
Commit cfbb717

committed
Editing
Signed-off-by: Ian Maddaus <ian.maddaus@progress.com>
1 parent fc410b5 commit cfbb717

1 file changed

Lines changed: 7 additions & 42 deletions

File tree

content/release_notes/server.md

@@ -23,48 +23,13 @@ Released on TBD
2323

2424
### Security
2525

26-
#### JWT empty-key HMAC bypass
26+
- Updated `jwt` from 3.1.2 to 3.2.0 in `oc-id` and `chef-server-ctl`.
27+
- Updated `addressable` from 2.8.7 to 2.9.0 in `oc-id` and `chef-server-ctl`.
28+
- Updated Erlang/OTP from 26.2.2 to 26.2.5.
29+
- Updated Rack from 3.2.4 to 3.2.6.
30+
- The `/version` API endpoint no longer exposes internal library names and version details.
2731

28-
Updated `jwt` from 3.1.2 to 3.2.0 in `oc-id` and `chef-server-ctl` to resolve an authentication
29-
bypass vulnerability affecting versions prior to 3.2.0.
30-
31-
- CVE-2026-45363
32-
33-
#### Addressable URI Template ReDoS
34-
35-
Updated `addressable` from 2.8.7 to 2.9.0 in `oc-id` and `chef-server-ctl` to fully remediate a
36-
regular expression denial of service (ReDoS) vulnerability in URI template matching.
37-
38-
- CVE-2026-35611
39-
40-
#### Erlang Security Updates
41-
42-
Updated Erlang/OTP from 26.2.2 to 26.2.5, which resolves the following CVEs:
43-
44-
- CVE-2025-32433
45-
- CVE-2025-30211
46-
- CVE-2025-26618
47-
- CVE-2025-48041
48-
- CVE-2025-48038
49-
- CVE-2025-48039
50-
- CVE-2025-48040
51-
- CVE-2025-4748
52-
- CVE-2024-53846
53-
- CVE-2025-46712
54-
55-
#### Rack security update
56-
57-
Updated Rack from 3.2.4 to 3.2.6 to resolve the following CVEs:
58-
59-
- CVE-2025-9230
60-
- CVE-2025-9231
61-
- CVE-2025-9232
62-
63-
#### Reduced information disclosure at `/version` endpoint
64-
65-
The `/version` API endpoint no longer exposes internal library names and version details.
66-
67-
### Bug Fixes
32+
### Bug fixes
6833

6934
- Fixed an incorrect log rotation configuration in the Bifrost service where the request logger
7035
was writing to `crash.log` instead of `requests.log`. ([#4188](https://github.com/chef/chef-server/pull/4188))
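Review bot: The rewrite of the Security section drops every CVE identifier that the old text carried (`- CVE-2026-45363` for `jwt`, `- CVE-2026-35611` for `addressable`, the ten Erlang/OTP CVEs from `CVE-2025-32433` through `CVE-2025-46712`, and the three Rack CVEs `CVE-2025-9230`, `CVE-2025-9231`, `CVE-2025-9232`), so an operator reading the new one-line bullets can no longer map a dependency bump to the advisories it remediates or confirm coverage against a vulnerability scanner's findings. The `jwt` bullet also loses the statement that the upgrade resolves "an authentication bypass vulnerability affecting versions prior to 3.2.0", which is the severity signal that tells an operator to prioritise this upgrade. Suggest keeping the identifiers inline in each bullet, for example `- Updated Rack from 3.2.4 to 3.2.6 (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232).`, or adding a link to a published advisory that lists them; the terser layout is fine as long as the CVE mapping survives somewhere in the notes.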
@@ -83,7 +48,7 @@ The `/version` API endpoint no longer exposes internal library names and version
8348
missing or invalid, a 90-day trial period begins from the time of upgrade.
8449
([#4152](https://github.com/chef/chef-server/pull/4152))
8550

86-
### Updated Components
51+
### Updated components
8752

8853
- Chef Infra Client updated from 18.8.46 to 18.10.17.
8954
- knife updated from 18.8.68 to 19.0.105.
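Review bot: The heading-case change to `### Updated components` matches the `### Bug fixes` rename in the earlier hunk, so the two hunks are consistent with each other; before merging, check that the remaining `###` headings in this file (at least `### Security`, which is untouched here) and the other release-notes pages follow the same sentence-case convention, otherwise this leaves the file half-converted.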
