Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) #10830

Merged

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 9, 2023

Mend Renovate

This PR contains the following updates:

Package Type Update Change
github.com/hashicorp/consul replace minor v1.5.1 -> v1.14.5

Denial of Service (DoS) in HashiCorp Consul

CVE-2020-7219 / GHSA-23jv-v6qj-3fhh

More information

Details

HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.

Specific Go Packages Affected

github.com/hashicorp/consul/agent/consul

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Incorrect Authorization in HashiCorp Consul

CVE-2020-7955 / GHSA-r9w6-rhh9-7v53

More information

Details

HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Allocation of Resources Without Limits or Throttling in Hashicorp Consul

CVE-2020-13250 / GHSA-rqjq-mrgx-85hp

More information

Details

HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service.

Specific Go Packages Affected

github.com/hashicorp/consul/agent/config

Fix

The vulnerability is fixed in versions 1.6.6 and 1.7.4.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Consul Cross-site Scripting vulnerability

CVE-2020-25864 / GHSA-8xmx-h8rq-h94j

More information

Details

HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Consul Privilege Escalation Vulnerability

CVE-2021-37219 / GHSA-ccw8-7688-vqx4

More information

Details

HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.

CVE-2021-38698 / GHSA-6hw5-6gcx-phmw

More information

Details

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector

CVE-2022-29153 / GHSA-q6h7-4qgw-2j9p

More information

Details

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hashicorp Consul Missing SSL Certificate Validation

CVE-2021-32574 / GHSA-25gf-8qrr-g78r

More information

Details

HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Consul L7 deny intention results in an allow action

CVE-2021-36213 / GHSA-8h2g-r292-j8xh

More information

Details

In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Consul vulnerable to authorization bypass

CVE-2022-40716 / GHSA-m69r-9g56-7mv8

More information

Details

HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This issue has been fixed in versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hashicorp Consul vulnerable to denial of service

CVE-2023-1297 / GHSA-c57c-7hrj-6q6v

More information

Details

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3

Severity

  • CVSS Score: 4.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

hashicorp/consul (github.com/hashicorp/consul)

v1.14.5

Compare Source

1.14.5 (March 7, 2023)

SECURITY:

IMPROVEMENTS:

  • container: Upgrade container image to use to Alpine 3.17. [GH-16358]
  • mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable [GH-16495]

BUG FIXES:

  • mesh: Fix resolution of service resolvers with subsets for external upstreams [GH-16499]
  • peering: Fix bug where services were incorrectly imported as connect-enabled. [GH-16339]
  • peering: Fix issue where mesh gateways would use the wrong address when contacting a remote peer with the same datacenter name. [GH-16257]
  • peering: Fix issue where secondary wan-federated datacenters could not be used as peering acceptors. [GH-16230]
  • proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services [GH-16498]

v1.14.4

Compare Source

1.14.4 (January 26, 2023)

BREAKING CHANGES:

  • connect: Fix configuration merging for transparent proxy upstreams. Proxy-defaults and service-defaults config entries were not correctly merged for implicit upstreams in transparent proxy mode and would result in some configuration not being applied. To avoid issues when upgrading, ensure that any proxy-defaults or service-defaults have correct configuration for upstreams, since all fields will now be properly used to configure proxies. [GH-16000]
  • peering: Newly created peering connections must use only lowercase characters in the name field. Existing peerings with uppercase characters will not be modified, but they may encounter issues in various circumstances. To maintain forward compatibility and avoid issues, it is recommended to destroy and re-create any invalid peering connections so that they do not have a name containing uppercase characters. [GH-15697]

FEATURES:

  • connect: add flags envoy-ready-bind-port and envoy-ready-bind-address to the consul connect envoy command that allows configuration of readiness probe on proxy for any service kind. [GH-16015]
  • deps: update to latest go-discover to provide ECS auto-discover capabilities. [GH-13782]

IMPROVEMENTS:

  • acl: relax permissions on the WatchServers, WatchRoots and GetSupportedDataplaneFeatures gRPC endpoints to accept any valid ACL token [GH-15346]
  • connect: Add support for ConsulResolver to specifies a filter expression [GH-15659]
  • grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. [GH-15701]
  • partition: (Consul Enterprise only) when loading service from on-disk config file or sending API request to agent endpoint,
    if the partition is unspecified, consul will default the partition in the request to agent's partition [GH-16024]

BUG FIXES:

  • agent: Fix assignment of error when auto-reloading cert and key file changes. [GH-15769]
  • agent: Fix issue where the agent cache would incorrectly mark protobuf objects as updated. [GH-15866]
  • cli: Fix issue where consul connect envoy was unable to configure TLS over unix-sockets to gRPC. [GH-15913]
  • connect: (Consul Enterprise only) Fix issue where upstream configuration from proxy-defaults and service-defaults was not properly merged. This could occur when a mixture of empty-strings and "default" were used for the namespace or partition fields.
  • connect: Fix issue where service-resolver protocol checks incorrectly errored for failover peer targets. [GH-15833]
  • connect: Fix issue where watches on upstream failover peer targets did not always query the correct data. [GH-15865]
  • xds: fix bug where sessions for locally-managed services could fail with "this server has too many xDS streams open" [GH-15789]

v1.14.3

Compare Source

1.14.3 (December 13, 2022)

SECURITY:

  • Upgrade to use Go 1.19.4. This resolves a vulnerability where restricted files can be read on Windows. CVE-2022-41720 [GH-15705]
  • Upgrades golang.org/x/net to prevent a denial of service by excessive memory usage caused by HTTP2 requests. CVE-2022-41717 [GH-15737]

FEATURES:

  • ui: Add field for fallback server addresses to peer token generation form [GH-15555]

IMPROVEMENTS:

  • connect: ensure all vault connect CA tests use limited privilege tokens [GH-15669]

BUG FIXES:

  • agent: (Enterprise Only) Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions.
  • connect: Fix issue where DialedDirectly configuration was not used by Consul Dataplane. [GH-15760]
  • connect: Fix peering failovers ignoring local mesh gateway configuration. [GH-15690]
  • connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs [GH-15661]

v1.14.2

Compare Source

1.14.2 (November 30, 2022)

FEATURES:

  • connect: Add local_idle_timeout_ms to allow configuring the Envoy route idle timeout on local_app
    connect: Add IdleTimeout to service-router to allow configuring the Envoy route idle timeout [GH-14340]
  • snapshot: (Enterprise Only) Add support for the snapshot agent to use an IAM role for authentication/authorization when managing snapshots in S3.

IMPROVEMENTS:

  • dns: Add support for cluster peering .service and .node DNS queries. [GH-15596]

BUG FIXES:

  • acl: avoid debug log spam in secondary datacenter servers due to management token not being initialized. [GH-15610]
  • agent: Fixed issue where blocking queries with short waits could timeout on the client [GH-15541]
  • ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty [GH-15525]
  • cli: (Enterprise Only) Fix issue where consul partition update subcommand was not registered and therefore not available through the cli.
  • connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs [GH-15217] [GH-15253]
  • namespace: (Enterprise Only) Fix a bug that caused blocking queries during namespace replication to timeout
  • peering: better represent non-passing states during peer check flattening [GH-15615]
  • peering: fix the limit of replication gRPC message; set to 8MB [GH-15503]

v1.14.1

Compare Source

1.14.1 (November 21, 2022)

BUG FIXES:

  • cli: Fix issue where consul connect envoy incorrectly uses the HTTPS API configuration for xDS connections. [GH-15466]
  • sdk: Fix SDK testutil backwards compatibility by only configuring grpc_tls port for new Consul versions. [GH-15423]

v1.14.0

Compare Source

1.14.0 (November 15, 2022)

BREAKING CHANGES:

  • config: Add new ports.grpc_tls configuration option.
    Introduce a new port to better separate TLS config from the existing ports.grpc config.
    The new ports.grpc_tls only supports TLS encrypted communication.
    The existing ports.grpc now only supports plain-text communication. [GH-15339]
  • config: update 1.14 config defaults: Enable peering and connect by default. [GH-15302]
  • config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 [GH-15302]
  • connect: Removes support for Envoy 1.20 [GH-15093]
  • peering: Rename PeerName to Peer on prepared queries and exported services. [GH-14854]
  • xds: Convert service mesh failover to use Envoy's aggregate clusters. This
    changes the names of some Envoy dynamic HTTP metrics. [GH-14178]

SECURITY:

  • Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints CVE-2022-3920 [GH-15356]

FEATURES:

