-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2020-13250: Cache DoS / OOM #8023
Merged
hanshasselberg
merged 2 commits into
hashicorp:master
from
hanshasselberg:disable_http_cache
Jun 8, 2020
Merged
CVE-2020-13250: Cache DoS / OOM #8023
hanshasselberg
merged 2 commits into
hashicorp:master
from
hanshasselberg:disable_http_cache
Jun 8, 2020
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This allows the operator to disable agent caching for the http endpoint. It is on by default for backwards compatibility and if disabled will ignore the url parameter `cached`.
Co-authored-by: Matt Keeler <[email protected]>
hanshasselberg
force-pushed
the
disable_http_cache
branch
from
June 4, 2020 21:00
da434fc
to
5973e9f
Compare
mkeeler
approved these changes
Jun 5, 2020
hanshasselberg
added a commit
that referenced
this pull request
Jun 8, 2020
This allows the operator to disable agent caching for the http endpoint. It is on by default for backwards compatibility and if disabled will ignore the url parameter `cached`.
hanshasselberg
added a commit
that referenced
this pull request
Jun 8, 2020
This allows the operator to disable agent caching for the http endpoint. It is on by default for backwards compatibility and if disabled will ignore the url parameter `cached`.
hanshasselberg
added a commit
that referenced
this pull request
Jun 8, 2020
This allows the operator to disable agent caching for the http endpoint. It is on by default for backwards compatibility and if disabled will ignore the url parameter `cached`.
hanshasselberg
changed the title
Option to disable agent cache for HTTP endpoints
CVE-2020-13250: Cache DoS / OOM
Jun 10, 2020
hanshasselberg
added a commit
that referenced
this pull request
Jun 10, 2020
This allows the operator to disable agent caching for the http endpoint. It is on by default for backwards compatibility and if disabled will ignore the url parameter `cached`.
hanshasselberg
added a commit
that referenced
this pull request
Jun 10, 2020
* consul 1.7.4 * agent: add option to disable agent cache for HTTP endpoints (#8023) This allows the operator to disable agent caching for the http endpoint. It is on by default for backwards compatibility and if disabled will ignore the url parameter `cached`.
chaudum
referenced
this pull request
in grafana/loki
Oct 20, 2023
#10830) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) | replace | minor | `v1.5.1` -> `v1.14.5` | --- ### Denial of Service (DoS) in HashiCorp Consul [CVE-2020-7219](https://nvd.nist.gov/vuln/detail/CVE-2020-7219) / [GHSA-23jv-v6qj-3fhh](https://togithub.com/advisories/GHSA-23jv-v6qj-3fhh) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. ##### Specific Go Packages Affected github.com/hashicorp/consul/agent/consul #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-7219](https://nvd.nist.gov/vuln/detail/CVE-2020-7219) - [https://github.com/hashicorp/consul/issues/7159](https://togithub.com/hashicorp/consul/issues/7159) - [https://www.hashicorp.com/blog/category/consul/](https://www.hashicorp.com/blog/category/consul/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-23jv-v6qj-3fhh) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Incorrect Authorization in HashiCorp Consul [CVE-2020-7955](https://nvd.nist.gov/vuln/detail/CVE-2020-7955) / [GHSA-r9w6-rhh9-7v53](https://togithub.com/advisories/GHSA-r9w6-rhh9-7v53) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-7955](https://nvd.nist.gov/vuln/detail/CVE-2020-7955) - [https://github.com/hashicorp/consul/issues/7160](https://togithub.com/hashicorp/consul/issues/7160) - [https://www.hashicorp.com/blog/category/consul/](https://www.hashicorp.com/blog/category/consul/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-r9w6-rhh9-7v53) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Allocation of Resources Without Limits or Throttling in Hashicorp Consul [CVE-2020-13250](https://nvd.nist.gov/vuln/detail/CVE-2020-13250) / [GHSA-rqjq-mrgx-85hp](https://togithub.com/advisories/GHSA-rqjq-mrgx-85hp) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. ##### Specific Go Packages Affected github.com/hashicorp/consul/agent/config ##### Fix The vulnerability is fixed in versions 1.6.6 and 1.7.4. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-13250](https://nvd.nist.gov/vuln/detail/CVE-2020-13250) - [https://github.com/hashicorp/consul/pull/8023](https://togithub.com/hashicorp/consul/pull/8023) - [https://github.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef46941432](https://togithub.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef46941432) - [https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md](https://togithub.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md) - [https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md](https://togithub.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-rqjq-mrgx-85hp) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul Cross-site Scripting vulnerability [CVE-2020-25864](https://nvd.nist.gov/vuln/detail/CVE-2020-25864) / [GHSA-8xmx-h8rq-h94j](https://togithub.com/advisories/GHSA-8xmx-h8rq-h94j) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. #### Severity - CVSS Score: 6.1 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-25864](https://nvd.nist.gov/vuln/detail/CVE-2020-25864) - [https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368](https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8xmx-h8rq-h94j) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul Privilege Escalation Vulnerability [CVE-2021-37219](https://nvd.nist.gov/vuln/detail/CVE-2021-37219) / [GHSA-ccw8-7688-vqx4](https://togithub.com/advisories/GHSA-ccw8-7688-vqx4) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. #### Severity - CVSS Score: 8.8 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-37219](https://nvd.nist.gov/vuln/detail/CVE-2021-37219) - [https://github.com/hashicorp/consul/pull/10925](https://togithub.com/hashicorp/consul/pull/10925) - [https://github.com/hashicorp/consul/commit/3357e57dac9aadabd476f7a14973e47f003c4cf0](https://togithub.com/hashicorp/consul/commit/3357e57dac9aadabd476f7a14973e47f003c4cf0) - [https://github.com/hashicorp/consul/commit/473edd1764b6739e2e4610ea5dede4c2bc6009d1](https://togithub.com/hashicorp/consul/commit/473edd1764b6739e2e4610ea5dede4c2bc6009d1) - [https://github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103](https://togithub.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103) - [https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024](https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-ccw8-7688-vqx4) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. [CVE-2021-38698](https://nvd.nist.gov/vuln/detail/CVE-2021-38698) / [GHSA-6hw5-6gcx-phmw](https://togithub.com/advisories/GHSA-6hw5-6gcx-phmw) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. #### Severity - CVSS Score: 6.5 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-38698](https://nvd.nist.gov/vuln/detail/CVE-2021-38698) - [https://github.com/hashicorp/consul/pull/10824](https://togithub.com/hashicorp/consul/pull/10824) - [https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026](https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6hw5-6gcx-phmw) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector [CVE-2022-29153](https://nvd.nist.gov/vuln/detail/CVE-2022-29153) / [GHSA-q6h7-4qgw-2j9p](https://togithub.com/advisories/GHSA-q6h7-4qgw-2j9p) <details> <summary>More information</summary> #### Details A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-29153](https://nvd.nist.gov/vuln/detail/CVE-2022-29153) - [https://discuss.hashicorp.com](https://discuss.hashicorp.com) - [https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/](https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/) - [https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393](https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/) - [https://lists.fedoraproject.org/archives/list/[email protected]/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/](https://lists.fedoraproject.org/archives/list/[email protected]/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://security.netapp.com/advisory/ntap-20220602-0005/](https://security.netapp.com/advisory/ntap-20220602-0005/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-q6h7-4qgw-2j9p) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hashicorp Consul Missing SSL Certificate Validation [CVE-2021-32574](https://nvd.nist.gov/vuln/detail/CVE-2021-32574) / [GHSA-25gf-8qrr-g78r](https://togithub.com/advisories/GHSA-25gf-8qrr-g78r) <details> <summary>More information</summary> #### Details HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-32574](https://nvd.nist.gov/vuln/detail/CVE-2021-32574) - [https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856](https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856) - [https://github.com/hashicorp/consul/releases/tag/v1.10.1](https://togithub.com/hashicorp/consul/releases/tag/v1.10.1) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-25gf-8qrr-g78r) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul L7 deny intention results in an allow action [CVE-2021-36213](https://nvd.nist.gov/vuln/detail/CVE-2021-36213) / [GHSA-8h2g-r292-j8xh](https://togithub.com/advisories/GHSA-8h2g-r292-j8xh) <details> <summary>More information</summary> #### Details In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-36213](https://nvd.nist.gov/vuln/detail/CVE-2021-36213) - [https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855](https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855) - [https://github.com/hashicorp/consul/](https://togithub.com/hashicorp/consul/) - [https://github.com/hashicorp/consul/releases/tag/v1.10.1](https://togithub.com/hashicorp/consul/releases/tag/v1.10.1) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8h2g-r292-j8xh) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul vulnerable to authorization bypass [CVE-2022-40716](https://nvd.nist.gov/vuln/detail/CVE-2022-40716) / [GHSA-m69r-9g56-7mv8](https://togithub.com/advisories/GHSA-m69r-9g56-7mv8) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This issue has been fixed in versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds. #### Severity - CVSS Score: 6.5 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-40716](https://nvd.nist.gov/vuln/detail/CVE-2022-40716) - [https://github.com/hashicorp/consul/pull/14579](https://togithub.com/hashicorp/consul/pull/14579) - [https://github.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b](https://togithub.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b) - [https://discuss.hashicorp.com](https://discuss.hashicorp.com) - [https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628](https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/](https://lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/) - [https://lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/](https://lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m69r-9g56-7mv8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hashicorp Consul vulnerable to denial of service [CVE-2023-1297](https://nvd.nist.gov/vuln/detail/CVE-2023-1297) / [GHSA-c57c-7hrj-6q6v](https://togithub.com/advisories/GHSA-c57c-7hrj-6q6v) <details> <summary>More information</summary> #### Details Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3 #### Severity - CVSS Score: 4.