Releases: hashicorp/consul
v1.20.0
1.20.0 (October 14, 2024)
SECURITY:
- Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [GH-21704]
- Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [GH-21711]
- UI: Remove codemirror linting due to package dependency [GH-21726]
- Upgrade Go to use 1.22.7. This addresses CVE-2024-34155 [GH-21705]
- Upgrade to support aws/aws-sdk-go v1.55.5 or higher. This resolves CVEs CVE-2020-8911 and CVE-2020-8912. [GH-21684]
- ui: Pin a newer resolution of Braces [GH-21710]
- ui: Pin a newer resolution of Codemirror [GH-21715]
- ui: Pin a newer resolution of Markdown-it [GH-21717]
- ui: Pin a newer resolution of ansi-html [GH-21735]
FEATURES:
- grafana: added the service-to-service dashboard, service dashboard, and consul dataplane dashboard [GH-21806]
- server: remove v2 tenancy, catalog, and mesh experiments [GH-21592]
IMPROVEMENTS:
- security: upgrade ubi base image to 9.4 [GH-21750]
- connect: Add Envoy 1.31 and 1.30 to support matrix [GH-21616]
BUG FIXES:
- jwt-provider: change the DNS lookup family from the default of AUTO, which would prefer IPv6, to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used, to gracefully handle transitions to IPv6. [GH-21703]
v1.20.0-rc1
1.20.0-rc1 (September 19, 2024)
SECURITY:
- Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [GH-21704]
- Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [GH-21711]
- UI: Remove codemirror linting due to package dependency [GH-21726]
- Upgrade Go to use 1.22.7. This addresses CVE-2024-34155 [GH-21705]
- Upgrade to support aws/aws-sdk-go v1.55.5 or higher. This resolves CVEs CVE-2020-8911 and CVE-2020-8912. [GH-21684]
- ui: Pin a newer resolution of Braces [GH-21710]
- ui: Pin a newer resolution of Codemirror [GH-21715]
- ui: Pin a newer resolution of Markdown-it [GH-21717]
- ui: Pin a newer resolution of ansi-html [GH-21735]
FEATURES:
- server: remove v2 tenancy, catalog, and mesh experiments [GH-21592]
IMPROVEMENTS:
- security: upgrade ubi base image to 9.4 [GH-21750]
- connect: Add Envoy 1.31 and 1.30 to support matrix [GH-21616]
BUG FIXES:
- jwt-provider: change the DNS lookup family from the default of AUTO, which would prefer IPv6, to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used, to gracefully handle transitions to IPv6. [GH-21703]
v1.19.2
1.19.2 (August 26, 2024)
SECURITY:
- ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [GH-21588]
IMPROVEMENTS:
- Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]
BUG FIXES:
- api-gateway: (Enterprise only) ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint [GH-21604]
v1.18.4 (Enterprise)
1.18.4 Enterprise (August 26, 2024)
Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
SECURITY:
- ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0
IMPROVEMENTS:
- Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]
v1.17.7 (Enterprise)
1.17.7 Enterprise (August 26, 2024)
SECURITY:
- ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0
IMPROVEMENTS:
- Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]
v1.15.14 (Enterprise)
1.15.14 Enterprise (August 26, 2024)
Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.