  • DNS-proxy support via gRPC request. [GH-14811]
  • cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. [GH-14933]
  • cli: Add -consul-dns-port flag to the consul connect redirect-traffic command to allow forwarding DNS traffic to a specific Consul DNS port. [GH-15050]
  • connect: Add Envoy connection balancing configuration fields. [GH-14616]
  • grpc: Added metrics for external gRPC server. Added server_type=internal|external label to gRPC metrics. [GH-14922]
  • http: Add new get-or-empty operation to the txn api. Refer to the API docs for more information. [GH-14474]
  • peering: Add mesh gateway local mode support for cluster peering. [GH-14817]
  • peering: Add support for stale queries for trust bundle lookups [GH-14724]
  • peering: Add support to failover to services running on cluster peers. [GH-14396]
  • peering: Add support to redirect to services running on cluster peers with service resolvers. [GH-14445]
  • peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. [GH-14797]
  • peering: add support for routine peering control-plane traffic through mesh gateways [GH-14981]
  • sdk: Configure iptables to forward DNS traffic to a specific DNS port. [GH-15050]
  • telemetry: emit memberlist size metrics and broadcast queue depth metric. [GH-14873]
  • ui: Added support for central config merging [GH-14604]
  • ui: Create peerings detail page [GH-14947]
  • ui: Detect a TokenSecretID cookie and passthrough to localStorage [GH-14495]
  • ui: Display notice banner on nodes index page if synthetic nodes are being filtered. [GH-14971]
  • ui: Filter agentless (synthetic) nodes from the nodes list page. [GH-14970]
  • ui: Filter out node health checks on agentless service instances [GH-14986]
  • ui: Remove node meta on service instances when using agentless and consolidate external-source labels on service instances page if they all match. [GH-14921]
  • ui: Removed reference to node name on service instance page when using agentless [GH-14903]
  • ui: Use withCredentials for all HTTP API requests [GH-14343]
  • xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers [GH-14397]

IMPROVEMENTS:

  • peering: Add peering datacenter and partition to initial handshake. [GH-14889]
  • xds: Added a rate limiter to the delivery of proxy config updates, to prevent updates to "global" resources such as wildcard intentions from overwhelming servers (see: xds.update_max_per_second config field) [GH-14960]
  • xds: Removed a bottleneck in Envoy config generation, enabling a higher number of dataplanes per server [GH-14934]
  • agent/hcp: add initial HashiCorp Cloud Platform integration [GH-14723]
  • agent: Added configuration option cloud.scada_address. [GH-14936]
  • api: Add filtering support to Catalog's List Services (v1/catalog/services) [GH-11742]
  • api: Increase max number of operations inside a transaction for requests to /v1/txn (128) [GH-14599]
  • auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. [GH-15370]
  • config-entry: Validate that service-resolver Failovers and Redirects only
    specify Partition and Namespace on Consul Enterprise. This prevents scenarios
    where OSS Consul would save service-resolvers that require Consul Enterprise. [GH-14162]
  • connect: Add Envoy 1.24.0 to support matrix [GH-15093]
  • connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [GH-14831]
  • connect: service-router destinations have gained a RetryOn field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists. [GH-12890]
  • dns/peering: (Enterprise Only) Support addresses in the formats <servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul and <servicename>.virtual.<partition>.ap.<peername>.peer.consul. This longer form address that allows specifying .peer would need to be used for tproxy DNS requests made within non-default partitions for imported services.
  • dns: (Enterprise Only) All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: [<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>. [GH-14679]
  • integ test: fix flakiness due to test condition from retry app endoint [GH-15233]
  • metrics: Service RPC calls less than 1ms are now emitted as a decimal number. [GH-12905]
  • peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters. [GH-14556]
  • peering: require TLS for peering connections using server cert signed by Connect CA [GH-14796]
  • peering: return information about the health of the peering when the leader is queried to read a peering. [GH-14747]
  • raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter [GH-14897]
  • raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 [GH-14897]
  • raft: Fix a race condition where the snapshot file is closed without being opened [GH-14897]
  • telemetry: Added a consul.xds.server.streamStart metric to measure time taken to first generate xDS resources for an xDS stream. [GH-14957]
  • ui: Improve guidance around topology visualisation [GH-14527]
  • xds: Set max_ejection_percent on Envoy's outlier detection to 100% for peered services. [GH-14373]

BUG FIXES:

  • checks: Do not set interval as timeout value [GH-14619]
  • checks: If set, use proxy address for automatically added sidecar check instead of service address. [GH-14433]
  • cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together [GH-13493]
  • connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. [GH-15186]
  • connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. [GH-15083]
  • connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. [GH-15320]
  • debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters [GH-15155]
  • deps: update go-memdb, fixing goroutine leak [GH-15010] [GH-15068]
  • grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response. [GH-14869]
  • metrics: Add duplicate metrics that have only a single "consul_" prefix for all existing metrics with double ("consul_consul_") prefix, with the intent to standardize on single prefixes. [GH-14475]
  • namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter
  • peering: Fix a bug that resulted in /v1/agent/metrics returning an error. [GH-15178]
  • peering: fix nil pointer in calling handleUpdateService [GH-15160]
  • peering: fix the error of wan address isn't taken by the peering token. [GH-15065]
  • peering: when wan address is set, peering stream should use the wan address. [GH-15108]
  • proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. [GH-15272]
  • server: fix goroutine/memory leaks in the xDS subsystem (these were present regardless of whether or not xDS was in-use) [GH-14916]
  • server: fixes the error trying to source proxy configuration for http checks, in case of proxies using consul-dataplane. [GH-14924]
  • xds: Central service configuration (proxy-defaults and service-defaults) is now correctly applied to Consul Dataplane proxies [GH-14962]

NOTES:

  • deps: Upgrade to use Go 1.19.2 [GH-15090]

v1.13.9

Compare Source

1.13.9 (June 26, 2023)

BREAKING CHANGES:

  • connect: Disable peering by default in connect proxies for Consul 1.13. This change was made to prevent inefficient polling
    queries from having a negative impact on server performance. Peering in Consul 1.13 is an experimental feature and is not
    recommended for use in production environments. If you still wish to use the experimental peering feature, ensure
    peering.enabled = true
    is set on all clients and servers. [GH-17731]

SECURITY:

  • Update to UBI base image to 9.2. [GH-17513]

FEATURES:

  • server: (Enterprise Only) allow automatic license utilization reporting. [GH-5102]

IMPROVEMENTS:

  • debug: change default setting of consul debug command. now default duration is 5ms and default log level is 'TRACE' [GH-17596]
  • systemd: set service type to notify. [GH-16845]

BUG FIXES:

  • cache: fix a few minor goroutine leaks in leaf certs and the agent cache [GH-17636]
  • namespaces: (Enterprise only) fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions.
    Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints.
  • namespaces: adjusts the return type from HTTP list API to return the api module representation of a namespace.
    This fixes an error with the consul namespace list command when a namespace has a deferred deletion timestamp.
  • peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. [GH-17483]

v1.13.8

Compare Source

1.13.8 (May 16, 2023)

SECURITY:

IMPROVEMENTS:

  • api: updated the go module directive to 1.18. [GH-15297]
  • connect: update supported envoy versions to 1.20.7, 1.21.6, 1.22.11, 1.23.8 [GH-16891]
  • sdk: updated the go module directive to 1.18. [GH-15297]

BUG FIXES:

  • Fix an bug where decoding some Config structs with unset pointer fields could fail with reflect: call of reflect.Value.Type on zero Value. [GH-17048]
  • audit-logging: (Enterprise only) Fix a bug where /agent/monitor and /agent/metrics endpoints return a Streaming not supported error when audit logs are enabled. This also fixes the delay receiving logs when running consul monitor against an agent with audit logs enabled. [GH-16700]
  • ca: Fixes a bug where updating Vault CA Provider config would cause TLS issues in the service mesh [GH-16592]
  • connect: Fix multiple inefficient behaviors when querying service health. [GH-17241]
  • grpc: ensure grpc resolver correctly uses lan/wan addresses on servers [GH-17270]
  • peering: Fixes a bug that can lead to peering service deletes impacting the state of local services [GH-16570]
  • xds: Fix possible panic that can when generating clusters before the root certificates have been fetched. [GH-17185]

v1.13.7

Compare Source

1.13.7 (March 7, 2023)

SECURITY:

IMPROVEMENTS:

  • xds: Removed a bottleneck in Envoy config generation. [GH-16269]
  • container: Upgrade container image to use to Alpine 3.17. [GH-16358]
  • mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable [GH-16495]

BUG FIXES:

  • mesh: Fix resolution of service resolvers with subsets for external upstreams [GH-16499]
  • proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services [GH-16498]

v1.13.6

Compare Source

1.13.6 (January 26, 2023)

FEATURES:

  • connect: add flags envoy-ready-bind-port and envoy-ready-bind-address to the consul connect envoy command that allows configuration of readiness probe on proxy for any service kind. [GH-16015]
  • deps: update to latest go-discover to provide ECS auto-discover capabilities. [GH-13782]

IMPROVEMENTS:

  • grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. [GH-15701]
  • partition: (Consul Enterprise only) when loading service from on-disk config file or sending API request to agent endpoint,
    if the partition is unspecified, consul will default the partition in the request to agent's partition [GH-16024]

BUG FIXES:

  • agent: Fix assignment of error when auto-reloading cert and key file changes. [GH-15769]

v1.13.5

Compare Source

1.13.5 (December 13, 2022)

SECURITY:

  • Upgrade to use Go 1.18.9. This resolves a vulnerability where restricted files can be read on Windows. CVE-2022-41720 [GH-15706]
  • Upgrades golang.org/x/net to prevent a denial of service by excessive memory usage caused by HTTP2 requests. CVE-2022-41717 [GH-15743]

IMPROVEMENTS:

  • connect: ensure all vault connect CA tests use limited privilege tokens [GH-15669]

BUG FIXES:

  • agent: (Enterprise Only) Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions.
  • cli: (Enterprise Only) Fix issue where consul partition update subcommand was not registered and therefore not available through the cli.
  • connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs [GH-15661]

v1.13.4

Compare Source

1.13.4 (November 30, 2022)