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2023-1297](https://nvd.nist.gov/vuln/detail/CVE-2023-1297) - [https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515](https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-c57c-7hrj-6q6v) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>hashicorp/consul (github.com/hashicorp/consul)</summary> ### [`v1.14.5`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.5) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.4...v1.14.5) #### 1.14.5 (March 7, 2023) SECURITY: - Upgrade to use Go 1.20.1. This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`. \[[GH-16263](https://togithub.com/hashicorp/consul/issues/16263)] IMPROVEMENTS: - container: Upgrade container image to use to Alpine 3.17. \[[GH-16358](https://togithub.com/hashicorp/consul/issues/16358)] - mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable \[[GH-16495](https://togithub.com/hashicorp/consul/issues/16495)] BUG FIXES: - mesh: Fix resolution of service resolvers with subsets for external upstreams \[[GH-16499](https://togithub.com/hashicorp/consul/issues/16499)] - peering: Fix bug where services were incorrectly imported as connect-enabled. \[[GH-16339](https://togithub.com/hashicorp/consul/issues/16339)] - peering: Fix issue where mesh gateways would use the wrong address when contacting a remote peer with the same datacenter name. \[[GH-16257](https://togithub.com/hashicorp/consul/issues/16257)] - peering: Fix issue where secondary wan-federated datacenters could not be used as peering acceptors. \[[GH-16230](https://togithub.com/hashicorp/consul/issues/16230)] - proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services \[[GH-16498](https://togithub.com/hashicorp/consul/issues/16498)] ### [`v1.14.4`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.4) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.3...v1.14.4) #### 1.14.4 (January 26, 2023) BREAKING CHANGES: - connect: Fix configuration merging for transparent proxy upstreams. Proxy-defaults and service-defaults config entries were not correctly merged for implicit upstreams in transparent proxy mode and would result in some configuration not being applied. To avoid issues when upgrading, ensure that any proxy-defaults or service-defaults have correct configuration for upstreams, since all fields will now be properly used to configure proxies. \[[GH-16000](https://togithub.com/hashicorp/consul/issues/16000)] - peering: Newly created peering connections must use only lowercase characters in the `name` field. Existing peerings with uppercase characters will not be modified, but they may encounter issues in various circumstances. To maintain forward compatibility and avoid issues, it is recommended to destroy and re-create any invalid peering connections so that they do not have a name containing uppercase characters. \[[GH-15697](https://togithub.com/hashicorp/consul/issues/15697)] FEATURES: - connect: add flags `envoy-ready-bind-port` and `envoy-ready-bind-address` to the `consul connect envoy` command that allows configuration of readiness probe on proxy for any service kind. \[[GH-16015](https://togithub.com/hashicorp/consul/issues/16015)] - deps: update to latest go-discover to provide ECS auto-discover capabilities. \[[GH-13782](https://togithub.com/hashicorp/consul/issues/13782)] IMPROVEMENTS: - acl: relax permissions on the `WatchServers`, `WatchRoots` and `GetSupportedDataplaneFeatures` gRPC endpoints to accept *any* valid ACL token \[[GH-15346](https://togithub.com/hashicorp/consul/issues/15346)] - connect: Add support for ConsulResolver to specifies a filter expression \[[GH-15659](https://togithub.com/hashicorp/consul/issues/15659)] - grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. \[[GH-15701](https://togithub.com/hashicorp/consul/issues/15701)] - partition: **(Consul Enterprise only)** when loading service from on-disk config file or sending API request to agent endpoint, if the partition is unspecified, consul will default the partition in the request to agent's partition \[[GH-16024](https://togithub.com/hashicorp/consul/issues/16024)] BUG FIXES: - agent: Fix assignment of error when auto-reloading cert and key file changes. \[[GH-15769](https://togithub.com/hashicorp/consul/issues/15769)] - agent: Fix issue where the agent cache would incorrectly mark protobuf objects as updated. \[[GH-15866](https://togithub.com/hashicorp/consul/issues/15866)] - cli: Fix issue where `consul connect envoy` was unable to configure TLS over unix-sockets to gRPC. \[[GH-15913](https://togithub.com/hashicorp/consul/issues/15913)] - connect: **(Consul Enterprise only)** Fix issue where upstream configuration from proxy-defaults and service-defaults was not properly merged. This could occur when a mixture of empty-strings and "default" were used for the namespace or partition fields. - connect: Fix issue where service-resolver protocol checks incorrectly errored for failover peer targets. \[[GH-15833](https://togithub.com/hashicorp/consul/issues/15833)] - connect: Fix issue where watches on upstream failover peer targets did not always query the correct data. \[[GH-15865](https://togithub.com/hashicorp/consul/issues/15865)] - xds: fix bug where sessions for locally-managed services could fail with "this server has too many xDS streams open" \[[GH-15789](https://togithub.com/hashicorp/consul/issues/15789)] ### [`v1.14.3`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.3) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.2...v1.14.3) #### 1.14.3 (December 13, 2022) SECURITY: - Upgrade to use Go 1.19.4. This resolves a vulnerability where restricted files can be read on Windows. [CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720) \[[GH-15705](https://togithub.com/hashicorp/consul/issues/15705)] - Upgrades `golang.org/x/net` to prevent a denial of service by excessive memory usage caused by HTTP2 requests. [CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717) \[[GH-15737](https://togithub.com/hashicorp/consul/issues/15737)] FEATURES: - ui: Add field for fallback server addresses to peer token generation form \[[GH-15555](https://togithub.com/hashicorp/consul/issues/15555)] IMPROVEMENTS: - connect: ensure all vault connect CA tests use limited privilege tokens \[[GH-15669](https://togithub.com/hashicorp/consul/issues/15669)] BUG FIXES: - agent: **(Enterprise Only)** Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions. - connect: Fix issue where DialedDirectly configuration was not used by Consul Dataplane. \[[GH-15760](https://togithub.com/hashicorp/consul/issues/15760)] - connect: Fix peering failovers ignoring local mesh gateway configuration. \[[GH-15690](https://togithub.com/hashicorp/consul/issues/15690)] - connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs \[[GH-15661](https://togithub.com/hashicorp/consul/issues/15661)] ### [`v1.14.2`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.2) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.1...v1.14.2) #### 1.14.2 (November 30, 2022) FEATURES: - connect: Add local_idle_timeout_ms to allow configuring the Envoy route idle timeout on local_app connect: Add IdleTimeout to service-router to allow configuring the Envoy route idle timeout \[[GH-14340](https://togithub.com/hashicorp/consul/issues/14340)] - snapshot: **(Enterprise Only)** Add support for the snapshot agent to use an IAM role for authentication/authorization when managing snapshots in S3. IMPROVEMENTS: - dns: Add support for cluster peering `.service` and `.node` DNS queries. \[[GH-15596](https://togithub.com/hashicorp/consul/issues/15596)] BUG FIXES: - acl: avoid debug log spam in secondary datacenter servers due to management token not being initialized. \[[GH-15610](https://togithub.com/hashicorp/consul/issues/15610)] - agent: Fixed issue where blocking queries with short waits could timeout on the client \[[GH-15541](https://togithub.com/hashicorp/consul/issues/15541)] - ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty \[[GH-15525](https://togithub.com/hashicorp/consul/issues/15525)] - cli: **(Enterprise Only)** Fix issue where `consul partition update` subcommand was not registered and therefore not available through the cli. - connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs \[[GH-15217](https://togithub.com/hashicorp/consul/issues/15217)] \[[GH-15253](https://togithub.com/hashicorp/consul/issues/15253)] - namespace: **(Enterprise Only)** Fix a bug that caused blocking queries during namespace replication to timeout - peering: better represent non-passing states during peer check flattening \[[GH-15615](https://togithub.com/hashicorp/consul/issues/15615)] - peering: fix the limit of replication gRPC message; set to 8MB \[[GH-15503](https://togithub.com/hashicorp/consul/issues/15503)] ### [`v1.14.1`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.1) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.0...v1.14.1) #### 1.14.1 (November 21, 2022) BUG FIXES: - cli: Fix issue where `consul connect envoy` incorrectly uses the HTTPS API configuration for xDS connections. \[[GH-15466](https://togithub.com/hashicorp/consul/issues/15466)] - sdk: Fix SDK testutil backwards compatibility by only configuring grpc_tls port for new Consul versions. \[[GH-15423](https://togithub.com/hashicorp/consul/issues/15423)] ### [`v1.14.0`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.0) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.9...v1.14.0) #### 1.14.0 (November 15, 2022) BREAKING CHANGES: - config: Add new `ports.grpc_tls` configuration option. Introduce a new port to better separate TLS config from the existing `ports.grpc` config. The new `ports.grpc_tls` only supports TLS encrypted communication. The existing `ports.grpc` now only supports plain-text communication. \[[GH-15339](https://togithub.com/hashicorp/consul/issues/15339)] - config: update 1.14 config defaults: Enable `peering` and `connect` by default. \[[GH-15302](https://togithub.com/hashicorp/consul/issues/15302)] - config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 \[[GH-15302](https://togithub.com/hashicorp/consul/issues/15302)] - connect: Removes support for Envoy 1.20 \[[GH-15093](https://togithub.com/hashicorp/consul/issues/15093)] - peering: Rename `PeerName` to `Peer` on prepared queries and exported services. \[[GH-14854](https://togithub.com/hashicorp/consul/issues/14854)] - xds: Convert service mesh failover to use Envoy's aggregate clusters. This changes the names of some [Envoy dynamic HTTP metrics](https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats#dynamic-http-statistics). \[[GH-14178](https://togithub.com/hashicorp/consul/issues/14178)] SECURITY: - Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints [CVE-2022-3920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3920) \[[GH-15356](https://togithub.com/hashicorp/consul/issues/15356)] FEATURES: - DNS-proxy support via gRPC request. \[[GH-14811](https://togithub.com/hashicorp/consul/issues/14811)] - cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. \[[GH-14933](https://togithub.com/hashicorp/consul/issues/14933)] - cli: Add `-consul-dns-port` flag to the `consul connect redirect-traffic` command to allow forwarding DNS traffic to a specific Consul DNS port. \[[GH-15050](https://togithub.com/hashicorp/consul/issues/15050)] - connect: Add Envoy connection balancing configuration fields. \[[GH-14616](https://togithub.com/hashicorp/consul/issues/14616)] - grpc: Added metrics for external gRPC server. Added `server_type=internal|external` label to gRPC metrics. \[[GH-14922](https://togithub.com/hashicorp/consul/issues/14922)] - http: Add new `get-or-empty` operation to the txn api. Refer to the [API docs](https://www.consul.io/api-docs/txn#kv-operations) for more