SECURITY:
- ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [GH-21588]
IMPROVEMENTS:
- Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]
v1.19.1
1.19.1 (July 11, 2024)
SECURITY:
- Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve CVE-2024-39305 [GH-21524]
- Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-21507]
- Upgrade go-retryablehttp to address CVE-2024-6104 [GH-21384]
- agent: removed reflected cross-site scripting vulnerability [GH-21342]
- ui: Pin and namespace sub-module dependencies related to the Consul UI [GH-21378]
IMPROVEMENTS:
- mesh: update supported envoy version 1.29.5 in addition to 1.28.4, 1.27.6. [GH-21277]
BUG FIXES:
- core: Fix multiple incorrect type conversions for potential overflows [GH-21251]
- core: Fix panic runtime error on AliasCheck [GH-21339]
- dns: Fix a regression where DNS SRV questions were returning duplicate hostnames instead of encoded IPs. This affected Nomad integrations with Consul. [GH-21361]
- dns: Fix a regression where DNS tags using the standard lookup syntax, tag.name.service.consul, were being disregarded. [GH-21361]
- dns: Fixes a spam log message "Failed to parse TTL for prepared query..." that was always being logged on each prepared query evaluation. [GH-21381]
- terminating-gateway: (Enterprise Only) Fixed an issue where the enterprise metadata applied to linked services was the terminating gateway's enterprise metadata and not the linked services' enterprise metadata. [GH-21382]
- txn: Fix a bug where mismatched Consul server versions could result in undetected data loss when using newer Transaction verbs. [GH-21519]
v1.18.3 (Enterprise)
1.18.3 Enterprise (July 11, 2024)
Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
SECURITY:
- Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve CVE-2024-39305 [GH-21524]
- Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-21507]
- Upgrade go-retryablehttp to address CVE-2024-6104 [GH-21384]
- agent: removed reflected cross-site scripting vulnerability [GH-21342]
- ui: Pin and namespace sub-module dependencies related to the Consul UI [GH-21378]
IMPROVEMENTS:
- mesh: update supported envoy version 1.29.4
- mesh: update supported envoy version 1.29.5 in addition to 1.28.4, 1.27.6. [GH-21277]
- upgrade go version to v1.22.3. [GH-21113]
- upgrade go version to v1.22.4. [GH-21265]
BUG FIXES:
- core: Fix multiple incorrect type conversions for potential overflows [GH-21251]
- core: Fix panic runtime error on AliasCheck [GH-21339]
- dns: Fixes a spam log message "Failed to parse TTL for prepared query..." that was always being logged on each prepared query evaluation. [GH-21381]
- terminating-gateway: (Enterprise Only) Fixed an issue where the enterprise metadata applied to linked services was the terminating gateway's enterprise metadata and not the linked services' enterprise metadata. [GH-21382]
- txn: Fix a bug where mismatched Consul server versions could result in undetected data loss when using newer Transaction verbs. [GH-21519]
- v2dns: Fix a regression where DNS SRV questions were returning duplicate hostnames instead of encoded IPs. This affected Nomad integrations with Consul. [GH-21361]
- v2dns: Fix a regression where DNS tags using the standard lookup syntax, tag.name.service.consul, were being disregarded. [GH-21361]
v1.17.6 (Enterprise)
1.17.6 Enterprise (July 11, 2024)
SECURITY:
- Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve CVE-2024-39305 [GH-21524]
- Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-21507]
- Upgrade go-retryablehttp to address CVE-2024-6104 [GH-21384]
- agent: removed reflected cross-site scripting vulnerability [GH-21342]
- ui: Pin and namespace sub-module dependencies related to the Consul UI [GH-21378]
IMPROVEMENTS:
BUG FIXES:
- core: Fix panic runtime error on AliasCheck [GH-21339]
- terminating-gateway: (Enterprise Only) Fixed an issue where the enterprise metadata applied to linked services was the terminating gateway's enterprise metadata and not the linked services' enterprise metadata. [GH-21382]
- txn: Fix a bug where mismatched Consul server versions could result in undetected data loss when using newer Transaction verbs. [GH-21519]
v1.15.13 (Enterprise)
1.15.13 Enterprise (July 11, 2024)
Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.
SECURITY:
- Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve CVE-2024-39305 [GH-21524]
- Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-21507]
- Upgrade go-retryablehttp to address CVE-2024-6104 [GH-21384]
- agent: removed reflected cross-site scripting vulnerability [GH-21342]
- ui: Pin and namespace sub-module dependencies related to the Consul UI [GH-21378]
IMPROVEMENTS:
- mesh: update supported envoy version 1.29.4
- upgrade go version to v1.22.3. [GH-21113]
- upgrade go version to v1.22.4. [GH-21265]
BUG FIXES:
- core: Fix panic runtime error on AliasCheck [GH-21339]
- terminating-gateway: (Enterprise Only) Fixed an issue where the enterprise metadata applied to linked services was the terminating gateway's enterprise metadata and not the linked services' enterprise metadata. [GH-21382]
- txn: Fix a bug where mismatched Consul server versions could result in undetected data loss when using newer Transaction verbs. [GH-21519]