chef Supermarket 2.7.4

This release does not have any release notes.

Chef Supermarket 2.7.3

This release does not have any release notes.

Chef Supermarket 2.7.2

This release does not have any release notes.

Chef Supermarket 2.6.1

This release does not have any release notes.

Chef Supermarket 2.6.0

This release does not have any release notes.

Chef Supermarket 2.5.2

This release does not have any release notes.

Chef Supermarket 2.5.0

This release does not have any release notes.

Chef Supermarket 2.4.2

This release does not have any release notes.

Chef Supermarket 2.4.1

This release does not have any release notes.

Chef Supermarket 2.4.0

This release does not have any release notes.

Chef Supermarket 2.3.3

This release does not have any release notes.

Chef Supermarket 2.3.2

This release does not have any release notes.

Chef Supermarket 2.3.0

This release does not have any release notes.

Chef Supermarket 2.2.2

This release does not have any release notes.

Chef Supermarket 2.2.1

This release does not have any release notes.

Chef Supermarket 2.1.4-alpha.0

This release does not have any release notes.

Chef Supermarket 2.1.3-alpha.0

This release does not have any release notes.

Chef Supermarket 2.1.2-alpha.0

This release does not have any release notes.

Chef Supermarket 2.1.1-alpha.0

This release does not have any release notes.

Chef Supermarket 2.1.0-alpha.0

This release does not have any release notes.

Chef Supermarket 2.0.2-alpha.0

This release does not have any release notes.

Chef Supermarket 2.0.1-alpha.0

This release does not have any release notes.

Chef Supermarket 2.0.0-alpha.0

This release does not have any release notes.

Chef Supermarket 1.12.0-alpha.0

This release does not have any release notes.

Chef Supermarket 1.11.0-alpha.0

This release does not have any release notes.

Chef Supermarket 1.10.1-alpha.0

This release does not have any release notes.

Chef Supermarket 1.10.0-alpha.0

This release does not have any release notes.

Chef Supermarket 1.9.0-alpha.0

This release does not have any release notes.

Chef Supermarket 1.8.0-alpha.0

This release does not have any release notes.

Chef Supermarket 1.6.0-alpha.0

This release does not have any release notes.

Chef Supermarket 1.5.0-alpha.0

This release does not have any release notes.

Chef Supermarket 1.3.0-alpha.0

This release does not have any release notes.
