hashicorp/consul CVE-2018-19653 CVE-2020-7219 CVE-2020-13250 CVE-2020-28053

[sergiodj]

Security scanning revealed that the version of https://github.com/hashicorp/consul being used by telegraf is affected by the following CVEs:

https://nvd.nist.gov/vuln/detail/CVE-2018-19653
https://nvd.nist.gov/vuln/detail/CVE-2020-7219
https://nvd.nist.gov/vuln/detail/CVE-2020-13250
https://nvd.nist.gov/vuln/detail/CVE-2020-28053

Based on the details provided by all of them, it seems that it should be enough to update the dependency to either one of the following versions: 1.6.10, 1.7.10, and 1.8.6.

[sergiodj]

Thanks a lot for fixing this!

Would it be possible to cut a new release containing these fixes, please? This was I can update the Ubuntu telegraf package right away :-). Thanks in advance!

[reimda]

Thanks a lot for fixing this!

Would it be possible to cut a new release containing these fixes, please? This was I can update the Ubuntu telegraf package right away :-). Thanks in advance!

We're planning to include them in 1.18.3, coming out around May 19. Until then you can use the package in the nightly builds: https://github.com/influxdata/telegraf/#nightly-builds