IMPROVEMENTS:

  • auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. [GH-15370]
  • raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter [GH-14897]
  • raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 [GH-14897]
  • raft: Fix a race condition where the snapshot file is closed without being opened [GH-14897]

BUG FIXES:

  • agent: Fixed issue where blocking queries with short waits could timeout on the client [GH-15541]
  • ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty [GH-15525]
  • connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs [GH-15217] [GH-15253]
  • connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. [GH-15083]
  • connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. [GH-15320]
  • debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters [GH-15155]
  • deps: update go-memdb, fixing goroutine leak [GH-15010] [GH-15068]
  • namespace: (Enterprise Only) Fix a bug that caused blocking queries during namespace replication to timeout
  • namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter
  • peering: better represent non-passing states during peer check flattening [GH-15615]
  • peering: fix the error of wan address isn't taken by the peering token. [GH-15065]
  • peering: when wan address is set, peering stream should use the wan address. [GH-15108]

v1.13.3

Compare Source

1.13.3 (October 19, 2022)

FEATURES:

  • agent: Added a new config option rpc_client_timeout to tune timeouts for client RPC requests [GH-14965]
  • config-entry(ingress-gateway): Added support for max_connections for upstream clusters [GH-14749]

IMPROVEMENTS:

  • connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider. [GH-15035]
  • connect: Added gateway options to Envoy proxy config for enabling tcp keepalives on terminating gateway upstreams and mesh gateways in remote datacenters. [GH-14800]
  • connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [GH-14828]
  • licensing: (Enterprise Only) Consul Enterprise production licenses do not degrade or terminate Consul upon expiration. They will only fail when trying to upgrade to a newer version of Consul. Evaluation licenses still terminate. [GH-1990]

BUG FIXES:

  • agent: avoid leaking the alias check runner goroutine when the check is de-registered [GH-14935]
  • ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one [GH-15005]
  • cache: prevent goroutine leak in agent cache [GH-14908]
  • checks: Fixed a bug that prevented registration of UDP health checks from agent configuration files, such as service definition files with embedded health check definitions. [GH-14885]
  • connect: Fixed a bug where transparent proxy does not correctly spawn listeners for upstreams to service-resolvers. [GH-14751]
  • snapshot-agent: (Enterprise only) Fix a bug when a session is not found in Consul, which leads the agent to panic.

v1.13.2

Compare Source

1.13.2 (September 20, 2022)

SECURITY:

  • auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the AutoConfig.InitialConfiguration endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577]
  • connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the ConnectCA.Sign endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]

FEATURES:

  • cli: Adds new subcommands for peering workflows. Refer to the CLI docs for more information. [GH-14423]
  • connect: Server address changes are streamed to peers [GH-14285]
  • service-defaults: Added support for local_request_timeout_ms and
    local_connect_timeout_ms in servicedefaults config entry [GH-14395]

IMPROVEMENTS:

  • connect: Bump latest Envoy to 1.23.1 in test matrix [GH-14573]
  • connect: expose new tracing configuration on envoy [GH-13998]
  • envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. [GH-14238]
  • metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [GH-14161]
  • peering: Validate peering tokens for server name conflicts [GH-14563]
  • snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend.
  • ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ [GH-14521]

BUG FIXES:

  • agent: Fixes an issue where an agent that fails to start due to bad addresses won't clean up any existing liste

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner October 9, 2023 13:58
@renovate renovate bot added area/security dependencies Pull requests that update a dependency file labels Oct 9, 2023
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) - autoclosed Oct 9, 2023
@renovate renovate bot closed this Oct 9, 2023
@renovate renovate bot deleted the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 9, 2023 14:13
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) - autoclosed chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) Oct 9, 2023
@renovate renovate bot reopened this Oct 9, 2023
@renovate renovate bot restored the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 9, 2023 14:55
@renovate renovate bot force-pushed the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch from 2233881 to 26dc0bf Compare October 9, 2023 15:01
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) - autoclosed Oct 9, 2023
@renovate renovate bot closed this Oct 9, 2023
@renovate renovate bot deleted the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 9, 2023 19:17
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) - autoclosed chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) Oct 10, 2023
@renovate renovate bot reopened this Oct 10, 2023
@renovate renovate bot restored the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 10, 2023 01:09
@renovate renovate bot force-pushed the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch from 26dc0bf to 121a583 Compare October 10, 2023 01:12
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) - autoclosed Oct 10, 2023
@renovate renovate bot closed this Oct 10, 2023
@renovate renovate bot deleted the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 10, 2023 03:50
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) - autoclosed chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) Oct 10, 2023
@renovate renovate bot reopened this Oct 10, 2023
@renovate renovate bot restored the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 10, 2023 05:07
@renovate renovate bot force-pushed the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch from 121a583 to c9c37bc Compare October 10, 2023 05:12
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) - autoclosed Oct 10, 2023
@renovate renovate bot closed this Oct 10, 2023
@renovate renovate bot deleted the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 10, 2023 06:28
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) - autoclosed chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) Oct 10, 2023
@renovate renovate bot restored the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 10, 2023 07:05
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) Oct 19, 2023
@renovate renovate bot changed the title Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) - autoclosed Oct 19, 2023
@renovate renovate bot closed this Oct 19, 2023
@renovate renovate bot deleted the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 19, 2023 19:18
@renovate renovate bot changed the title Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) - autoclosed Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) Oct 19, 2023
@renovate renovate bot reopened this Oct 19, 2023
@renovate renovate bot restored the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 19, 2023 19:19
@renovate renovate bot force-pushed the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch from 15d8489 to 9be30cf Compare October 19, 2023 19:21
@renovate renovate bot changed the title Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) Oct 19, 2023
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) - autoclosed Oct 19, 2023
@renovate renovate bot closed this Oct 19, 2023
@renovate renovate bot deleted the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 19, 2023 19:51
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) - autoclosed chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) Oct 20, 2023
@renovate renovate bot reopened this Oct 20, 2023
@renovate renovate bot restored the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 20, 2023 06:18
@renovate renovate bot force-pushed the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch from 9be30cf to 6c5368b Compare October 20, 2023 06:19
@renovate renovate bot changed the title chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) Oct 20, 2023
@renovate renovate bot changed the title Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) - autoclosed Oct 20, 2023
@renovate renovate bot closed this Oct 20, 2023
@renovate renovate bot deleted the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 20, 2023 08:16
@renovate renovate bot changed the title Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) - autoclosed Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) Oct 20, 2023
@renovate renovate bot reopened this Oct 20, 2023
@renovate renovate bot restored the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 20, 2023 08:31
@renovate renovate bot force-pushed the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch from 6c5368b to c0e9792 Compare October 20, 2023 08:33
@chaudum chaudum enabled auto-merge (squash) October 20, 2023 08:44
@chaudum chaudum merged commit 9474be0 into main Oct 20, 2023
2 checks passed
@chaudum chaudum deleted the deps-update/main-go-github.com/hashicorp/consul-vulnerability branch October 20, 2023 08:46
rhnasc pushed a commit to inloco/loki that referenced this pull request Apr 12, 2024
grafana#10830)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) |
replace | minor | `v1.5.1` -> `v1.14.5` |

---

### Denial of Service (DoS) in HashiCorp Consul
[CVE-2020-7219](https://nvd.nist.gov/vuln/detail/CVE-2020-7219) /
[GHSA-23jv-v6qj-3fhh](https://togithub.com/advisories/GHSA-23jv-v6qj-3fhh)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services
allowed unbounded resource usage, and were susceptible to
unauthenticated denial of service. Fixed in 1.6.3.

##### Specific Go Packages Affected
github.com/hashicorp/consul/agent/consul

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2020-7219](https://nvd.nist.gov/vuln/detail/CVE-2020-7219)
-
[/~https://github.com/hashicorp/consul/issues/7159](https://togithub.com/hashicorp/consul/issues/7159)
-
[https://www.hashicorp.com/blog/category/consul/](https://www.hashicorp.com/blog/category/consul/)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-23jv-v6qj-3fhh) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Incorrect Authorization in HashiCorp Consul
[CVE-2020-7955](https://nvd.nist.gov/vuln/detail/CVE-2020-7955) /
[GHSA-r9w6-rhh9-7v53](https://togithub.com/advisories/GHSA-r9w6-rhh9-7v53)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not
uniformly enforce ACLs across all API endpoints, resulting in potential
unintended information disclosure. Fixed in 1.6.3.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2020-7955](https://nvd.nist.gov/vuln/detail/CVE-2020-7955)
-
[/~https://github.com/hashicorp/consul/issues/7160](https://togithub.com/hashicorp/consul/issues/7160)
-
[https://www.hashicorp.com/blog/category/consul/](https://www.hashicorp.com/blog/category/consul/)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-r9w6-rhh9-7v53) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Allocation of Resources Without Limits or Throttling in Hashicorp
Consul
[CVE-2020-13250](https://nvd.nist.gov/vuln/detail/CVE-2020-13250) /
[GHSA-rqjq-mrgx-85hp](https://togithub.com/advisories/GHSA-rqjq-mrgx-85hp)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise include an HTTP API (introduced
in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was
vulnerable to denial of service.

##### Specific Go Packages Affected
github.com/hashicorp/consul/agent/config

##### Fix
The vulnerability is fixed in versions 1.6.6 and 1.7.4.

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2020-13250](https://nvd.nist.gov/vuln/detail/CVE-2020-13250)
-
[/~https://github.com/hashicorp/consul/pull/8023](https://togithub.com/hashicorp/consul/pull/8023)
-
[/~https://github.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef46941432](https://togithub.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef46941432)
-
[/~https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md](https://togithub.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md)
-
[/~https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md](https://togithub.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-rqjq-mrgx-85hp) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HashiCorp Consul Cross-site Scripting vulnerability
[CVE-2020-25864](https://nvd.nist.gov/vuln/detail/CVE-2020-25864) /
[GHSA-8xmx-h8rq-h94j](https://togithub.com/advisories/GHSA-8xmx-h8rq-h94j)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value
(KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5,
1.8.10 and 1.7.14.

#### Severity
- CVSS Score: 6.1 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2020-25864](https://nvd.nist.gov/vuln/detail/CVE-2020-25864)
-
[https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368](https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368)
-
[/~https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)
-
[https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09)
-
[https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-8xmx-h8rq-h94j) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HashiCorp Consul Privilege Escalation Vulnerability
[CVE-2021-37219](https://nvd.nist.gov/vuln/detail/CVE-2021-37219) /
[GHSA-ccw8-7688-vqx4](https://togithub.com/advisories/GHSA-ccw8-7688-vqx4)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows
non-server agents with a valid certificate signed by the same CA to
access server-only functionality, enabling privilege escalation. Fixed
in 1.8.15, 1.9.9 and 1.10.2.

#### Severity
- CVSS Score: 8.8 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2021-37219](https://nvd.nist.gov/vuln/detail/CVE-2021-37219)
-
[/~https://github.com/hashicorp/consul/pull/10925](https://togithub.com/hashicorp/consul/pull/10925)
-
[/~https://github.com/hashicorp/consul/commit/3357e57dac9aadabd476f7a14973e47f003c4cf0](https://togithub.com/hashicorp/consul/commit/3357e57dac9aadabd476f7a14973e47f003c4cf0)
-
[/~https://github.com/hashicorp/consul/commit/473edd1764b6739e2e4610ea5dede4c2bc6009d1](https://togithub.com/hashicorp/consul/commit/473edd1764b6739e2e4610ea5dede4c2bc6009d1)
-
[/~https://github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103](https://togithub.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103)
-
[https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024](https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024)
-
[/~https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)
-
[https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01)
-
[https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-ccw8-7688-vqx4) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint
allowed services to register proxies for other services, enabling access
to service traffic.
[CVE-2021-38698](https://nvd.nist.gov/vuln/detail/CVE-2021-38698) /
[GHSA-6hw5-6gcx-phmw](https://togithub.com/advisories/GHSA-6hw5-6gcx-phmw)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed
services to register proxies for other services, enabling access to
service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

#### Severity
- CVSS Score: 6.5 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2021-38698](https://nvd.nist.gov/vuln/detail/CVE-2021-38698)
-
[/~https://github.com/hashicorp/consul/pull/10824](https://togithub.com/hashicorp/consul/pull/10824)
-
[https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026](https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026)
-
[/~https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)
-
[https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09)
-
[https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-6hw5-6gcx-phmw) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Hashicorp Consul HTTP health check endpoints returning an HTTP
redirect may be abused as SSRF vector
[CVE-2022-29153](https://nvd.nist.gov/vuln/detail/CVE-2022-29153) /
[GHSA-q6h7-4qgw-2j9p](https://togithub.com/advisories/GHSA-q6h7-4qgw-2j9p)

<details>
<summary>More information</summary>

#### Details
A vulnerability was identified in Consul and Consul Enterprise
(“Consul”) such that HTTP health check endpoints returning an HTTP
redirect may be abused as a vector for server-side request forgery
(SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17,
1.10.10, and 1.11.5.

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2022-29153](https://nvd.nist.gov/vuln/detail/CVE-2022-29153)
- [https://discuss.hashicorp.com](https://discuss.hashicorp.com)
-
[https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/](https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/)
-
[https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393](https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393)
-
[/~https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)
-
[https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/)
-
[https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/)
-
[https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09)
-
[https://security.netapp.com/advisory/ntap-20220602-0005/](https://security.netapp.com/advisory/ntap-20220602-0005/)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-q6h7-4qgw-2j9p) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Hashicorp Consul Missing SSL Certificate Validation
[CVE-2021-32574](https://nvd.nist.gov/vuln/detail/CVE-2021-32574) /
[GHSA-25gf-8qrr-g78r](https://togithub.com/advisories/GHSA-25gf-8qrr-g78r)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL
Certificate Validation. xds does not ensure that the Subject Alternative
Name of an upstream is validated.

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2021-32574](https://nvd.nist.gov/vuln/detail/CVE-2021-32574)
-
[https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856](https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856)
-
[/~https://github.com/hashicorp/consul/releases/tag/v1.10.1](https://togithub.com/hashicorp/consul/releases/tag/v1.10.1)
-
[https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09)
-
[https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-25gf-8qrr-g78r) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HashiCorp Consul L7 deny intention results in an allow action
[CVE-2021-36213](https://nvd.nist.gov/vuln/detail/CVE-2021-36213) /
[GHSA-8h2g-r292-j8xh](https://togithub.com/advisories/GHSA-8h2g-r292-j8xh)

<details>
<summary>More information</summary>

#### Details
In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can
generate a situation where a single L7 deny intention (with a default
deny policy) results in an allow action.

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2021-36213](https://nvd.nist.gov/vuln/detail/CVE-2021-36213)
-
[https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855](https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855)
-
[/~https://github.com/hashicorp/consul/](https://togithub.com/hashicorp/consul/)
-
[/~https://github.com/hashicorp/consul/releases/tag/v1.10.1](https://togithub.com/hashicorp/consul/releases/tag/v1.10.1)
-
[https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09)
-
[https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-8h2g-r292-j8xh) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HashiCorp Consul vulnerable to authorization bypass
[CVE-2022-40716](https://nvd.nist.gov/vuln/detail/CVE-2022-40716) /
[GHSA-m69r-9g56-7mv8](https://togithub.com/advisories/GHSA-m69r-9g56-7mv8)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5,
and 1.13.2 do not check for multiple SAN URI values in a CSR on the
internal RPC endpoint, enabling leverage of privileged access to bypass
service mesh intentions. A specially crafted CSR sent directly to
Consul’s internal server agent RPC endpoint can include multiple SAN URI
values with additional service names. This issue has been fixed in
versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds.

#### Severity
- CVSS Score: 6.5 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2022-40716](https://nvd.nist.gov/vuln/detail/CVE-2022-40716)
-
[/~https://github.com/hashicorp/consul/pull/14579](https://togithub.com/hashicorp/consul/pull/14579)
-
[/~https://github.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b](https://togithub.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b)
- [https://discuss.hashicorp.com](https://discuss.hashicorp.com)
-
[https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628](https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628)
-
[/~https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)
-
[https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/)
-
[https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-m69r-9g56-7mv8) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Hashicorp Consul vulnerable to denial of service
[CVE-2023-1297](https://nvd.nist.gov/vuln/detail/CVE-2023-1297) /
[GHSA-c57c-7hrj-6q6v](https://togithub.com/advisories/GHSA-c57c-7hrj-6q6v)

<details>
<summary>More information</summary>

#### Details
Consul and Consul Enterprise's cluster peering implementation contained
a flaw whereby a peer cluster with service of the same name as a local
service could corrupt Consul state, resulting in denial of service. This
vulnerability was resolved in Consul 1.14.5, and 1.15.3

#### Severity
- CVSS Score: 4.9 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2023-1297](https://nvd.nist.gov/vuln/detail/CVE-2023-1297)
-
[https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515](https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515)
-
[/~https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-c57c-7hrj-6q6v) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>hashicorp/consul (github.com/hashicorp/consul)</summary>

###
[`v1.14.5`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.5)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.14.4...v1.14.5)

#### 1.14.5 (March 7, 2023)

SECURITY:

-   Upgrade to use Go 1.20.1.
This resolves vulnerabilities
[CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and
[CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
\[[GH-16263](https://togithub.com/hashicorp/consul/issues/16263)]

IMPROVEMENTS:

- container: Upgrade container image to use to Alpine 3.17.
\[[GH-16358](https://togithub.com/hashicorp/consul/issues/16358)]
- mesh: Add ServiceResolver RequestTimeout for route timeouts to make
request timeouts configurable
\[[GH-16495](https://togithub.com/hashicorp/consul/issues/16495)]

BUG FIXES:

- mesh: Fix resolution of service resolvers with subsets for external
upstreams
\[[GH-16499](https://togithub.com/hashicorp/consul/issues/16499)]
- peering: Fix bug where services were incorrectly imported as
connect-enabled.
\[[GH-16339](https://togithub.com/hashicorp/consul/issues/16339)]
- peering: Fix issue where mesh gateways would use the wrong address
when contacting a remote peer with the same datacenter name.
\[[GH-16257](https://togithub.com/hashicorp/consul/issues/16257)]
- peering: Fix issue where secondary wan-federated datacenters could not
be used as peering acceptors.
\[[GH-16230](https://togithub.com/hashicorp/consul/issues/16230)]
- proxycfg: fix a bug where terminating gateways were not cleaning up
deleted service resolvers for their referenced services
\[[GH-16498](https://togithub.com/hashicorp/consul/issues/16498)]