information. \[[GH-14474](https://togithub.com/hashicorp/consul/issues/14474)] - peering: Add mesh gateway local mode support for cluster peering. \[[GH-14817](https://togithub.com/hashicorp/consul/issues/14817)] - peering: Add support for stale queries for trust bundle lookups \[[GH-14724](https://togithub.com/hashicorp/consul/issues/14724)] - peering: Add support to failover to services running on cluster peers. \[[GH-14396](https://togithub.com/hashicorp/consul/issues/14396)] - peering: Add support to redirect to services running on cluster peers with service resolvers. \[[GH-14445](https://togithub.com/hashicorp/consul/issues/14445)] - peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. \[[GH-14797](https://togithub.com/hashicorp/consul/issues/14797)] - peering: add support for routine peering control-plane traffic through mesh gateways \[[GH-14981](https://togithub.com/hashicorp/consul/issues/14981)] - sdk: Configure `iptables` to forward DNS traffic to a specific DNS port. \[[GH-15050](https://togithub.com/hashicorp/consul/issues/15050)] - telemetry: emit memberlist size metrics and broadcast queue depth metric. \[[GH-14873](https://togithub.com/hashicorp/consul/issues/14873)] - ui: Added support for central config merging \[[GH-14604](https://togithub.com/hashicorp/consul/issues/14604)] - ui: Create peerings detail page \[[GH-14947](https://togithub.com/hashicorp/consul/issues/14947)] - ui: Detect a TokenSecretID cookie and passthrough to localStorage \[[GH-14495](https://togithub.com/hashicorp/consul/issues/14495)] - ui: Display notice banner on nodes index page if synthetic nodes are being filtered. \[[GH-14971](https://togithub.com/hashicorp/consul/issues/14971)] - ui: Filter agentless (synthetic) nodes from the nodes list page. \[[GH-14970](https://togithub.com/hashicorp/consul/issues/14970)] - ui: Filter out node health checks on agentless service instances \[[GH-14986](https://togithub.com/hashicorp/consul/issues/14986)] - ui: Remove node meta on service instances when using agentless and consolidate external-source labels on service instances page if they all match. \[[GH-14921](https://togithub.com/hashicorp/consul/issues/14921)] - ui: Removed reference to node name on service instance page when using agentless \[[GH-14903](https://togithub.com/hashicorp/consul/issues/14903)] - ui: Use withCredentials for all HTTP API requests \[[GH-14343](https://togithub.com/hashicorp/consul/issues/14343)] - xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers \[[GH-14397](https://togithub.com/hashicorp/consul/issues/14397)] IMPROVEMENTS: - peering: Add peering datacenter and partition to initial handshake. \[[GH-14889](https://togithub.com/hashicorp/consul/issues/14889)] - xds: Added a rate limiter to the delivery of proxy config updates, to prevent updates to "global" resources such as wildcard intentions from overwhelming servers (see: `xds.update_max_per_second` config field) \[[GH-14960](https://togithub.com/hashicorp/consul/issues/14960)] - xds: Removed a bottleneck in Envoy config generation, enabling a higher number of dataplanes per server \[[GH-14934](https://togithub.com/hashicorp/consul/issues/14934)] - agent/hcp: add initial HashiCorp Cloud Platform integration \[[GH-14723](https://togithub.com/hashicorp/consul/issues/14723)] - agent: Added configuration option cloud.scada_address. \[[GH-14936](https://togithub.com/hashicorp/consul/issues/14936)] - api: Add filtering support to Catalog's List Services (v1/catalog/services) \[[GH-11742](https://togithub.com/hashicorp/consul/issues/11742)] - api: Increase max number of operations inside a transaction for requests to /v1/txn (128) \[[GH-14599](https://togithub.com/hashicorp/consul/issues/14599)] - auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. \[[GH-15370](https://togithub.com/hashicorp/consul/issues/15370)] - config-entry: Validate that service-resolver `Failover`s and `Redirect`s only specify `Partition` and `Namespace` on Consul Enterprise. This prevents scenarios where OSS Consul would save service-resolvers that require Consul Enterprise. \[[GH-14162](https://togithub.com/hashicorp/consul/issues/14162)] - connect: Add Envoy 1.24.0 to support matrix \[[GH-15093](https://togithub.com/hashicorp/consul/issues/15093)] - connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 \[[GH-14831](https://togithub.com/hashicorp/consul/issues/14831)] - connect: service-router destinations have gained a `RetryOn` field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists. \[[GH-12890](https://togithub.com/hashicorp/consul/issues/12890)] - dns/peering: **(Enterprise Only)** Support addresses in the formats `<servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul` and `<servicename>.virtual.<partition>.ap.<peername>.peer.consul`. This longer form address that allows specifying `.peer` would need to be used for tproxy DNS requests made within non-default partitions for imported services. - dns: **(Enterprise Only)** All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: `[<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>`. \[[GH-14679](https://togithub.com/hashicorp/consul/issues/14679)] - integ test: fix flakiness due to test condition from retry app endoint \[[GH-15233](https://togithub.com/hashicorp/consul/issues/15233)] - metrics: Service RPC calls less than 1ms are now emitted as a decimal number. \[[GH-12905](https://togithub.com/hashicorp/consul/issues/12905)] - peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters. \[[GH-14556](https://togithub.com/hashicorp/consul/issues/14556)] - peering: require TLS for peering connections using server cert signed by Connect CA \[[GH-14796](https://togithub.com/hashicorp/consul/issues/14796)] - peering: return information about the health of the peering when the leader is queried to read a peering. \[[GH-14747](https://togithub.com/hashicorp/consul/issues/14747)] - raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Fix a race condition where the snapshot file is closed without being opened \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - telemetry: Added a `consul.xds.server.streamStart` metric to measure time taken to first generate xDS resources for an xDS stream. \[[GH-14957](https://togithub.com/hashicorp/consul/issues/14957)] - ui: Improve guidance around topology visualisation \[[GH-14527](https://togithub.com/hashicorp/consul/issues/14527)] - xds: Set `max_ejection_percent` on Envoy's outlier detection to 100% for peered services. \[[GH-14373](https://togithub.com/hashicorp/consul/issues/14373)] BUG FIXES: - checks: Do not set interval as timeout value \[[GH-14619](https://togithub.com/hashicorp/consul/issues/14619)] - checks: If set, use proxy address for automatically added sidecar check instead of service address. \[[GH-14433](https://togithub.com/hashicorp/consul/issues/14433)] - cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together \[[GH-13493](https://togithub.com/hashicorp/consul/issues/13493)] - connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. \[[GH-15186](https://togithub.com/hashicorp/consul/issues/15186)] - connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. \[[GH-15083](https://togithub.com/hashicorp/consul/issues/15083)] - connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. \[[GH-15320](https://togithub.com/hashicorp/consul/issues/15320)] - debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters \[[GH-15155](https://togithub.com/hashicorp/consul/issues/15155)] - deps: update go-memdb, fixing goroutine leak \[[GH-15010](https://togithub.com/hashicorp/consul/issues/15010)] \[[GH-15068](https://togithub.com/hashicorp/consul/issues/15068)] - grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response. \[[GH-14869](https://togithub.com/hashicorp/consul/issues/14869)] - metrics: Add duplicate metrics that have only a single "consul\_" prefix for all existing metrics with double ("consul_consul\_") prefix, with the intent to standardize on single prefixes. \[[GH-14475](https://togithub.com/hashicorp/consul/issues/14475)] - namespace: **(Enterprise Only)** Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter - peering: Fix a bug that resulted in /v1/agent/metrics returning an error. \[[GH-15178](https://togithub.com/hashicorp/consul/issues/15178)] - peering: fix nil pointer in calling handleUpdateService \[[GH-15160](https://togithub.com/hashicorp/consul/issues/15160)] - peering: fix the error of wan address isn't taken by the peering token. \[[GH-15065](https://togithub.com/hashicorp/consul/issues/15065)] - peering: when wan address is set, peering stream should use the wan address. \[[GH-15108](https://togithub.com/hashicorp/consul/issues/15108)] - proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. \[[GH-15272](https://togithub.com/hashicorp/consul/issues/15272)] - server: fix goroutine/memory leaks in the xDS subsystem (these were present regardless of whether or not xDS was in-use) \[[GH-14916](https://togithub.com/hashicorp/consul/issues/14916)] - server: fixes the error trying to source proxy configuration for http checks, in case of proxies using consul-dataplane. \[[GH-14924](https://togithub.com/hashicorp/consul/issues/14924)] - xds: Central service configuration (proxy-defaults and service-defaults) is now correctly applied to Consul Dataplane proxies \[[GH-14962](https://togithub.com/hashicorp/consul/issues/14962)] NOTES: - deps: Upgrade to use Go 1.19.2 \[[GH-15090](https://togithub.com/hashicorp/consul/issues/15090)] ### [`v1.13.9`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.9) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.8...v1.13.9) #### 1.13.9 (June 26, 2023) BREAKING CHANGES: - connect: Disable peering by default in connect proxies for Consul 1.13. This change was made to prevent inefficient polling queries from having a negative impact on server performance. Peering in Consul 1.13 is an experimental feature and is not recommended for use in production environments. If you still wish to use the experimental peering feature, ensure [`peering.enabled = true`](https://developer.hashicorp.com/consul/docs/v1.13.x/agent/config/config-files#peering_enabled) is set on all clients and servers. \[[GH-17731](https://togithub.com/hashicorp/consul/issues/17731)] SECURITY: - Update to UBI base image to 9.2. \[[GH-17513](https://togithub.com/hashicorp/consul/issues/17513)] FEATURES: - server: **(Enterprise Only)** allow automatic license utilization reporting. \[[GH-5102](https://togithub.com/hashicorp/consul/issues/5102)] IMPROVEMENTS: - debug: change default setting of consul debug command. now default duration is 5ms and default log level is 'TRACE' \[[GH-17596](https://togithub.com/hashicorp/consul/issues/17596)] - systemd: set service type to notify. \[[GH-16845](https://togithub.com/hashicorp/consul/issues/16845)] BUG FIXES: - cache: fix a few minor goroutine leaks in leaf certs and the agent cache \[[GH-17636](https://togithub.com/hashicorp/consul/issues/17636)] - namespaces: **(Enterprise only)** fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions. Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints. - namespaces: adjusts the return type from HTTP list API to return the `api` module representation of a namespace. This fixes an error with the `consul namespace list` command when a namespace has a deferred deletion timestamp. - peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. \[[GH-17483](https://togithub.com/hashicorp/consul/issues/17483)] ### [`v1.13.8`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.8) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.7...v1.13.8) #### 1.13.8 (May 16, 2023) SECURITY: - Upgrade to use Go 1.20.1. This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`. \[[GH-16263](https://togithub.com/hashicorp/consul/issues/16263)] - Upgrade to use Go 1.20.4. This resolves vulnerabilities [CVE-2023-24537](https://togithub.com/advisories/GHSA-9f7g-gqwh-jpf5)(`go/scanner`), [CVE-2023-24538](https://togithub.com/advisories/GHSA-v4m2-x4rp-hv22)(`html/template`), [CVE-2023-24534](https://togithub.com/advisories/GHSA-8v5j-pwr7-w5f8)(`net/textproto`) and [CVE-2023-24536](https://togithub.com/advisories/GHSA-9f7g-gqwh-jpf5)(`mime/multipart`). Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs [CVE-2022-41721](https://togithub.com/advisories/GHSA-fxg5-wq6x-vr4w), [CVE-2022-27664](https://togithub.com/advisories/GHSA-69cg-p879-7622) and [CVE-2022-41723](https://togithub.com/advisories/GHSA-vvpx-j8f3-3w6h.) \[[GH-17240](https://togithub.com/hashicorp/consul/issues/17240)] IMPROVEMENTS: - api: updated the go module directive to 1.18. \[[GH-15297](https://togithub.com/hashicorp/consul/issues/15297)] - connect: update supported envoy versions to 1.20.7, 1.21.6, 1.22.11, 1.23.8 \[[GH-16891](https://togithub.com/hashicorp/consul/issues/16891)] - sdk: updated the go module directive to 1.18. \[[GH-15297](https://togithub.com/hashicorp/consul/issues/15297)] BUG FIXES: - Fix an bug where decoding some Config structs with unset pointer fields could fail with `reflect: call of reflect.Value.Type on zero Value`. \[[GH-17048](https://togithub.com/hashicorp/consul/issues/17048)] - audit-logging: (Enterprise only) Fix a bug where `/agent/monitor` and `/agent/metrics` endpoints return a `Streaming not supported` error when audit logs are enabled. This also fixes the delay receiving logs when running `consul monitor` against an agent with audit logs enabled. \[[GH-16700](https://togithub.com/hashicorp/consul/issues/16700)] - ca: Fixes a bug where updating Vault CA Provider config would cause TLS issues in the service mesh \[[GH-16592](https://togithub.com/hashicorp/consul/issues/16592)] - connect: Fix multiple inefficient behaviors when querying service health. \[[GH-17241](https://togithub.com/hashicorp/consul/issues/17241)] - grpc: ensure grpc resolver correctly uses lan/wan addresses on servers \[[GH-17270](https://togithub.com/hashicorp/consul/issues/17270)] - peering: Fixes a bug that can lead to peering service deletes impacting the state of local services \[[GH-16570](https://togithub.com/hashicorp/consul/issues/16570)] - xds: Fix possible panic that can when generating clusters before the root certificates have been fetched. \[[GH-17185](https://togithub.com/hashicorp/consul/issues/17185)] ### [`v1.13.7`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.7) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.6...v1.13.7) #### 1.13.7 (March 7, 2023) SECURITY: - Upgrade to use Go 1.19.6. This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`. \[[GH-16299](https://togithub.com/hashicorp/consul/issues/16299)] IMPROVEMENTS: - xds: Removed a bottleneck in Envoy config generation. \[[GH-16269](https://togithub.com/hashicorp/consul/issues/16269)] - container: Upgrade container image to use to Alpine 3.17. \[[GH-16358](https://togithub.com/hashicorp/consul/issues/16358)] - mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable \[[GH-16495](https://togithub.com/hashicorp/consul/issues/16495)] BUG FIXES: - mesh: Fix resolution of service resolvers with subsets for external upstreams \[[GH-16499](https://togithub.com/hashicorp/consul/issues/16499)] - proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services \[[GH-16498](https://togithub.com/hashicorp/consul/issues/16498)] ### [`v1.13.6`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.6) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.5...v1.13.6) #### 1.13.6 (January 26, 2023) FEATURES: - connect: add flags `envoy-ready-bind-port` and `envoy-ready-bind-address` to the `consul connect envoy` command that allows configuration of readiness probe on proxy for any service kind. \[[GH-16015](https://togithub.com/hashicorp/consul/issues/16015)] - deps: update to latest go-discover to provide ECS auto-discover capabilities. \[[GH-13782](https://togithub.com/hashicorp/consul/issues/13782)] IMPROVEMENTS: - grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. \[[GH-15701](https://togithub.com/hashicorp/consul/issues/15701)] - partition: **(Consul Enterprise only)** when loading service from on-disk config file or sending API request to agent endpoint, if the partition is unspecified, consul will default the partition in the request to agent's partition \[[GH-16024](https://togithub.com/hashicorp/consul/issues/16024)] BUG FIXES: - agent: Fix assignment of error when auto-reloading cert and key file changes. \[[GH-15769](https://togithub.com/hashicorp/consul/issues/15769)] ### [`v1.13.5`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.5) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.4...v1.13.5) #### 1.13.5 (December 13, 2022) SECURITY: - Upgrade to use Go 1.18.9. This resolves a vulnerability where restricted files can be read on Windows. [CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720) \[[GH-15706](https://togithub.com/hashicorp/consul/issues/15706)] - Upgrades `golang.org/x/net` to prevent a denial of service by excessive memory usage caused by HTTP2 requests. [CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717) \[[GH-15743](https://togithub.com/hashicorp/consul/issues/15743)] IMPROVEMENTS: - connect: ensure all vault connect CA tests use limited privilege tokens \[[GH-15669](https://togithub.com/hashicorp/consul/issues/15669)] BUG FIXES: - agent: **(Enterprise Only)** Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions. - cli: **(Enterprise Only)** Fix issue where `consul partition update` subcommand was not registered and therefore not available through the cli. - connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs \[[GH-15661](https://togithub.com/hashicorp/consul/issues/15661)] ### [`v1.13.4`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.4) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.3...v1.13.4) #### 1.13.4 (November 30, 2022) IMPROVEMENTS: - auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. \[[GH-15370](https://togithub.com/hashicorp/consul/issues/15370)] - raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Fix a race condition where the snapshot file is closed without being opened \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] BUG FIXES: - agent: Fixed issue where blocking queries with short waits could timeout on the client \[[GH-15541](https://togithub.com/hashicorp/consul/issues/15541)] - ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty \[[GH-15525](https://togithub.com/hashicorp/consul/issues/15525)] - connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs \[[GH-15217](https://togithub.com/hashicorp/consul/issues/15217)] \[[GH-15253](https://togithub.com/hashicorp/consul/issues/15253)] - connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. \[[GH-15083](https://togithub.com/hashicorp/consul/issues/15083)] - connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. \[[GH-15320](https://togithub.com/hashicorp/consul/issues/15320)] - debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters \[[GH-15155](https://togithub.com/hashicorp/consul/issues/15155)] - deps: update go-memdb, fixing goroutine leak \[[GH-15010](https://togithub.com/hashicorp/consul/issues/15010)] \[[GH-15068](https://togithub.com/hashicorp/consul/issues/15068)] - namespace: **(Enterprise Only)** Fix a bug that caused blocking queries during namespace replication to timeout - namespace: **(Enterprise Only)** Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter - peering: better represent non-passing states during peer check flattening \[[GH-15615](https://togithub.com/hashicorp/consul/issues/15615)] - peering: fix the error of wan address isn't taken by the peering token. \[[GH-15065](https://togithub.com/hashicorp/consul/issues/15065)] - peering: when wan address is set, peering stream should use the wan address. \[[GH-15108](https://togithub.com/hashicorp/consul/issues/15108)] ### [`v1.13.3`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.3) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.2...v1.13.3) #### 1.13.3 (October 19, 2022) FEATURES: - agent: Added a new config option `rpc_client_timeout` to tune timeouts for client RPC requests \[[GH-14965](https://togithub.com/hashicorp/consul/issues/14965)] - config-entry(ingress-gateway): Added support for `max_connections` for upstream clusters \[[GH-14749](https://togithub.com/hashicorp/consul/issues/14749)] IMPROVEMENTS: - connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider. \[[GH-15035](https://togithub.com/hashicorp/consul/issues/15035)] - connect: Added gateway options to Envoy proxy config for enabling tcp keepalives on terminating gateway upstreams and mesh gateways in remote datacenters. \[[GH-14800](https://togithub.com/hashicorp/consul/issues/14800)] - connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 \[[GH-14828](https://togithub.com/hashicorp/consul/issues/14828)] - licensing: **(Enterprise Only)** Consul Enterprise production licenses do not degrade or terminate Consul upon expiration. They will only fail when trying to upgrade to a newer version of Consul. Evaluation licenses still terminate. \[[GH-1990](https://togithub.com/hashicorp/consul/issues/1990)] BUG FIXES: - agent: avoid leaking the alias check runner goroutine when the check is de-registered \[[GH-14935](https://togithub.com/hashicorp/consul/issues/14935)] - ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one \[[GH-15005](https://togithub.com/hashicorp/consul/issues/15005)] - cache: prevent goroutine leak in agent cache \[[GH-14908](https://togithub.com/hashicorp/consul/issues/14908)] - checks: Fixed a bug that prevented registration of UDP health checks from agent configuration files, such as service definition files with embedded health check definitions. \[[GH-14885](https://togithub.com/hashicorp/consul/issues/14885)] - connect: Fixed a bug where transparent proxy does not correctly spawn listeners for upstreams to service-resolvers. \[[GH-14751](https://togithub.com/hashicorp/consul/issues/14751)] - snapshot-agent: **(Enterprise only)** Fix a bug when a session is not found in Consul, which leads the agent to panic. ### [`v1.13.2`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.2) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.1...v1.13.2) #### 1.13.2 (September 20, 2022) SECURITY: - auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. \[[GH-14577](https://togithub.com/hashicorp/consul/issues/14577)] - connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint now only allows for exactly one SAN URI to be specified. \[[GH-14579](https://togithub.com/hashicorp/consul/issues/14579)] FEATURES: - cli: Adds new subcommands for `peering` workflows. Refer to the [CLI docs](https://www.consul.io/commands/peering) for more information. \[[GH-14423](https://togithub.com/hashicorp/consul/issues/14423)] - connect: Server address changes are streamed to peers \[[GH-14285](https://togithub.com/hashicorp/consul/issues/14285)] - service-defaults: Added support for `local_request_timeout_ms` and `local_connect_timeout_ms` in servicedefaults config entry \[[GH-14395](https://togithub.com/hashicorp/consul/issues/14395)] IMPROVEMENTS: - connect: Bump latest Envoy to 1.23.1 in test matrix \[[GH-14573](https://togithub.com/hashicorp/consul/issues/14573)] - connect: expose new tracing configuration on envoy \[[GH-13998](https://togithub.com/hashicorp/consul/issues/13998)] - envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. \[[GH-14238](https://togithub.com/hashicorp/consul/issues/14238)] - metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics \[[GH-14161](https://togithub.com/hashicorp/consul/issues/14161)] - peering: Validate peering tokens for server name conflicts \[[GH-14563](https://togithub.com/hashicorp/consul/issues/14563)] - snapshot agent: **(Enterprise only)** Add support for path-based addressing when using s3 backend. - ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ \[[GH-14521](https://togithub.com/hashicorp/consul/issues/14521)] BUG FIXES: - agent: Fixes an issue where an agent that fails to start due to bad addresses won't clean up any existing liste </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xOS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
rhnasc
referenced
this pull request
in inloco/loki
Apr 12, 2024
grafana#10830) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) | replace | minor | `v1.5.1` -> `v1.14.5` | --- ### Denial of Service (DoS) in HashiCorp Consul [CVE-2020-7219](https://nvd.nist.gov/vuln/detail/CVE-2020-7219) / [GHSA-23jv-v6qj-3fhh](https://togithub.com/advisories/GHSA-23jv-v6qj-3fhh) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. ##### Specific Go Packages Affected github.com/hashicorp/consul/agent/consul #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-7219](https://nvd.nist.gov/vuln/detail/CVE-2020-7219) - [https://github.com/hashicorp/consul/issues/7159](https://togithub.com/hashicorp/consul/issues/7159) - [https://www.hashicorp.com/blog/category/consul/](https://www.hashicorp.com/blog/category/consul/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-23jv-v6qj-3fhh) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Incorrect Authorization in HashiCorp Consul [CVE-2020-7955](https://nvd.nist.gov/vuln/detail/CVE-2020-7955) / [GHSA-r9w6-rhh9-7v53](https://togithub.com/advisories/GHSA-r9w6-rhh9-7v53) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-7955](https://nvd.nist.gov/vuln/detail/CVE-2020-7955) - [https://github.com/hashicorp/consul/issues/7160](https://togithub.com/hashicorp/consul/issues/7160) - [https://www.hashicorp.com/blog/category/consul/](https://www.hashicorp.com/blog/category/consul/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-r9w6-rhh9-7v53) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Allocation of Resources Without Limits or Throttling in Hashicorp Consul [CVE-2020-13250](https://nvd.nist.gov/vuln/detail/CVE-2020-13250) / [GHSA-rqjq-mrgx-85hp](https://togithub.com/advisories/GHSA-rqjq-mrgx-85hp) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. ##### Specific Go Packages Affected github.com/hashicorp/consul/agent/config ##### Fix The vulnerability is fixed in versions 1.6.6 and 1.7.4. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-13250](https://nvd.nist.gov/vuln/detail/CVE-2020-13250) - [https://github.com/hashicorp/consul/pull/8023](https://togithub.com/hashicorp/consul/pull/8023) - [https://github.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef46941432](https://togithub.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef46941432) - [https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md](https://togithub.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md) - [https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md](https://togithub.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-rqjq-mrgx-85hp) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul Cross-site Scripting vulnerability [CVE-2020-25864](https://nvd.nist.gov/vuln/detail/CVE-2020-25864) / [GHSA-8xmx-h8rq-h94j](https://togithub.com/advisories/GHSA-8xmx-h8rq-h94j) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. #### Severity - CVSS Score: 6.1 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-25864](https://nvd.nist.gov/vuln/detail/CVE-2020-25864) - [https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368](https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8xmx-h8rq-h94j) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul Privilege Escalation Vulnerability [CVE-2021-37219](https://nvd.nist.gov/vuln/detail/CVE-2021-37219) / [GHSA-ccw8-7688-vqx4](https://togithub.com/advisories/GHSA-ccw8-7688-vqx4) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. #### Severity - CVSS Score: 8.8 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-37219](https://nvd.nist.gov/vuln/detail/CVE-2021-37219) - [https://github.com/hashicorp/consul/pull/10925](https://togithub.com/hashicorp/consul/pull/10925) - [https://github.com/hashicorp/consul/commit/3357e57dac9aadabd476f7a14973e47f003c4cf0](https://togithub.com/hashicorp/consul/commit/3357e57dac9aadabd476f7a14973e47f003c4cf0) - [https://github.com/hashicorp/consul/commit/473edd1764b6739e2e4610ea5dede4c2bc6009d1](https://togithub.com/hashicorp/consul/commit/473edd1764b6739e2e4610ea5dede4c2bc6009d1) - [https://github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103](https://togithub.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103) - [https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024](https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-ccw8-7688-vqx4) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. [CVE-2021-38698](https://nvd.nist.gov/vuln/detail/CVE-2021-38698) / [GHSA-6hw5-6gcx-phmw](https://togithub.com/advisories/GHSA-6hw5-6gcx-phmw) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. #### Severity - CVSS Score: 6.5 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-38698](https://nvd.nist.gov/vuln/detail/CVE-2021-38698) - [https://github.com/hashicorp/consul/pull/10824](https://togithub.com/hashicorp/consul/pull/10824) - [https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026](https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6hw5-6gcx-phmw) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector [CVE-2022-29153](https://nvd.nist.gov/vuln/detail/CVE-2022-29153) / [GHSA-q6h7-4qgw-2j9p](https://togithub.com/advisories/GHSA-q6h7-4qgw-2j9p) <details> <summary>More information</summary> #### Details A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-29153](https://nvd.nist.gov/vuln/detail/CVE-2022-29153) - [https://discuss.hashicorp.com](https://discuss.hashicorp.com) - [https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/](https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/) - [https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393](https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/) - [https://lists.fedoraproject.org/archives/list/[email protected]/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/](https://lists.fedoraproject.org/archives/list/[email protected]/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://security.netapp.com/advisory/ntap-20220602-0005/](https://security.netapp.com/advisory/ntap-20220602-0005/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-q6h7-4qgw-2j9p) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hashicorp Consul Missing SSL Certificate Validation [CVE-2021-32574](https://nvd.nist.gov/vuln/detail/CVE-2021-32574) / [GHSA-25gf-8qrr-g78r](https://togithub.com/advisories/GHSA-25gf-8qrr-g78r) <details> <summary>More information</summary> #### Details HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-32574](https://nvd.nist.gov/vuln/detail/CVE-2021-32574) - [https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856](https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856) - [https://github.com/hashicorp/consul/releases/tag/v1.10.1](https://togithub.com/hashicorp/consul/releases/tag/v1.10.1) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-25gf-8qrr-g78r) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul L7 deny intention results in an allow action [CVE-2021-36213](https://nvd.nist.gov/vuln/detail/CVE-2021-36213) / [GHSA-8h2g-r292-j8xh](https://togithub.com/advisories/GHSA-8h2g-r292-j8xh) <details> <summary>More information</summary> #### Details In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-36213](https://nvd.nist.gov/vuln/detail/CVE-2021-36213) - [https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855](https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855) - [https://github.com/hashicorp/consul/](https://togithub.com/hashicorp/consul/) - [https://github.com/hashicorp/consul/releases/tag/v1.10.1](https://togithub.com/hashicorp/consul/releases/tag/v1.10.1) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8h2g-r292-j8xh) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul vulnerable to authorization bypass [CVE-2022-40716](https://nvd.nist.gov/vuln/detail/CVE-2022-40716) / [GHSA-m69r-9g56-7mv8](https://togithub.com/advisories/GHSA-m69r-9g56-7mv8) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This issue has been fixed in versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds. #### Severity - CVSS Score: 6.5 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-40716](https://nvd.nist.gov/vuln/detail/CVE-2022-40716) - [https://github.com/hashicorp/consul/pull/14579](https://togithub.com/hashicorp/consul/pull/14579) - [https://github.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b](https://togithub.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b) - [https://discuss.hashicorp.com](https://discuss.hashicorp.com) - [https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628](https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/](https://lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/) - [https://lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/](https://lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m69r-9g56-7mv8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hashicorp Consul vulnerable to denial of service [CVE-2023-1297](https://nvd.nist.gov/vuln/detail/CVE-2023-1297) / [GHSA-c57c-7hrj-6q6v](https://togithub.com/advisories/GHSA-c57c-7hrj-6q6v) <details> <summary>More information</summary> #### Details Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3 #### Severity - CVSS Score: 4.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2023-1297](https://nvd.nist.gov/vuln/detail/CVE-2023-1297) - [https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515](https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-c57c-7hrj-6q6v) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>hashicorp/consul (github.com/hashicorp/consul)</summary> ### [`v1.14.5`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.5) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.4...v1.14.5) #### 1.14.5 (March 7, 2023) SECURITY: - Upgrade to use Go 1.20.1. This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`. \[[GH-16263](https://togithub.com/hashicorp/consul/issues/16263)] IMPROVEMENTS: - container: Upgrade container image to use to Alpine 3.17. \[[GH-16358](https://togithub.com/hashicorp/consul/issues/16358)] - mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable \[[GH-16495](https://togithub.com/hashicorp/consul/issues/16495)] BUG FIXES: - mesh: Fix resolution of service resolvers with subsets for external upstreams \[[GH-16499](https://togithub.com/hashicorp/consul/issues/16499)] - peering: Fix bug where services were incorrectly imported as connect-enabled. \[[GH-16339](https://togithub.com/hashicorp/consul/issues/16339)] - peering: Fix issue where mesh gateways would use the wrong address when contacting a remote peer with the same datacenter name. \[[GH-16257](https://togithub.com/hashicorp/consul/issues/16257)] - peering: Fix issue where secondary wan-federated datacenters could not be used as peering acceptors. \[[GH-16230](https://togithub.com/hashicorp/consul/issues/16230)] - proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services \[[GH-16498](https://togithub.com/hashicorp/consul/issues/16498)] ### [`v1.14.4`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.4) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.3...v1.14.4) #### 1.14.4 (January 26, 2023) BREAKING CHANGES: - connect: Fix configuration merging for transparent proxy upstreams. Proxy-defaults and service-defaults config entries were not correctly merged for implicit upstreams in transparent proxy mode and would result in some configuration not being applied. To avoid issues when upgrading, ensure that any proxy-defaults or service-defaults have correct configuration for upstreams, since all fields will now be properly used to configure proxies. \[[GH-16000](https://togithub.com/hashicorp/consul/issues/16000)] - peering: Newly created peering connections must use only lowercase characters in the `name` field. Existing peerings with uppercase characters will not be modified, but they may encounter issues in various circumstances. To maintain forward compatibility and avoid issues, it is recommended to destroy and re-create any invalid peering connections so that they do not have a name containing uppercase characters. \[[GH-15697](https://togithub.com/hashicorp/consul/issues/15697)] FEATURES: - connect: add flags `envoy-ready-bind-port` and `envoy-ready-bind-address` to the `consul connect envoy` command that allows configuration of readiness probe on proxy for any service kind. \[[GH-16015](https://togithub.com/hashicorp/consul/issues/16015)] - deps: update to latest go-discover to provide ECS auto-discover capabilities. \[[GH-13782](https://togithub.com/hashicorp/consul/issues/13782)] IMPROVEMENTS: - acl: relax permissions on the `WatchServers`, `WatchRoots` and `GetSupportedDataplaneFeatures` gRPC endpoints to accept *any* valid ACL token \[[GH-15346](https://togithub.com/hashicorp/consul/issues/15346)] - connect: Add support for ConsulResolver to specifies a filter expression \[[GH-15659](https://togithub.com/hashicorp/consul/issues/15659)] - grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. \[[GH-15701](https://togithub.com/hashicorp/consul/issues/15701)] - partition: **(Consul Enterprise only)** when loading service from on-disk config file or sending API request to agent endpoint, if the partition is unspecified, consul will default the partition in the request to agent's partition \[[GH-16024](https://togithub.com/hashicorp/consul/issues/16024)] BUG FIXES: - agent: Fix assignment of error when auto-reloading cert and key file changes. \[[GH-15769](https://togithub.com/hashicorp/consul/issues/15769)] - agent: Fix issue where the agent cache would incorrectly mark protobuf objects as updated. \[[GH-15866](https://togithub.com/hashicorp/consul/issues/15866)] - cli: Fix issue where `consul connect envoy` was unable to configure TLS over unix-sockets to gRPC. \[[GH-15913](https://togithub.com/hashicorp/consul/issues/15913)] - connect: **(Consul Enterprise only)** Fix issue where upstream configuration from proxy-defaults and service-defaults was not properly merged. This could occur when a mixture of empty-strings and "default" were used for the namespace or partition fields. - connect: Fix issue where service-resolver protocol checks incorrectly errored for failover peer targets. \[[GH-15833](https://togithub.com/hashicorp/consul/issues/15833)] - connect: Fix issue where watches on upstream failover peer targets did not always query the correct data. \[[GH-15865](https://togithub.com/hashicorp/consul/issues/15865)] - xds: fix bug where sessions for locally-managed services could fail with "this server has too many xDS streams open" \[[GH-15789](https://togithub.com/hashicorp/consul/issues/15789)] ### [`v1.14.3`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.3) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.2...v1.14.3) #### 1.14.3 (December 13, 2022) SECURITY: - Upgrade to use Go 1.19.4. This resolves a vulnerability where restricted files can be read on Windows. [CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720) \[[GH-15705](https://togithub.com/hashicorp/consul/issues/15705)] - Upgrades `golang.org/x/net` to prevent a denial of service by excessive memory usage caused by HTTP2 requests. [CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717) \[[GH-15737](https://togithub.com/hashicorp/consul/issues/15737)] FEATURES: - ui: Add field for fallback server addresses to peer token generation form \[[GH-15555](https://togithub.com/hashicorp/consul/issues/15555)] IMPROVEMENTS: - connect: ensure all vault connect CA tests use limited privilege tokens \[[GH-15669](https://togithub.com/hashicorp/consul/issues/15669)] BUG FIXES: - agent: **(Enterprise Only)** Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions. - connect: Fix issue where DialedDirectly configuration was not used by Consul Dataplane. \[[GH-15760](https://togithub.com/hashicorp/consul/issues/15760)] - connect: Fix peering failovers ignoring local mesh gateway configuration. \[[GH-15690](https://togithub.com/hashicorp/consul/issues/15690)] - connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs \[[GH-15661](https://togithub.com/hashicorp/consul/issues/15661)] ### [`v1.14.2`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.2) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.1...v1.14.2) #### 1.14.2 (November 30, 2022) FEATURES: - connect: Add local_idle_timeout_ms to allow configuring the Envoy route idle timeout on local_app connect: Add IdleTimeout to service-router to allow configuring the Envoy route idle timeout \[[GH-14340](https://togithub.com/hashicorp/consul/issues/14340)] - snapshot: **(Enterprise Only)** Add support for the snapshot agent to use an IAM role for authentication/authorization when managing snapshots in S3. IMPROVEMENTS: - dns: Add support for cluster peering `.service` and `.node` DNS queries. \[[GH-15596](https://togithub.com/hashicorp/consul/issues/15596)] BUG FIXES: - acl: avoid debug log spam in secondary datacenter servers due to management token not being initialized. \[[GH-15610](https://togithub.com/hashicorp/consul/issues/15610)] - agent: Fixed issue where blocking queries with short waits could timeout on the client \[[GH-15541](https://togithub.com/hashicorp/consul/issues/15541)] - ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty \[[GH-15525](https://togithub.com/hashicorp/consul/issues/15525)] - cli: **(Enterprise Only)** Fix issue where `consul partition update` subcommand was not registered and therefore not available through the cli. - connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs \[[GH-15217](https://togithub.com/hashicorp/consul/issues/15217)] \[[GH-15253](https://togithub.com/hashicorp/consul/issues/15253)] - namespace: **(Enterprise Only)** Fix a bug that caused blocking queries during namespace replication to timeout - peering: better represent non-passing states during peer check flattening \[[GH-15615](https://togithub.com/hashicorp/consul/issues/15615)] - peering: fix the limit of replication gRPC message; set to 8MB \[[GH-15503](https://togithub.com/hashicorp/consul/issues/15503)] ### [`v1.14.1`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.1) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.0...v1.14.1) #### 1.14.1 (November 21, 2022) BUG FIXES: - cli: Fix issue where `consul connect envoy` incorrectly uses the HTTPS API configuration for xDS connections. \[[GH-15466](https://togithub.com/hashicorp/consul/issues/15466)] - sdk: Fix SDK testutil backwards compatibility by only configuring grpc_tls port for new Consul versions. \[[GH-15423](https://togithub.com/hashicorp/consul/issues/15423)] ### [`v1.14.0`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.0) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.9...v1.14.0) #### 1.14.0 (November 15, 2022) BREAKING CHANGES: - config: Add new `ports.grpc_tls` configuration option. Introduce a new port to better separate TLS config from the existing `ports.grpc` config. The new `ports.grpc_tls` only supports TLS encrypted communication. The existing `ports.grpc` now only supports plain-text communication. \[[GH-15339](https://togithub.com/hashicorp/consul/issues/15339)] - config: update 1.14 config defaults: Enable `peering` and `connect` by default. \[[GH-15302](https://togithub.com/hashicorp/consul/issues/15302)] - config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 \[[GH-15302](https://togithub.com/hashicorp/consul/issues/15302)] - connect: Removes support for Envoy 1.20 \[[GH-15093](https://togithub.com/hashicorp/consul/issues/15093)] - peering: Rename `PeerName` to `Peer` on prepared queries and exported services. \[[GH-14854](https://togithub.com/hashicorp/consul/issues/14854)] - xds: Convert service mesh failover to use Envoy's aggregate clusters. This changes the names of some [Envoy dynamic HTTP metrics](https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats#dynamic-http-statistics). \[[GH-14178](https://togithub.com/hashicorp/consul/issues/14178)] SECURITY: - Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints [CVE-2022-3920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3920) \[[GH-15356](https://togithub.com/hashicorp/consul/issues/15356)] FEATURES: - DNS-proxy support via gRPC request. \[[GH-14811](https://togithub.com/hashicorp/consul/issues/14811)] - cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. \[[GH-14933](https://togithub.com/hashicorp/consul/issues/14933)] - cli: Add `-consul-dns-port` flag to the `consul connect redirect-traffic` command to allow forwarding DNS traffic to a specific Consul DNS port. \[[GH-15050](https://togithub.com/hashicorp/consul/issues/15050)] - connect: Add Envoy connection balancing configuration fields. \[[GH-14616](https://togithub.com/hashicorp/consul/issues/14616)] - grpc: Added metrics for external gRPC server. Added `server_type=internal|external` label to gRPC metrics. \[[GH-14922](https://togithub.com/hashicorp/consul/issues/14922)] - http: Add new `get-or-empty` operation to the txn api. Refer to the [API docs](https://www.consul.io/api-docs/txn#kv-operations) for more information. \[[GH-14474](https://togithub.com/hashicorp/consul/issues/14474)] - peering: Add mesh gateway local mode support for cluster peering. \[[GH-14817](https://togithub.com/hashicorp/consul/issues/14817)] - peering: Add support for stale queries for trust bundle lookups \[[GH-14724](https://togithub.com/hashicorp/consul/issues/14724)] - peering: Add support to failover to services running on cluster peers. \[[GH-14396](https://togithub.com/hashicorp/consul/issues/14396)] - peering: Add support to redirect to services running on cluster peers with service resolvers. \[[GH-14445](https://togithub.com/hashicorp/consul/issues/14445)] - peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. \[[GH-14797](https://togithub.com/hashicorp/consul/issues/14797)] - peering: add support for routine peering control-plane traffic through mesh gateways \[[GH-14981](https://togithub.com/hashicorp/consul/issues/14981)] - sdk: Configure `iptables` to forward DNS traffic to a specific DNS port. \[[GH-15050](https://togithub.com/hashicorp/consul/issues/15050)] - telemetry: emit memberlist size metrics and broadcast queue depth metric. \[[GH-14873](https://togithub.com/hashicorp/consul/issues/14873)] - ui: Added support for central config merging \[[GH-14604](https://togithub.com/hashicorp/consul/issues/14604)] - ui: Create peerings detail page \[[GH-14947](https://togithub.com/hashicorp/consul/issues/14947)] - ui: Detect a TokenSecretID cookie and passthrough to localStorage \[[GH-14495](https://togithub.com/hashicorp/consul/issues/14495)] - ui: Display notice banner on nodes index page if synthetic nodes are being filtered. \[[GH-14971](https://togithub.com/hashicorp/consul/issues/14971)] - ui: Filter agentless (synthetic) nodes from the nodes list page. \[[GH-14970](https://togithub.com/hashicorp/consul/issues/14970)] - ui: Filter out node health checks on agentless service instances \[[GH-14986](https://togithub.com/hashicorp/consul/issues/14986)] - ui: Remove node meta on service instances when using agentless and consolidate external-source labels on service instances page if they all match. \[[GH-14921](https://togithub.com/hashicorp/consul/issues/14921)] - ui: Removed reference to node name on service instance page when using agentless \[[GH-14903](https://togithub.com/hashicorp/consul/issues/14903)] - ui: Use withCredentials for all HTTP API requests \[[GH-14343](https://togithub.com/hashicorp/consul/issues/14343)] - xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers \[[GH-14397](https://togithub.com/hashicorp/consul/issues/14397)] IMPROVEMENTS: - peering: Add peering datacenter and partition to initial handshake. \[[GH-14889](https://togithub.com/hashicorp/consul/issues/14889)] - xds: Added a rate limiter to the delivery of proxy config updates, to prevent updates to "global" resources such as wildcard intentions from overwhelming servers (see: `xds.update_max_per_second` config field) \[[GH-14960](https://togithub.com/hashicorp/consul/issues/14960)] - xds: Removed a bottleneck in Envoy config generation, enabling a higher number of dataplanes per server \[[GH-14934](https://togithub.com/hashicorp/consul/issues/14934)] - agent/hcp: add initial HashiCorp Cloud Platform integration \[[GH-14723](https://togithub.com/hashicorp/consul/issues/14723)] - agent: Added configuration option cloud.scada_address. \[[GH-14936](https://togithub.com/hashicorp/consul/issues/14936)] - api: Add filtering support to Catalog's List Services (v1/catalog/services) \[[GH-11742](https://togithub.com/hashicorp/consul/issues/11742)] - api: Increase max number of operations inside a transaction for requests to /v1/txn (128) \[[GH-14599](https://togithub.com/hashicorp/consul/issues/14599)] - auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. \[[GH-15370](https://togithub.com/hashicorp/consul/issues/15370)] - config-entry: Validate that service-resolver `Failover`s and `Redirect`s only specify `Partition` and `Namespace` on Consul Enterprise. This prevents scenarios where OSS Consul would save service-resolvers that require Consul Enterprise. \[[GH-14162](https://togithub.com/hashicorp/consul/issues/14162)] - connect: Add Envoy 1.24.0 to support matrix \[[GH-15093](https://togithub.com/hashicorp/consul/issues/15093)] - connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 \[[GH-14831](https://togithub.com/hashicorp/consul/issues/14831)] - connect: service-router destinations have gained a `RetryOn` field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists. \[[GH-12890](https://togithub.com/hashicorp/consul/issues/12890)] - dns/peering: **(Enterprise Only)** Support addresses in the formats `<servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul` and `<servicename>.virtual.<partition>.ap.<peername>.peer.consul`. This longer form address that allows specifying `.peer` would need to be used for tproxy DNS requests made within non-default partitions for imported services. - dns: **(Enterprise Only)** All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: `[<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>`. \[[GH-14679](https://togithub.com/hashicorp/consul/issues/14679)] - integ test: fix flakiness due to test condition from retry app endoint \[[GH-15233](https://togithub.com/hashicorp/consul/issues/15233)] - metrics: Service RPC calls less than 1ms are now emitted as a decimal number. \[[GH-12905](https://togithub.com/hashicorp/consul/issues/12905)] - peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters. \[[GH-14556](https://togithub.com/hashicorp/consul/issues/14556)] - peering: require TLS for peering connections using server cert signed by Connect CA \[[GH-14796](https://togithub.com/hashicorp/consul/issues/14796)] - peering: return information about the health of the peering when the leader is queried to read a peering. \[[GH-14747](https://togithub.com/hashicorp/consul/issues/14747)] - raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Fix a race condition where the snapshot file is closed without being opened \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - telemetry: Added a `consul.xds.server.streamStart` metric to measure time taken to first generate xDS resources for an xDS stream. \[[GH-14957](https://togithub.com/hashicorp/consul/issues/14957)] - ui: Improve guidance around topology visualisation \[[GH-14527](https://togithub.com/hashicorp/consul/issues/14527)] - xds: Set `max_ejection_percent` on Envoy's outlier detection to 100% for peered services. \[[GH-14373](https://togithub.com/hashicorp/consul/issues/14373)] BUG FIXES: - checks: Do not set interval as timeout value \[[GH-14619](https://togithub.com/hashicorp/consul/issues/14619)] - checks: If set, use proxy address for automatically added sidecar check instead of service address. \[[GH-14433](https://togithub.com/hashicorp/consul/issues/14433)] - cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together \[[GH-13493](https://togithub.com/hashicorp/consul/issues/13493)] - connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. \[[GH-15186](https://togithub.com/hashicorp/consul/issues/15186)] - connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. \[[GH-15083](https://togithub.com/hashicorp/consul/issues/15083)] - connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. \[[GH-15320](https://togithub.com/hashicorp/consul/issues/15320)] - debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters \[[GH-15155](https://togithub.com/hashicorp/consul/issues/15155)] - deps: update go-memdb, fixing goroutine leak \[[GH-15010](https://togithub.com/hashicorp/consul/issues/15010)] \[[GH-15068](https://togithub.com/hashicorp/consul/issues/15068)] - grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response. \[[GH-14869](https://togithub.com/hashicorp/consul/issues/14869)] - metrics: Add duplicate metrics that have only a single "consul\_" prefix for all existing metrics with double ("consul_consul\_") prefix, with the intent to standardize on single prefixes. \[[GH-14475](https://togithub.com/hashicorp/consul/issues/14475)] - namespace: **(Enterprise Only)** Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter - peering: Fix a bug that resulted in /v1/agent/metrics returning an error. \[[GH-15178](https://togithub.com/hashicorp/consul/issues/15178)] - peering: fix nil pointer in calling handleUpdateService \[[GH-15160](https://togithub.com/hashicorp/consul/issues/15160)] - peering: fix the error of wan address isn't taken by the peering token. \[[GH-15065](https://togithub.com/hashicorp/consul/issues/15065)] - peering: when wan address is set, peering stream should use the wan address. \[[GH-15108](https://togithub.com/hashicorp/consul/issues/15108)] - proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. \[[GH-15272](https://togithub.com/hashicorp/consul/issues/15272)] - server: fix goroutine/memory leaks in the xDS subsystem (these were present regardless of whether or not xDS was in-use) \[[GH-14916](https://togithub.com/hashicorp/consul/issues/14916)] - server: fixes the error trying to source proxy configuration for http checks, in case of proxies using consul-dataplane. \[[GH-14924](https://togithub.com/hashicorp/consul/issues/14924)] - xds: Central service configuration (proxy-defaults and service-defaults) is now correctly applied to Consul Dataplane proxies \[[GH-14962](https://togithub.com/hashicorp/consul/issues/14962)] NOTES: - deps: Upgrade to use Go 1.19.2 \[[GH-15090](https://togithub.com/hashicorp/consul/issues/15090)] ### [`v1.13.9`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.9) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.8...v1.13.9) #### 1.13.9 (June 26, 2023) BREAKING CHANGES: - connect: Disable peering by default in connect proxies for Consul 1.13. This change was made to prevent inefficient polling queries from having a negative impact on server performance. Peering in Consul 1.13 is an experimental feature and is not recommended for use in production environments. If you still wish to use the experimental peering feature, ensure [`peering.enabled = true`](https://developer.hashicorp.com/consul/docs/v1.13.x/agent/config/config-files#peering_enabled) is set on all clients and servers. \[[GH-17731](https://togithub.com/hashicorp/consul/issues/17731)] SECURITY: - Update to UBI base image to 9.2. \[[GH-17513](https://togithub.com/hashicorp/consul/issues/17513)] FEATURES: - server: **(Enterprise Only)** allow automatic license utilization reporting. \[[GH-5102](https://togithub.com/hashicorp/consul/issues/5102)] IMPROVEMENTS: - debug: change default setting of consul debug command. now default duration is 5ms and default log level is 'TRACE' \[[GH-17596](https://togithub.com/hashicorp/consul/issues/17596)] - systemd: set service type to notify. \[[GH-16845](https://togithub.com/hashicorp/consul/issues/16845)] BUG FIXES: - cache: fix a few minor goroutine leaks in leaf certs and the agent cache \[[GH-17636](https://togithub.com/hashicorp/consul/issues/17636)] - namespaces: **(Enterprise only)** fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions. Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints. - namespaces: adjusts the return type from HTTP list API to return the `api` module representation of a namespace. This fixes an error with the `consul namespace list` command when a namespace has a deferred deletion timestamp. - peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. \[[GH-17483](https://togithub.com/hashicorp/consul/issues/17483)] ### [`v1.13.8`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.8) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.7...v1.13.8) #### 1.13.8 (May 16, 2023) SECURITY: - Upgrade to use Go 1.20.1. This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`. \[[GH-16263](https://togithub.com/hashicorp/consul/issues/16263)] - Upgrade to use Go 1.20.4. This resolves vulnerabilities [CVE-2023-24537](https://togithub.com/advisories/GHSA-9f7g-gqwh-jpf5)(`go/scanner`), [CVE-2023-24538](https://togithub.com/advisories/GHSA-v4m2-x4rp-hv22)(`html/template`), [CVE-2023-24534](https://togithub.com/advisories/GHSA-8v5j-pwr7-w5f8)(`net/textproto`) and [CVE-2023-24536](https://togithub.com/advisories/GHSA-9f7g-gqwh-jpf5)(`mime/multipart`). Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs [CVE-2022-41721](https://togithub.com/advisories/GHSA-fxg5-wq6x-vr4w), [CVE-2022-27664](https://togithub.com/advisories/GHSA-69cg-p879-7622) and [CVE-2022-41723](https://togithub.com/advisories/GHSA-vvpx-j8f3-3w6h.) \[[GH-17240](https://togithub.com/hashicorp/consul/issues/17240)] IMPROVEMENTS: - api: updated the go module directive to 1.18. \[[GH-15297](https://togithub.com/hashicorp/consul/issues/15297)] - connect: update supported envoy versions to 1.20.7, 1.21.6, 1.22.11, 1.23.8 \[[GH-16891](https://togithub.com/hashicorp/consul/issues/16891)] - sdk: updated the go module directive to 1.18. \[[GH-15297](https://togithub.com/hashicorp/consul/issues/15297)] BUG FIXES: - Fix an bug where decoding some Config structs with unset pointer fields could fail with `reflect: call of reflect.Value.Type on zero Value`. \[[GH-17048](https://togithub.com/hashicorp/consul/issues/17048)] - audit-logging: (Enterprise only) Fix a bug where `/agent/monitor` and `/agent/metrics` endpoints return a `Streaming not supported` error when audit logs are enabled. This also fixes the delay receiving logs when running `consul monitor` against an agent with audit logs enabled. \[[GH-16700](https://togithub.com/hashicorp/consul/issues/16700)] - ca: Fixes a bug where updating Vault CA Provider config would cause TLS issues in the service mesh \[[GH-16592](https://togithub.com/hashicorp/consul/issues/16592)] - connect: Fix multiple inefficient behaviors when querying service health. \[[GH-17241](https://togithub.com/hashicorp/consul/issues/17241)] - grpc: ensure grpc resolver correctly uses lan/wan addresses on servers \[[GH-17270](https://togithub.com/hashicorp/consul/issues/17270)] - peering: Fixes a bug that can lead to peering service deletes impacting the state of local services \[[GH-16570](https://togithub.com/hashicorp/consul/issues/16570)] - xds: Fix possible panic that can when generating clusters before the root certificates have been fetched. \[[GH-17185](https://togithub.com/hashicorp/consul/issues/17185)] ### [`v1.13.7`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.7) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.6...v1.13.7) #### 1.13.7 (March 7, 2023) SECURITY: - Upgrade to use Go 1.19.6. This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`. \[[GH-16299](https://togithub.com/hashicorp/consul/issues/16299)] IMPROVEMENTS: - xds: Removed a bottleneck in Envoy config generation. \[[GH-16269](https://togithub.com/hashicorp/consul/issues/16269)] - container: Upgrade container image to use to Alpine 3.17. \[[GH-16358](https://togithub.com/hashicorp/consul/issues/16358)] - mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable \[[GH-16495](https://togithub.com/hashicorp/consul/issues/16495)] BUG FIXES: - mesh: Fix resolution of service resolvers with subsets for external upstreams \[[GH-16499](https://togithub.com/hashicorp/consul/issues/16499)] - proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services \[[GH-16498](https://togithub.com/hashicorp/consul/issues/16498)] ### [`v1.13.6`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.6) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.5...v1.13.6) #### 1.13.6 (January 26, 2023) FEATURES: - connect: add flags `envoy-ready-bind-port` and `envoy-ready-bind-address` to the `consul connect envoy` command that allows configuration of readiness probe on proxy for any service kind. \[[GH-16015](https://togithub.com/hashicorp/consul/issues/16015)] - deps: update to latest go-discover to provide ECS auto-discover capabilities. \[[GH-13782](https://togithub.com/hashicorp/consul/issues/13782)] IMPROVEMENTS: - grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. \[[GH-15701](https://togithub.com/hashicorp/consul/issues/15701)] - partition: **(Consul Enterprise only)** when loading service from on-disk config file or sending API request to agent endpoint, if the partition is unspecified, consul will default the partition in the request to agent's partition \[[GH-16024](https://togithub.com/hashicorp/consul/issues/16024)] BUG FIXES: - agent: Fix assignment of error when auto-reloading cert and key file changes. \[[GH-15769](https://togithub.com/hashicorp/consul/issues/15769)] ### [`v1.13.5`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.5) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.4...v1.13.5) #### 1.13.5 (December 13, 2022) SECURITY: - Upgrade to use Go 1.18.9. This resolves a vulnerability where restricted files can be read on Windows. [CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720) \[[GH-15706](https://togithub.com/hashicorp/consul/issues/15706)] - Upgrades `golang.org/x/net` to prevent a denial of service by excessive memory usage caused by HTTP2 requests. [CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717) \[[GH-15743](https://togithub.com/hashicorp/consul/issues/15743)] IMPROVEMENTS: - connect: ensure all vault connect CA tests use limited privilege tokens \[[GH-15669](https://togithub.com/hashicorp/consul/issues/15669)] BUG FIXES: - agent: **(Enterprise Only)** Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions. - cli: **(Enterprise Only)** Fix issue where `consul partition update` subcommand was not registered and therefore not available through the cli. - connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs \[[GH-15661](https://togithub.com/hashicorp/consul/issues/15661)] ### [`v1.13.4`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.4) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.3...v1.13.4) #### 1.13.4 (November 30, 2022) IMPROVEMENTS: - auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. \[[GH-15370](https://togithub.com/hashicorp/consul/issues/15370)] - raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Fix a race condition where the snapshot file is closed without being opened \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] BUG FIXES: - agent: Fixed issue where blocking queries with short waits could timeout on the client \[[GH-15541](https://togithub.com/hashicorp/consul/issues/15541)] - ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty \[[GH-15525](https://togithub.com/hashicorp/consul/issues/15525)] - connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs \[[GH-15217](https://togithub.com/hashicorp/consul/issues/15217)] \[[GH-15253](https://togithub.com/hashicorp/consul/issues/15253)] - connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. \[[GH-15083](https://togithub.com/hashicorp/consul/issues/15083)] - connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. \[[GH-15320](https://togithub.com/hashicorp/consul/issues/15320)] - debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters \[[GH-15155](https://togithub.com/hashicorp/consul/issues/15155)] - deps: update go-memdb, fixing goroutine leak \[[GH-15010](https://togithub.com/hashicorp/consul/issues/15010)] \[[GH-15068](https://togithub.com/hashicorp/consul/issues/15068)] - namespace: **(Enterprise Only)** Fix a bug that caused blocking queries during namespace replication to timeout - namespace: **(Enterprise Only)** Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter - peering: better represent non-passing states during peer check flattening \[[GH-15615](https://togithub.com/hashicorp/consul/issues/15615)] - peering: fix the error of wan address isn't taken by the peering token. \[[GH-15065](https://togithub.com/hashicorp/consul/issues/15065)] - peering: when wan address is set, peering stream should use the wan address. \[[GH-15108](https://togithub.com/hashicorp/consul/issues/15108)] ### [`v1.13.3`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.3) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.2...v1.13.3) #### 1.13.3 (October 19, 2022) FEATURES: - agent: Added a new config option `rpc_client_timeout` to tune timeouts for client RPC requests \[[GH-14965](https://togithub.com/hashicorp/consul/issues/14965)] - config-entry(ingress-gateway): Added support for `max_connections` for upstream clusters \[[GH-14749](https://togithub.com/hashicorp/consul/issues/14749)] IMPROVEMENTS: - connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider. \[[GH-15035](https://togithub.com/hashicorp/consul/issues/15035)] - connect: Added gateway options to Envoy proxy config for enabling tcp keepalives on terminating gateway upstreams and mesh gateways in remote datacenters. \[[GH-14800](https://togithub.com/hashicorp/consul/issues/14800)] - connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 \[[GH-14828](https://togithub.com/hashicorp/consul/issues/14828)] - licensing: **(Enterprise Only)** Consul Enterprise production licenses do not degrade or terminate Consul upon expiration. They will only fail when trying to upgrade to a newer version of Consul. Evaluation licenses still terminate. \[[GH-1990](https://togithub.com/hashicorp/consul/issues/1990)] BUG FIXES: - agent: avoid leaking the alias check runner goroutine when the check is de-registered \[[GH-14935](https://togithub.com/hashicorp/consul/issues/14935)] - ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one \[[GH-15005](https://togithub.com/hashicorp/consul/issues/15005)] - cache: prevent goroutine leak in agent cache \[[GH-14908](https://togithub.com/hashicorp/consul/issues/14908)] - checks: Fixed a bug that prevented registration of UDP health checks from agent configuration files, such as service definition files with embedded health check definitions. \[[GH-14885](https://togithub.com/hashicorp/consul/issues/14885)] - connect: Fixed a bug where transparent proxy does not correctly spawn listeners for upstreams to service-resolvers. \[[GH-14751](https://togithub.com/hashicorp/consul/issues/14751)] - snapshot-agent: **(Enterprise only)** Fix a bug when a session is not found in Consul, which leads the agent to panic. ### [`v1.13.2`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.2) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.1...v1.13.2) #### 1.13.2 (September 20, 2022) SECURITY: - auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. \[[GH-14577](https://togithub.com/hashicorp/consul/issues/14577)] - connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint now only allows for exactly one SAN URI to be specified. \[[GH-14579](https://togithub.com/hashicorp/consul/issues/14579)] FEATURES: - cli: Adds new subcommands for `peering` workflows. Refer to the [CLI docs](https://www.consul.io/commands/peering) for more information. \[[GH-14423](https://togithub.com/hashicorp/consul/issues/14423)] - connect: Server address changes are streamed to peers \[[GH-14285](https://togithub.com/hashicorp/consul/issues/14285)] - service-defaults: Added support for `local_request_timeout_ms` and `local_connect_timeout_ms` in servicedefaults config entry \[[GH-14395](https://togithub.com/hashicorp/consul/issues/14395)] IMPROVEMENTS: - connect: Bump latest Envoy to 1.23.1 in test matrix \[[GH-14573](https://togithub.com/hashicorp/consul/issues/14573)] - connect: expose new tracing configuration on envoy \[[GH-13998](https://togithub.com/hashicorp/consul/issues/13998)] - envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. \[[GH-14238](https://togithub.com/hashicorp/consul/issues/14238)] - metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics \[[GH-14161](https://togithub.com/hashicorp/consul/issues/14161)] - peering: Validate peering tokens for server name conflicts \[[GH-14563](https://togithub.com/hashicorp/consul/issues/14563)] - snapshot agent: **(Enterprise only)** Add support for path-based addressing when using s3 backend. - ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ \[[GH-14521](https://togithub.com/hashicorp/consul/issues/14521)] BUG FIXES: - agent: Fixes an issue where an agent that fails to start due to bad addresses won't clean up any existing liste </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xOS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Consul’s DNS and HTTP API expose a caching feature susceptible to DoS.
Background
Consul v1.2.0 introduced an agent cache to ease management of proxy configuration on the agents, allowing caching in the HTTP API. Later v1.4.3 included the ability to turn on using the agent cache for DNS queries. While the cache has the ability to expire, or evict old entries, it does not have the ability to limit the cache’s size.
Remediation
Steps to remediate: