@@ -23,48 +23,13 @@ Released on TBD
2323
2424### Security
2525
26- #### JWT empty-key HMAC bypass
26+ - Updated ` jwt ` from 3.1.2 to 3.2.0 in ` oc-id ` and ` chef-server-ctl ` .
27+ - Updated ` addressable ` from 2.8.7 to 2.9.0 in ` oc-id ` and ` chef-server-ctl ` .
28+ - Updated Erlang/OTP from 26.2.2 to 26.2.5.
29+ - Updated Rack from 3.2.4 to 3.2.6.
30+ - The ` /version ` API endpoint no longer exposes internal library names and version details.
2731
28- Updated ` jwt ` from 3.1.2 to 3.2.0 in ` oc-id ` and ` chef-server-ctl ` to resolve an authentication
29- bypass vulnerability affecting versions prior to 3.2.0.
30-
31- - CVE-2026 -45363
32-
33- #### Addressable URI Template ReDoS
34-
35- Updated ` addressable ` from 2.8.7 to 2.9.0 in ` oc-id ` and ` chef-server-ctl ` to fully remediate a
36- regular expression denial of service (ReDoS) vulnerability in URI template matching.
37-
38- - CVE-2026 -35611
39-
40- #### Erlang Security Updates
41-
42- Updated Erlang/OTP from 26.2.2 to 26.2.5, which resolves the following CVEs:
43-
44- - CVE-2025 -32433
45- - CVE-2025 -30211
46- - CVE-2025 -26618
47- - CVE-2025 -48041
48- - CVE-2025 -48038
49- - CVE-2025 -48039
50- - CVE-2025 -48040
51- - CVE-2025 -4748
52- - CVE-2024 -53846
53- - CVE-2025 -46712
54-
55- #### Rack security update
56-
57- Updated Rack from 3.2.4 to 3.2.6 to resolve the following CVEs:
58-
59- - CVE-2025 -9230
60- - CVE-2025 -9231
61- - CVE-2025 -9232
62-
63- #### Reduced information disclosure at ` /version ` endpoint
64-
65- The ` /version ` API endpoint no longer exposes internal library names and version details.
66-
67- ### Bug Fixes
32+ ### Bug fixes
6833
6934- Fixed an incorrect log rotation configuration in the Bifrost service where the request logger
7035 was writing to ` crash.log ` instead of ` requests.log ` . ([ #4188 ] ( https://github.com/chef/chef-server/pull/4188 ) )
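Review bot: The new bullets under `### Security` drop every CVE identifier and the vulnerability class that the removed subsections carried: the `jwt` bullet no longer says the update resolves an authentication bypass in versions prior to 3.2.0, the `addressable` bullet no longer mentions the ReDoS in URI template matching, and the Erlang/OTP and Rack bullets lose their CVE lists. Operators matching scanner findings to a release, or deciding how urgently to upgrade, rely on that mapping. Suggest keeping the compact list but appending the impact and the previously listed CVE IDs to each bullet, or linking each bullet to an advisory that holds them. If the IDs were removed because they could not be verified, the commit message should say so.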
@@ -83,7 +48,7 @@ The `/version` API endpoint no longer exposes internal library names and version
8348 missing or invalid, a 90-day trial period begins from the time of upgrade.
8449 ([ #4152 ] ( https://github.com/chef/chef-server/pull/4152 ) )
8550
86- ### Updated Components
51+ ### Updated components
8752
8853- Chef Infra Client updated from 18.8.46 to 18.10.17.
8954- knife updated from 18.8.68 to 19.0.105.
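Review bot: The heading rename to `### Updated components` is a style-only change that matches the `### Bug fixes` rename in the first hunk; check that the remaining headings in this file use the same sentence case so the release notes do not end up mixed. Nothing else in this hunk changes, so no further comment on the content.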