###
[`v1.14.4`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.4)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.14.3...v1.14.4)

#### 1.14.4 (January 26, 2023)

BREAKING CHANGES:

- connect: Fix configuration merging for transparent proxy upstreams.
Proxy-defaults and service-defaults config entries were not correctly
merged for implicit upstreams in transparent proxy mode and would result
in some configuration not being applied. To avoid issues when upgrading,
ensure that any proxy-defaults or service-defaults have correct
configuration for upstreams, since all fields will now be properly used
to configure proxies.
\[[GH-16000](https://togithub.com/hashicorp/consul/issues/16000)]
- peering: Newly created peering connections must use only lowercase
characters in the `name` field. Existing peerings with uppercase
characters will not be modified, but they may encounter issues in
various circumstances. To maintain forward compatibility and avoid
issues, it is recommended to destroy and re-create any invalid peering
connections so that they do not have a name containing uppercase
characters.
\[[GH-15697](https://togithub.com/hashicorp/consul/issues/15697)]

FEATURES:

- connect: add flags `envoy-ready-bind-port` and
`envoy-ready-bind-address` to the `consul connect envoy` command that
allows configuration of readiness probe on proxy for any service kind.
\[[GH-16015](https://togithub.com/hashicorp/consul/issues/16015)]
- deps: update to latest go-discover to provide ECS auto-discover
capabilities.
\[[GH-13782](https://togithub.com/hashicorp/consul/issues/13782)]

IMPROVEMENTS:

- acl: relax permissions on the `WatchServers`, `WatchRoots` and
`GetSupportedDataplaneFeatures` gRPC endpoints to accept *any* valid ACL
token \[[GH-15346](https://togithub.com/hashicorp/consul/issues/15346)]
- connect: Add support for ConsulResolver to specifies a filter
expression
\[[GH-15659](https://togithub.com/hashicorp/consul/issues/15659)]
- grpc: Use new balancer implementation to reduce periodic WARN logs
when shuffling servers.
\[[GH-15701](https://togithub.com/hashicorp/consul/issues/15701)]
- partition: **(Consul Enterprise only)** when loading service from
on-disk config file or sending API request to agent endpoint,
if the partition is unspecified, consul will default the partition in
the request to agent's partition
\[[GH-16024](https://togithub.com/hashicorp/consul/issues/16024)]

BUG FIXES:

- agent: Fix assignment of error when auto-reloading cert and key file
changes.
\[[GH-15769](https://togithub.com/hashicorp/consul/issues/15769)]
- agent: Fix issue where the agent cache would incorrectly mark protobuf
objects as updated.
\[[GH-15866](https://togithub.com/hashicorp/consul/issues/15866)]
- cli: Fix issue where `consul connect envoy` was unable to configure
TLS over unix-sockets to gRPC.
\[[GH-15913](https://togithub.com/hashicorp/consul/issues/15913)]
- connect: **(Consul Enterprise only)** Fix issue where upstream
configuration from proxy-defaults and service-defaults was not properly
merged. This could occur when a mixture of empty-strings and "default"
were used for the namespace or partition fields.
- connect: Fix issue where service-resolver protocol checks incorrectly
errored for failover peer targets.
\[[GH-15833](https://togithub.com/hashicorp/consul/issues/15833)]
- connect: Fix issue where watches on upstream failover peer targets did
not always query the correct data.
\[[GH-15865](https://togithub.com/hashicorp/consul/issues/15865)]
- xds: fix bug where sessions for locally-managed services could fail
with "this server has too many xDS streams open"
\[[GH-15789](https://togithub.com/hashicorp/consul/issues/15789)]

###
[`v1.14.3`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.3)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.14.2...v1.14.3)

#### 1.14.3 (December 13, 2022)

SECURITY:

- Upgrade to use Go 1.19.4. This resolves a vulnerability where
restricted files can be read on Windows.
[CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720)
\[[GH-15705](https://togithub.com/hashicorp/consul/issues/15705)]
- Upgrades `golang.org/x/net` to prevent a denial of service by
excessive memory usage caused by HTTP2 requests.
[CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717)
\[[GH-15737](https://togithub.com/hashicorp/consul/issues/15737)]

FEATURES:

- ui: Add field for fallback server addresses to peer token generation
form \[[GH-15555](https://togithub.com/hashicorp/consul/issues/15555)]

IMPROVEMENTS:

- connect: ensure all vault connect CA tests use limited privilege
tokens \[[GH-15669](https://togithub.com/hashicorp/consul/issues/15669)]

BUG FIXES:

- agent: **(Enterprise Only)** Ensure configIntentionsConvertToList does
not compare empty strings with populated strings when filtering
intentions created prior to AdminPartitions.
- connect: Fix issue where DialedDirectly configuration was not used by
Consul Dataplane.
\[[GH-15760](https://togithub.com/hashicorp/consul/issues/15760)]
- connect: Fix peering failovers ignoring local mesh gateway
configuration.
\[[GH-15690](https://togithub.com/hashicorp/consul/issues/15690)]
- connect: Fixed issue where using Vault 1.11+ as CA provider in a
secondary datacenter would eventually break Intermediate CAs
\[[GH-15661](https://togithub.com/hashicorp/consul/issues/15661)]

###
[`v1.14.2`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.2)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.14.1...v1.14.2)

#### 1.14.2 (November 30, 2022)

FEATURES:

- connect: Add local_idle_timeout_ms to allow configuring the Envoy
route idle timeout on local_app
connect: Add IdleTimeout to service-router to allow configuring the
Envoy route idle timeout
\[[GH-14340](https://togithub.com/hashicorp/consul/issues/14340)]
- snapshot: **(Enterprise Only)** Add support for the snapshot agent to
use an IAM role for authentication/authorization when managing snapshots
in S3.

IMPROVEMENTS:

- dns: Add support for cluster peering `.service` and `.node` DNS
queries.
\[[GH-15596](https://togithub.com/hashicorp/consul/issues/15596)]

BUG FIXES:

- acl: avoid debug log spam in secondary datacenter servers due to
management token not being initialized.
\[[GH-15610](https://togithub.com/hashicorp/consul/issues/15610)]
- agent: Fixed issue where blocking queries with short waits could
timeout on the client
\[[GH-15541](https://togithub.com/hashicorp/consul/issues/15541)]
- ca: Fixed issue where using Vault as Connect CA with Vault-managed
policies would error on start-up if the intermediate PKI mount existed
but was empty
\[[GH-15525](https://togithub.com/hashicorp/consul/issues/15525)]
- cli: **(Enterprise Only)** Fix issue where `consul partition update`
subcommand was not registered and therefore not available through the
cli.
- connect: Fixed issue where using Vault 1.11+ as CA provider would
eventually break Intermediate CAs
\[[GH-15217](https://togithub.com/hashicorp/consul/issues/15217)]
\[[GH-15253](https://togithub.com/hashicorp/consul/issues/15253)]
- namespace: **(Enterprise Only)** Fix a bug that caused blocking
queries during namespace replication to timeout
- peering: better represent non-passing states during peer check
flattening
\[[GH-15615](https://togithub.com/hashicorp/consul/issues/15615)]
- peering: fix the limit of replication gRPC message; set to 8MB
\[[GH-15503](https://togithub.com/hashicorp/consul/issues/15503)]

###
[`v1.14.1`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.1)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.14.0...v1.14.1)

#### 1.14.1 (November 21, 2022)

BUG FIXES:

- cli: Fix issue where `consul connect envoy` incorrectly uses the HTTPS
API configuration for xDS connections.
\[[GH-15466](https://togithub.com/hashicorp/consul/issues/15466)]
- sdk: Fix SDK testutil backwards compatibility by only configuring
grpc_tls port for new Consul versions.
\[[GH-15423](https://togithub.com/hashicorp/consul/issues/15423)]

###
[`v1.14.0`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.0)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.9...v1.14.0)

#### 1.14.0 (November 15, 2022)

BREAKING CHANGES:

-   config: Add new `ports.grpc_tls` configuration option.
Introduce a new port to better separate TLS config from the existing
`ports.grpc` config.
    The new `ports.grpc_tls` only supports TLS encrypted communication.
The existing `ports.grpc` now only supports plain-text communication.
\[[GH-15339](https://togithub.com/hashicorp/consul/issues/15339)]
- config: update 1.14 config defaults: Enable `peering` and `connect` by
default.
\[[GH-15302](https://togithub.com/hashicorp/consul/issues/15302)]
- config: update 1.14 config defaults: Set gRPC TLS port default value
to 8503
\[[GH-15302](https://togithub.com/hashicorp/consul/issues/15302)]
- connect: Removes support for Envoy 1.20
\[[GH-15093](https://togithub.com/hashicorp/consul/issues/15093)]
- peering: Rename `PeerName` to `Peer` on prepared queries and exported
services.
\[[GH-14854](https://togithub.com/hashicorp/consul/issues/14854)]
- xds: Convert service mesh failover to use Envoy's aggregate clusters.
This
changes the names of some [Envoy dynamic HTTP
metrics](https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats#dynamic-http-statistics).
\[[GH-14178](https://togithub.com/hashicorp/consul/issues/14178)]

SECURITY:

- Ensure that data imported from peers is filtered by ACLs at the UI
Nodes/Services endpoints
[CVE-2022-3920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3920)
\[[GH-15356](https://togithub.com/hashicorp/consul/issues/15356)]

FEATURES:

- DNS-proxy support via gRPC request.
\[[GH-14811](https://togithub.com/hashicorp/consul/issues/14811)]
- cli: Add -node-name flag to redirect-traffic command to support
running in environments without client agents.
\[[GH-14933](https://togithub.com/hashicorp/consul/issues/14933)]
- cli: Add `-consul-dns-port` flag to the `consul connect
redirect-traffic` command to allow forwarding DNS traffic to a specific
Consul DNS port.
\[[GH-15050](https://togithub.com/hashicorp/consul/issues/15050)]
- connect: Add Envoy connection balancing configuration fields.
\[[GH-14616](https://togithub.com/hashicorp/consul/issues/14616)]
- grpc: Added metrics for external gRPC server. Added
`server_type=internal|external` label to gRPC metrics.
\[[GH-14922](https://togithub.com/hashicorp/consul/issues/14922)]
- http: Add new `get-or-empty` operation to the txn api. Refer to the
[API docs](https://www.consul.io/api-docs/txn#kv-operations) for more
information.
\[[GH-14474](https://togithub.com/hashicorp/consul/issues/14474)]
- peering: Add mesh gateway local mode support for cluster peering.
\[[GH-14817](https://togithub.com/hashicorp/consul/issues/14817)]
- peering: Add support for stale queries for trust bundle lookups
\[[GH-14724](https://togithub.com/hashicorp/consul/issues/14724)]
- peering: Add support to failover to services running on cluster peers.
\[[GH-14396](https://togithub.com/hashicorp/consul/issues/14396)]
- peering: Add support to redirect to services running on cluster peers
with service resolvers.
\[[GH-14445](https://togithub.com/hashicorp/consul/issues/14445)]
- peering: Ensure un-exported services get deleted even if the un-export
happens while cluster peering replication is down.
\[[GH-14797](https://togithub.com/hashicorp/consul/issues/14797)]
- peering: add support for routine peering control-plane traffic through
mesh gateways
\[[GH-14981](https://togithub.com/hashicorp/consul/issues/14981)]
- sdk: Configure `iptables` to forward DNS traffic to a specific DNS
port. \[[GH-15050](https://togithub.com/hashicorp/consul/issues/15050)]
- telemetry: emit memberlist size metrics and broadcast queue depth
metric.
\[[GH-14873](https://togithub.com/hashicorp/consul/issues/14873)]
- ui: Added support for central config merging
\[[GH-14604](https://togithub.com/hashicorp/consul/issues/14604)]
- ui: Create peerings detail page
\[[GH-14947](https://togithub.com/hashicorp/consul/issues/14947)]
- ui: Detect a TokenSecretID cookie and passthrough to localStorage
\[[GH-14495](https://togithub.com/hashicorp/consul/issues/14495)]
- ui: Display notice banner on nodes index page if synthetic nodes are
being filtered.
\[[GH-14971](https://togithub.com/hashicorp/consul/issues/14971)]
- ui: Filter agentless (synthetic) nodes from the nodes list page.
\[[GH-14970](https://togithub.com/hashicorp/consul/issues/14970)]
- ui: Filter out node health checks on agentless service instances
\[[GH-14986](https://togithub.com/hashicorp/consul/issues/14986)]
- ui: Remove node meta on service instances when using agentless and
consolidate external-source labels on service instances page if they all
match. \[[GH-14921](https://togithub.com/hashicorp/consul/issues/14921)]
- ui: Removed reference to node name on service instance page when using
agentless
\[[GH-14903](https://togithub.com/hashicorp/consul/issues/14903)]
- ui: Use withCredentials for all HTTP API requests
\[[GH-14343](https://togithub.com/hashicorp/consul/issues/14343)]
- xds: servers will limit the number of concurrent xDS streams they can
handle to balance the load across all servers
\[[GH-14397](https://togithub.com/hashicorp/consul/issues/14397)]

IMPROVEMENTS:

- peering: Add peering datacenter and partition to initial handshake.
\[[GH-14889](https://togithub.com/hashicorp/consul/issues/14889)]
- xds: Added a rate limiter to the delivery of proxy config updates, to
prevent updates to "global" resources such as wildcard intentions from
overwhelming servers (see: `xds.update_max_per_second` config field)
\[[GH-14960](https://togithub.com/hashicorp/consul/issues/14960)]
- xds: Removed a bottleneck in Envoy config generation, enabling a
higher number of dataplanes per server
\[[GH-14934](https://togithub.com/hashicorp/consul/issues/14934)]
- agent/hcp: add initial HashiCorp Cloud Platform integration
\[[GH-14723](https://togithub.com/hashicorp/consul/issues/14723)]
- agent: Added configuration option cloud.scada_address.
\[[GH-14936](https://togithub.com/hashicorp/consul/issues/14936)]
- api: Add filtering support to Catalog's List Services
(v1/catalog/services)
\[[GH-11742](https://togithub.com/hashicorp/consul/issues/11742)]
- api: Increase max number of operations inside a transaction for
requests to /v1/txn (128)
\[[GH-14599](https://togithub.com/hashicorp/consul/issues/14599)]
- auto-config: Relax the validation on auto-config JWT authorization to
allow non-whitespace, non-quote characters in node names.
\[[GH-15370](https://togithub.com/hashicorp/consul/issues/15370)]
- config-entry: Validate that service-resolver `Failover`s and
`Redirect`s only
specify `Partition` and `Namespace` on Consul Enterprise. This prevents
scenarios
where OSS Consul would save service-resolvers that require Consul
Enterprise.
\[[GH-14162](https://togithub.com/hashicorp/consul/issues/14162)]
- connect: Add Envoy 1.24.0 to support matrix
\[[GH-15093](https://togithub.com/hashicorp/consul/issues/15093)]
- connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5
\[[GH-14831](https://togithub.com/hashicorp/consul/issues/14831)]
- connect: service-router destinations have gained a `RetryOn` field for
specifying the conditions when Envoy should retry requests beyond
specific status codes and generic connection failure which already
exists.
\[[GH-12890](https://togithub.com/hashicorp/consul/issues/12890)]
- dns/peering: **(Enterprise Only)** Support addresses in the formats
`<servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul`
and `<servicename>.virtual.<partition>.ap.<peername>.peer.consul`. This
longer form address that allows specifying `.peer` would need to be used
for tproxy DNS requests made within non-default partitions for imported
services.
- dns: **(Enterprise Only)** All enterprise locality labels are now
optional in DNS lookups. For example, service lookups support the
following format:
`[<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>`.
\[[GH-14679](https://togithub.com/hashicorp/consul/issues/14679)]
- integ test: fix flakiness due to test condition from retry app endoint
\[[GH-15233](https://togithub.com/hashicorp/consul/issues/15233)]
- metrics: Service RPC calls less than 1ms are now emitted as a decimal
number.
\[[GH-12905](https://togithub.com/hashicorp/consul/issues/12905)]
- peering: adds an internally managed server certificate for automatic
TLS between servers in peer clusters.
\[[GH-14556](https://togithub.com/hashicorp/consul/issues/14556)]
- peering: require TLS for peering connections using server cert signed
by Connect CA
\[[GH-14796](https://togithub.com/hashicorp/consul/issues/14796)]
- peering: return information about the health of the peering when the
leader is queried to read a peering.
\[[GH-14747](https://togithub.com/hashicorp/consul/issues/14747)]
- raft: Allow nonVoter to initiate an election to avoid having an
election infinite loop when a Voter is converted to NonVoter
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]
- raft: Cap maximum grpc wait time when heartbeating to
heartbeatTimeout/2
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]
- raft: Fix a race condition where the snapshot file is closed without
being opened
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]
- telemetry: Added a `consul.xds.server.streamStart` metric to measure
time taken to first generate xDS resources for an xDS stream.
\[[GH-14957](https://togithub.com/hashicorp/consul/issues/14957)]
- ui: Improve guidance around topology visualisation
\[[GH-14527](https://togithub.com/hashicorp/consul/issues/14527)]
- xds: Set `max_ejection_percent` on Envoy's outlier detection to 100%
for peered services.
\[[GH-14373](https://togithub.com/hashicorp/consul/issues/14373)]

BUG FIXES:

- checks: Do not set interval as timeout value
\[[GH-14619](https://togithub.com/hashicorp/consul/issues/14619)]
- checks: If set, use proxy address for automatically added sidecar
check instead of service address.
\[[GH-14433](https://togithub.com/hashicorp/consul/issues/14433)]
- cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set
together
\[[GH-13493](https://togithub.com/hashicorp/consul/issues/13493)]
- connect: Fix issue where mesh-gateway settings were not properly
inherited from configuration entries.
\[[GH-15186](https://togithub.com/hashicorp/consul/issues/15186)]
- connect: fixed bug where endpoint updates for new xDS clusters could
block for 15s before being sent to Envoy.
\[[GH-15083](https://togithub.com/hashicorp/consul/issues/15083)]
- connect: strip port from DNS SANs for ingress gateway leaf certificate
to avoid an invalid hostname error when using the Vault provider.
\[[GH-15320](https://togithub.com/hashicorp/consul/issues/15320)]
- debug: fixed bug that caused consul debug CLI to error on ACL-disabled
clusters
\[[GH-15155](https://togithub.com/hashicorp/consul/issues/15155)]
- deps: update go-memdb, fixing goroutine leak
\[[GH-15010](https://togithub.com/hashicorp/consul/issues/15010)]
\[[GH-15068](https://togithub.com/hashicorp/consul/issues/15068)]
- grpc: Merge proxy-defaults and service-defaults in
GetEnvoyBootstrapParams response.
\[[GH-14869](https://togithub.com/hashicorp/consul/issues/14869)]
- metrics: Add duplicate metrics that have only a single "consul\_"
prefix for all existing metrics with double ("consul_consul\_") prefix,
with the intent to standardize on single prefixes.
\[[GH-14475](https://togithub.com/hashicorp/consul/issues/14475)]
- namespace: **(Enterprise Only)** Fixed a bug where a client may
incorrectly log that namespaces were not enabled in the local datacenter
- peering: Fix a bug that resulted in /v1/agent/metrics returning an
error. \[[GH-15178](https://togithub.com/hashicorp/consul/issues/15178)]
- peering: fix nil pointer in calling handleUpdateService
\[[GH-15160](https://togithub.com/hashicorp/consul/issues/15160)]
- peering: fix the error of wan address isn't taken by the peering
token. \[[GH-15065](https://togithub.com/hashicorp/consul/issues/15065)]
- peering: when wan address is set, peering stream should use the wan
address.
\[[GH-15108](https://togithub.com/hashicorp/consul/issues/15108)]
- proxycfg(mesh-gateway): Fix issue where deregistered services are not
removed from mesh-gateway clusters.
\[[GH-15272](https://togithub.com/hashicorp/consul/issues/15272)]
- server: fix goroutine/memory leaks in the xDS subsystem (these were
present regardless of whether or not xDS was in-use)
\[[GH-14916](https://togithub.com/hashicorp/consul/issues/14916)]
- server: fixes the error trying to source proxy configuration for http
checks, in case of proxies using consul-dataplane.
\[[GH-14924](https://togithub.com/hashicorp/consul/issues/14924)]
- xds: Central service configuration (proxy-defaults and
service-defaults) is now correctly applied to Consul Dataplane proxies
\[[GH-14962](https://togithub.com/hashicorp/consul/issues/14962)]

NOTES:

- deps: Upgrade to use Go 1.19.2
\[[GH-15090](https://togithub.com/hashicorp/consul/issues/15090)]

###
[`v1.13.9`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.9)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.8...v1.13.9)

#### 1.13.9 (June 26, 2023)

BREAKING CHANGES:

- connect: Disable peering by default in connect proxies for Consul
1.13. This change was made to prevent inefficient polling
queries from having a negative impact on server performance. Peering in
Consul 1.13 is an experimental feature and is not
recommended for use in production environments. If you still wish to use
the experimental peering feature, ensure
[`peering.enabled =
true`](https://developer.hashicorp.com/consul/docs/v1.13.x/agent/config/config-files#peering_enabled)
is set on all clients and servers.
\[[GH-17731](https://togithub.com/hashicorp/consul/issues/17731)]

SECURITY:

- Update to UBI base image to 9.2.
\[[GH-17513](https://togithub.com/hashicorp/consul/issues/17513)]

FEATURES:

- server: **(Enterprise Only)** allow automatic license utilization
reporting.
\[[GH-5102](https://togithub.com/hashicorp/consul/issues/5102)]

IMPROVEMENTS:

- debug: change default setting of consul debug command. now default
duration is 5ms and default log level is 'TRACE'
\[[GH-17596](https://togithub.com/hashicorp/consul/issues/17596)]
- systemd: set service type to notify.
\[[GH-16845](https://togithub.com/hashicorp/consul/issues/16845)]

BUG FIXES:

- cache: fix a few minor goroutine leaks in leaf certs and the agent
cache \[[GH-17636](https://togithub.com/hashicorp/consul/issues/17636)]
- namespaces: **(Enterprise only)** fixes a bug where namespaces are
stuck in a deferred deletion state indefinitely under some conditions.
Also fixes the Consul query metadata present in the HTTP headers of the
namespace read and list endpoints.
- namespaces: adjusts the return type from HTTP list API to return the
`api` module representation of a namespace.
This fixes an error with the `consul namespace list` command when a
namespace has a deferred deletion timestamp.
- peering: Fix a bug that caused server agents to continue cleaning up
peering resources even after loss of leadership.
\[[GH-17483](https://togithub.com/hashicorp/consul/issues/17483)]

###
[`v1.13.8`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.8)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.7...v1.13.8)

#### 1.13.8 (May 16, 2023)

SECURITY:

-   Upgrade to use Go 1.20.1.
This resolves vulnerabilities
[CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and
[CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
\[[GH-16263](https://togithub.com/hashicorp/consul/issues/16263)]
-   Upgrade to use Go 1.20.4.
This resolves vulnerabilities
[CVE-2023-24537](https://togithub.com/advisories/GHSA-9f7g-gqwh-jpf5)(`go/scanner`),

[CVE-2023-24538](https://togithub.com/advisories/GHSA-v4m2-x4rp-hv22)(`html/template`),

[CVE-2023-24534](https://togithub.com/advisories/GHSA-8v5j-pwr7-w5f8)(`net/textproto`)
and

[CVE-2023-24536](https://togithub.com/advisories/GHSA-9f7g-gqwh-jpf5)(`mime/multipart`).
Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs
[CVE-2022-41721](https://togithub.com/advisories/GHSA-fxg5-wq6x-vr4w),
[CVE-2022-27664](https://togithub.com/advisories/GHSA-69cg-p879-7622)
and
[CVE-2022-41723](https://togithub.com/advisories/GHSA-vvpx-j8f3-3w6h.)
\[[GH-17240](https://togithub.com/hashicorp/consul/issues/17240)]

IMPROVEMENTS:

- api: updated the go module directive to 1.18.
\[[GH-15297](https://togithub.com/hashicorp/consul/issues/15297)]
- connect: update supported envoy versions to 1.20.7, 1.21.6, 1.22.11,
1.23.8 \[[GH-16891](https://togithub.com/hashicorp/consul/issues/16891)]
- sdk: updated the go module directive to 1.18.
\[[GH-15297](https://togithub.com/hashicorp/consul/issues/15297)]

BUG FIXES:

- Fix an bug where decoding some Config structs with unset pointer
fields could fail with `reflect: call of reflect.Value.Type on zero
Value`.
\[[GH-17048](https://togithub.com/hashicorp/consul/issues/17048)]
- audit-logging: (Enterprise only) Fix a bug where `/agent/monitor` and
`/agent/metrics` endpoints return a `Streaming not supported` error when
audit logs are enabled. This also fixes the delay receiving logs when
running `consul monitor` against an agent with audit logs enabled.
\[[GH-16700](https://togithub.com/hashicorp/consul/issues/16700)]
- ca: Fixes a bug where updating Vault CA Provider config would cause
TLS issues in the service mesh
\[[GH-16592](https://togithub.com/hashicorp/consul/issues/16592)]
- connect: Fix multiple inefficient behaviors when querying service
health.
\[[GH-17241](https://togithub.com/hashicorp/consul/issues/17241)]
- grpc: ensure grpc resolver correctly uses lan/wan addresses on servers
\[[GH-17270](https://togithub.com/hashicorp/consul/issues/17270)]
- peering: Fixes a bug that can lead to peering service deletes
impacting the state of local services
\[[GH-16570](https://togithub.com/hashicorp/consul/issues/16570)]
- xds: Fix possible panic that can when generating clusters before the
root certificates have been fetched.
\[[GH-17185](https://togithub.com/hashicorp/consul/issues/17185)]

###
[`v1.13.7`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.7)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.6...v1.13.7)

#### 1.13.7 (March 7, 2023)

SECURITY:

-   Upgrade to use Go 1.19.6.
This resolves vulnerabilities
[CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and
[CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
\[[GH-16299](https://togithub.com/hashicorp/consul/issues/16299)]

IMPROVEMENTS:

- xds: Removed a bottleneck in Envoy config generation.
\[[GH-16269](https://togithub.com/hashicorp/consul/issues/16269)]
- container: Upgrade container image to use to Alpine 3.17.
\[[GH-16358](https://togithub.com/hashicorp/consul/issues/16358)]
- mesh: Add ServiceResolver RequestTimeout for route timeouts to make
request timeouts configurable
\[[GH-16495](https://togithub.com/hashicorp/consul/issues/16495)]

BUG FIXES:

- mesh: Fix resolution of service resolvers with subsets for external
upstreams
\[[GH-16499](https://togithub.com/hashicorp/consul/issues/16499)]
- proxycfg: fix a bug where terminating gateways were not cleaning up
deleted service resolvers for their referenced services
\[[GH-16498](https://togithub.com/hashicorp/consul/issues/16498)]

###
[`v1.13.6`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.6)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.5...v1.13.6)

#### 1.13.6 (January 26, 2023)

FEATURES:

- connect: add flags `envoy-ready-bind-port` and
`envoy-ready-bind-address` to the `consul connect envoy` command that
allows configuration of readiness probe on proxy for any service kind.
\[[GH-16015](https://togithub.com/hashicorp/consul/issues/16015)]
- deps: update to latest go-discover to provide ECS auto-discover
capabilities.
\[[GH-13782](https://togithub.com/hashicorp/consul/issues/13782)]

IMPROVEMENTS:

- grpc: Use new balancer implementation to reduce periodic WARN logs
when shuffling servers.
\[[GH-15701](https://togithub.com/hashicorp/consul/issues/15701)]
- partition: **(Consul Enterprise only)** when loading service from
on-disk config file or sending API request to agent endpoint,
if the partition is unspecified, consul will default the partition in
the request to agent's partition
\[[GH-16024](https://togithub.com/hashicorp/consul/issues/16024)]

BUG FIXES:

- agent: Fix assignment of error when auto-reloading cert and key file
changes.
\[[GH-15769](https://togithub.com/hashicorp/consul/issues/15769)]

###
[`v1.13.5`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.5)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.4...v1.13.5)

#### 1.13.5 (December 13, 2022)

SECURITY:

- Upgrade to use Go 1.18.9. This resolves a vulnerability where
restricted files can be read on Windows.
[CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720)
\[[GH-15706](https://togithub.com/hashicorp/consul/issues/15706)]
- Upgrades `golang.org/x/net` to prevent a denial of service by
excessive memory usage caused by HTTP2 requests.
[CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717)
\[[GH-15743](https://togithub.com/hashicorp/consul/issues/15743)]

IMPROVEMENTS:

- connect: ensure all vault connect CA tests use limited privilege
tokens \[[GH-15669](https://togithub.com/hashicorp/consul/issues/15669)]

BUG FIXES:

- agent: **(Enterprise Only)** Ensure configIntentionsConvertToList does
not compare empty strings with populated strings when filtering
intentions created prior to AdminPartitions.
- cli: **(Enterprise Only)** Fix issue where `consul partition update`
subcommand was not registered and therefore not available through the
cli.
- connect: Fixed issue where using Vault 1.11+ as CA provider in a
secondary datacenter would eventually break Intermediate CAs
\[[GH-15661](https://togithub.com/hashicorp/consul/issues/15661)]

###
[`v1.13.4`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.4)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.3...v1.13.4)

#### 1.13.4 (November 30, 2022)

IMPROVEMENTS:

- auto-config: Relax the validation on auto-config JWT authorization to
allow non-whitespace, non-quote characters in node names.
\[[GH-15370](https://togithub.com/hashicorp/consul/issues/15370)]
- raft: Allow nonVoter to initiate an election to avoid having an
election infinite loop when a Voter is converted to NonVoter
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]
- raft: Cap maximum grpc wait time when heartbeating to
heartbeatTimeout/2
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]
- raft: Fix a race condition where the snapshot file is closed without
being opened
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]

BUG FIXES:

- agent: Fixed issue where blocking queries with short waits could
timeout on the client
\[[GH-15541](https://togithub.com/hashicorp/consul/issues/15541)]
- ca: Fixed issue where using Vault as Connect CA with Vault-managed
policies would error on start-up if the intermediate PKI mount existed
but was empty
\[[GH-15525](https://togithub.com/hashicorp/consul/issues/15525)]
- connect: Fixed issue where using Vault 1.11+ as CA provider would
eventually break Intermediate CAs
\[[GH-15217](https://togithub.com/hashicorp/consul/issues/15217)]
\[[GH-15253](https://togithub.com/hashicorp/consul/issues/15253)]
- connect: fixed bug where endpoint updates for new xDS clusters could
block for 15s before being sent to Envoy.
\[[GH-15083](https://togithub.com/hashicorp/consul/issues/15083)]
- connect: strip port from DNS SANs for ingress gateway leaf certificate
to avoid an invalid hostname error when using the Vault provider.
\[[GH-15320](https://togithub.com/hashicorp/consul/issues/15320)]
- debug: fixed bug that caused consul debug CLI to error on ACL-disabled
clusters
\[[GH-15155](https://togithub.com/hashicorp/consul/issues/15155)]
- deps: update go-memdb, fixing goroutine leak
\[[GH-15010](https://togithub.com/hashicorp/consul/issues/15010)]
\[[GH-15068](https://togithub.com/hashicorp/consul/issues/15068)]
- namespace: **(Enterprise Only)** Fix a bug that caused blocking
queries during namespace replication to timeout
- namespace: **(Enterprise Only)** Fixed a bug where a client may
incorrectly log that namespaces were not enabled in the local datacenter
- peering: better represent non-passing states during peer check
flattening
\[[GH-15615](https://togithub.com/hashicorp/consul/issues/15615)]
- peering: fix the error of wan address isn't taken by the peering
token. \[[GH-15065](https://togithub.com/hashicorp/consul/issues/15065)]
- peering: when wan address is set, peering stream should use the wan
address.
\[[GH-15108](https://togithub.com/hashicorp/consul/issues/15108)]

###
[`v1.13.3`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.3)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.2...v1.13.3)

#### 1.13.3 (October 19, 2022)

FEATURES:

- agent: Added a new config option `rpc_client_timeout` to tune timeouts
for client RPC requests
\[[GH-14965](https://togithub.com/hashicorp/consul/issues/14965)]
- config-entry(ingress-gateway): Added support for `max_connections` for
upstream clusters
\[[GH-14749](https://togithub.com/hashicorp/consul/issues/14749)]

IMPROVEMENTS:

- connect/ca: Log a warning message instead of erroring when attempting
to update the intermediate pki mount when using the Vault provider.
\[[GH-15035](https://togithub.com/hashicorp/consul/issues/15035)]
- connect: Added gateway options to Envoy proxy config for enabling tcp
keepalives on terminating gateway upstreams and mesh gateways in remote
datacenters.
\[[GH-14800](https://togithub.com/hashicorp/consul/issues/14800)]
- connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5
\[[GH-14828](https://togithub.com/hashicorp/consul/issues/14828)]
- licensing: **(Enterprise Only)** Consul Enterprise production licenses
do not degrade or terminate Consul upon expiration. They will only fail
when trying to upgrade to a newer version of Consul. Evaluation licenses
still terminate.
\[[GH-1990](https://togithub.com/hashicorp/consul/issues/1990)]

BUG FIXES:

- agent: avoid leaking the alias check runner goroutine when the check
is de-registered
\[[GH-14935](https://togithub.com/hashicorp/consul/issues/14935)]
- ca: fix a masked bug in leaf cert generation that would not be
notified of root cert rotation after the first one
\[[GH-15005](https://togithub.com/hashicorp/consul/issues/15005)]
- cache: prevent goroutine leak in agent cache
\[[GH-14908](https://togithub.com/hashicorp/consul/issues/14908)]
- checks: Fixed a bug that prevented registration of UDP health checks
from agent configuration files, such as service definition files with
embedded health check definitions.
\[[GH-14885](https://togithub.com/hashicorp/consul/issues/14885)]
- connect: Fixed a bug where transparent proxy does not correctly spawn
listeners for upstreams to service-resolvers.
\[[GH-14751](https://togithub.com/hashicorp/consul/issues/14751)]
- snapshot-agent: **(Enterprise only)** Fix a bug when a session is not
found in Consul, which leads the agent to panic.

###
[`v1.13.2`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.2)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.1...v1.13.2)

#### 1.13.2 (September 20, 2022)

SECURITY:

- auto-config: Added input validation for auto-config JWT authorization
checks. Prior to this change, it was possible for malicious actors to
construct requests which incorrectly pass custom JWT claim validation
for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset
of characters are allowed for the input before evaluating the bexpr.
\[[GH-14577](https://togithub.com/hashicorp/consul/issues/14577)]
- connect: Added URI length checks to ConnectCA CSR requests. Prior to
this change, it was possible for a malicious actor to designate multiple
SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint
now only allows for exactly one SAN URI to be specified.
\[[GH-14579](https://togithub.com/hashicorp/consul/issues/14579)]

FEATURES:

- cli: Adds new subcommands for `peering` workflows. Refer to the [CLI
docs](https://www.consul.io/commands/peering) for more information.
\[[GH-14423](https://togithub.com/hashicorp/consul/issues/14423)]
- connect: Server address changes are streamed to peers
\[[GH-14285](https://togithub.com/hashicorp/consul/issues/14285)]
-   service-defaults: Added support for `local_request_timeout_ms` and
`local_connect_timeout_ms` in servicedefaults config entry
\[[GH-14395](https://togithub.com/hashicorp/consul/issues/14395)]

IMPROVEMENTS:

- connect: Bump latest Envoy to 1.23.1 in test matrix
\[[GH-14573](https://togithub.com/hashicorp/consul/issues/14573)]
- connect: expose new tracing configuration on envoy
\[[GH-13998](https://togithub.com/hashicorp/consul/issues/13998)]
- envoy: adds additional Envoy outlier ejection parameters to passive
health check configurations.
\[[GH-14238](https://togithub.com/hashicorp/consul/issues/14238)]
- metrics: add labels of segment, partition, network area, network (lan
or wan) to serf and memberlist metrics
\[[GH-14161](https://togithub.com/hashicorp/consul/issues/14161)]
- peering: Validate peering tokens for server name conflicts
\[[GH-14563](https://togithub.com/hashicorp/consul/issues/14563)]
- snapshot agent: **(Enterprise only)** Add support for path-based
addressing when using s3 backend.
- ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/
\[[GH-14521](https://togithub.com/hashicorp/consul/issues/14521)]

BUG FIXES:

- agent: Fixes an issue where an agent that fails to start due to bad
addresses won't clean up any existing liste

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/grafana/loki).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xOS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/security dependencies Pull requests that update a dependency file size/XL
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant