Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Use an intermediate env variable in GH workflow #12905

Merged
merged 1 commit into from
May 7, 2024

Conversation

chaudum
Copy link
Contributor

@chaudum chaudum commented May 7, 2024

What this PR does / why we need it:

For inline scripts, the preferred approach to handling untrusted input
is to set the value of the expression to an intermediate environment variable.

Source: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable

Checklist

  • Reviewed the CONTRIBUTING.md guide (required)
  • Documentation added
  • Tests updated
  • Title matches the required conventional commits format, see here
    • Note that Promtail is considered to be feature complete, and future development for logs collection will be in Grafana Alloy. As such, feat PRs are unlikely to be accepted unless a case can be made for the feature actually being a bug fix to existing behavior.
  • Changes that require user attention or interaction to upgrade are documented in docs/sources/setup/upgrade/_index.md
  • For Helm chart changes bump the Helm chart version in production/helm/loki/Chart.yaml and update production/helm/loki/CHANGELOG.md and production/helm/loki/README.md. Example PR
  • If the change is deprecating or removing a configuration option, update the deprecated-config.yaml and deleted-config.yaml files respectively in the tools/deprecated-config-checker directory. Example PR

> For inline scripts, the preferred approach to handling untrusted input
is to set the value of the expression to an intermediate environment
variable.

Source: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable

Signed-off-by: Christian Haudum <[email protected]>
@chaudum chaudum requested review from periklis, xperimental and a team as code owners May 7, 2024 08:40
Copy link
Contributor

@poyzannur poyzannur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@chaudum chaudum merged commit 772616c into main May 7, 2024
59 checks passed
@chaudum chaudum deleted the chaudum/use-intermediate-env-variable-in-gh-workflow branch May 7, 2024 08:51
jotak pushed a commit to jotak/loki that referenced this pull request May 21, 2024
grafana#10830)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) |
replace | minor | `v1.5.1` -> `v1.14.5` |

---

### Denial of Service (DoS) in HashiCorp Consul
[CVE-2020-7219](https://nvd.nist.gov/vuln/detail/CVE-2020-7219) /
[GHSA-23jv-v6qj-3fhh](https://togithub.com/advisories/GHSA-23jv-v6qj-3fhh)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services
allowed unbounded resource usage, and were susceptible to
unauthenticated denial of service. Fixed in 1.6.3.

##### Specific Go Packages Affected
github.com/hashicorp/consul/agent/consul

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2020-7219](https://nvd.nist.gov/vuln/detail/CVE-2020-7219)
-
[https://github.com/hashicorp/consul/issues/7159](https://togithub.com/hashicorp/consul/issues/7159)
-
[https://www.hashicorp.com/blog/category/consul/](https://www.hashicorp.com/blog/category/consul/)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-23jv-v6qj-3fhh) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Incorrect Authorization in HashiCorp Consul
[CVE-2020-7955](https://nvd.nist.gov/vuln/detail/CVE-2020-7955) /
[GHSA-r9w6-rhh9-7v53](https://togithub.com/advisories/GHSA-r9w6-rhh9-7v53)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not
uniformly enforce ACLs across all API endpoints, resulting in potential
unintended information disclosure. Fixed in 1.6.3.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2020-7955](https://nvd.nist.gov/vuln/detail/CVE-2020-7955)
-
[https://github.com/hashicorp/consul/issues/7160](https://togithub.com/hashicorp/consul/issues/7160)
-
[https://www.hashicorp.com/blog/category/consul/](https://www.hashicorp.com/blog/category/consul/)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-r9w6-rhh9-7v53) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Allocation of Resources Without Limits or Throttling in Hashicorp
Consul
[CVE-2020-13250](https://nvd.nist.gov/vuln/detail/CVE-2020-13250) /
[GHSA-rqjq-mrgx-85hp](https://togithub.com/advisories/GHSA-rqjq-mrgx-85hp)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise include an HTTP API (introduced
in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was
vulnerable to denial of service.

##### Specific Go Packages Affected
github.com/hashicorp/consul/agent/config

##### Fix
The vulnerability is fixed in versions 1.6.6 and 1.7.4.

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2020-13250](https://nvd.nist.gov/vuln/detail/CVE-2020-13250)
-
[https://github.com/hashicorp/consul/pull/8023](https://togithub.com/hashicorp/consul/pull/8023)
-
[https://github.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef46941432](https://togithub.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef46941432)
-
[https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md](https://togithub.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md)
-
[https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md](https://togithub.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-rqjq-mrgx-85hp) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HashiCorp Consul Cross-site Scripting vulnerability
[CVE-2020-25864](https://nvd.nist.gov/vuln/detail/CVE-2020-25864) /
[GHSA-8xmx-h8rq-h94j](https://togithub.com/advisories/GHSA-8xmx-h8rq-h94j)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value
(KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5,
1.8.10 and 1.7.14.

#### Severity
- CVSS Score: 6.1 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2020-25864](https://nvd.nist.gov/vuln/detail/CVE-2020-25864)
-
[https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368](https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368)
-
[https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)
-
[https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09)
-
[https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-8xmx-h8rq-h94j) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HashiCorp Consul Privilege Escalation Vulnerability
[CVE-2021-37219](https://nvd.nist.gov/vuln/detail/CVE-2021-37219) /
[GHSA-ccw8-7688-vqx4](https://togithub.com/advisories/GHSA-ccw8-7688-vqx4)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows
non-server agents with a valid certificate signed by the same CA to
access server-only functionality, enabling privilege escalation. Fixed
in 1.8.15, 1.9.9 and 1.10.2.

#### Severity
- CVSS Score: 8.8 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2021-37219](https://nvd.nist.gov/vuln/detail/CVE-2021-37219)
-
[https://github.com/hashicorp/consul/pull/10925](https://togithub.com/hashicorp/consul/pull/10925)
-
[https://github.com/hashicorp/consul/commit/3357e57dac9aadabd476f7a14973e47f003c4cf0](https://togithub.com/hashicorp/consul/commit/3357e57dac9aadabd476f7a14973e47f003c4cf0)
-
[https://github.com/hashicorp/consul/commit/473edd1764b6739e2e4610ea5dede4c2bc6009d1](https://togithub.com/hashicorp/consul/commit/473edd1764b6739e2e4610ea5dede4c2bc6009d1)
-
[https://github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103](https://togithub.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103)
-
[https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024](https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024)
-
[https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)
-
[https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01)
-
[https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-ccw8-7688-vqx4) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint
allowed services to register proxies for other services, enabling access
to service traffic.
[CVE-2021-38698](https://nvd.nist.gov/vuln/detail/CVE-2021-38698) /
[GHSA-6hw5-6gcx-phmw](https://togithub.com/advisories/GHSA-6hw5-6gcx-phmw)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed
services to register proxies for other services, enabling access to
service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

#### Severity
- CVSS Score: 6.5 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2021-38698](https://nvd.nist.gov/vuln/detail/CVE-2021-38698)
-
[https://github.com/hashicorp/consul/pull/10824](https://togithub.com/hashicorp/consul/pull/10824)
-
[https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026](https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026)
-
[https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)
-
[https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09)
-
[https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-6hw5-6gcx-phmw) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Hashicorp Consul HTTP health check endpoints returning an HTTP
redirect may be abused as SSRF vector
[CVE-2022-29153](https://nvd.nist.gov/vuln/detail/CVE-2022-29153) /
[GHSA-q6h7-4qgw-2j9p](https://togithub.com/advisories/GHSA-q6h7-4qgw-2j9p)

<details>
<summary>More information</summary>

#### Details
A vulnerability was identified in Consul and Consul Enterprise
(“Consul”) such that HTTP health check endpoints returning an HTTP
redirect may be abused as a vector for server-side request forgery
(SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17,
1.10.10, and 1.11.5.

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2022-29153](https://nvd.nist.gov/vuln/detail/CVE-2022-29153)
- [https://discuss.hashicorp.com](https://discuss.hashicorp.com)
-
[https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/](https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/)
-
[https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393](https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393)
-
[https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)
-
[https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/)
-
[https://lists.fedoraproject.org/archives/list/[email protected]/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/](https://lists.fedoraproject.org/archives/list/[email protected]/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/)
-
[https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09)
-
[https://security.netapp.com/advisory/ntap-20220602-0005/](https://security.netapp.com/advisory/ntap-20220602-0005/)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-q6h7-4qgw-2j9p) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Hashicorp Consul Missing SSL Certificate Validation
[CVE-2021-32574](https://nvd.nist.gov/vuln/detail/CVE-2021-32574) /
[GHSA-25gf-8qrr-g78r](https://togithub.com/advisories/GHSA-25gf-8qrr-g78r)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL
Certificate Validation. xds does not ensure that the Subject Alternative
Name of an upstream is validated.

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2021-32574](https://nvd.nist.gov/vuln/detail/CVE-2021-32574)
-
[https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856](https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856)
-
[https://github.com/hashicorp/consul/releases/tag/v1.10.1](https://togithub.com/hashicorp/consul/releases/tag/v1.10.1)
-
[https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09)
-
[https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-25gf-8qrr-g78r) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HashiCorp Consul L7 deny intention results in an allow action
[CVE-2021-36213](https://nvd.nist.gov/vuln/detail/CVE-2021-36213) /
[GHSA-8h2g-r292-j8xh](https://togithub.com/advisories/GHSA-8h2g-r292-j8xh)

<details>
<summary>More information</summary>

#### Details
In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can
generate a situation where a single L7 deny intention (with a default
deny policy) results in an allow action.

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2021-36213](https://nvd.nist.gov/vuln/detail/CVE-2021-36213)
-
[https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855](https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855)
-
[https://github.com/hashicorp/consul/](https://togithub.com/hashicorp/consul/)
-
[https://github.com/hashicorp/consul/releases/tag/v1.10.1](https://togithub.com/hashicorp/consul/releases/tag/v1.10.1)
-
[https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09)
-
[https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-8h2g-r292-j8xh) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HashiCorp Consul vulnerable to authorization bypass
[CVE-2022-40716](https://nvd.nist.gov/vuln/detail/CVE-2022-40716) /
[GHSA-m69r-9g56-7mv8](https://togithub.com/advisories/GHSA-m69r-9g56-7mv8)

<details>
<summary>More information</summary>

#### Details
HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5,
and 1.13.2 do not check for multiple SAN URI values in a CSR on the
internal RPC endpoint, enabling leverage of privileged access to bypass
service mesh intentions. A specially crafted CSR sent directly to
Consul’s internal server agent RPC endpoint can include multiple SAN URI
values with additional service names. This issue has been fixed in
versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds.

#### Severity
- CVSS Score: 6.5 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2022-40716](https://nvd.nist.gov/vuln/detail/CVE-2022-40716)
-
[https://github.com/hashicorp/consul/pull/14579](https://togithub.com/hashicorp/consul/pull/14579)
-
[https://github.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b](https://togithub.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b)
- [https://discuss.hashicorp.com](https://discuss.hashicorp.com)
-
[https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628](https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628)
-
[https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)
-
[https://lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/](https://lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/)
-
[https://lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/](https://lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-m69r-9g56-7mv8) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Hashicorp Consul vulnerable to denial of service
[CVE-2023-1297](https://nvd.nist.gov/vuln/detail/CVE-2023-1297) /
[GHSA-c57c-7hrj-6q6v](https://togithub.com/advisories/GHSA-c57c-7hrj-6q6v)

<details>
<summary>More information</summary>

#### Details
Consul and Consul Enterprise's cluster peering implementation contained
a flaw whereby a peer cluster with service of the same name as a local
service could corrupt Consul state, resulting in denial of service. This
vulnerability was resolved in Consul 1.14.5, and 1.15.3

#### Severity
- CVSS Score: 4.9 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2023-1297](https://nvd.nist.gov/vuln/detail/CVE-2023-1297)
-
[https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515](https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515)
-
[https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-c57c-7hrj-6q6v) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>hashicorp/consul (github.com/hashicorp/consul)</summary>

###
[`v1.14.5`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.5)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.14.4...v1.14.5)

#### 1.14.5 (March 7, 2023)

SECURITY:

-   Upgrade to use Go 1.20.1.
This resolves vulnerabilities
[CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and
[CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
\[[GH-16263](https://togithub.com/hashicorp/consul/issues/16263)]

IMPROVEMENTS:

- container: Upgrade container image to use to Alpine 3.17.
\[[GH-16358](https://togithub.com/hashicorp/consul/issues/16358)]
- mesh: Add ServiceResolver RequestTimeout for route timeouts to make
request timeouts configurable
\[[GH-16495](https://togithub.com/hashicorp/consul/issues/16495)]

BUG FIXES:

- mesh: Fix resolution of service resolvers with subsets for external
upstreams
\[[GH-16499](https://togithub.com/hashicorp/consul/issues/16499)]
- peering: Fix bug where services were incorrectly imported as
connect-enabled.
\[[GH-16339](https://togithub.com/hashicorp/consul/issues/16339)]
- peering: Fix issue where mesh gateways would use the wrong address
when contacting a remote peer with the same datacenter name.
\[[GH-16257](https://togithub.com/hashicorp/consul/issues/16257)]
- peering: Fix issue where secondary wan-federated datacenters could not
be used as peering acceptors.
\[[GH-16230](https://togithub.com/hashicorp/consul/issues/16230)]
- proxycfg: fix a bug where terminating gateways were not cleaning up
deleted service resolvers for their referenced services
\[[GH-16498](https://togithub.com/hashicorp/consul/issues/16498)]

###
[`v1.14.4`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.4)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.14.3...v1.14.4)

#### 1.14.4 (January 26, 2023)

BREAKING CHANGES:

- connect: Fix configuration merging for transparent proxy upstreams.
Proxy-defaults and service-defaults config entries were not correctly
merged for implicit upstreams in transparent proxy mode and would result
in some configuration not being applied. To avoid issues when upgrading,
ensure that any proxy-defaults or service-defaults have correct
configuration for upstreams, since all fields will now be properly used
to configure proxies.
\[[GH-16000](https://togithub.com/hashicorp/consul/issues/16000)]
- peering: Newly created peering connections must use only lowercase
characters in the `name` field. Existing peerings with uppercase
characters will not be modified, but they may encounter issues in
various circumstances. To maintain forward compatibility and avoid
issues, it is recommended to destroy and re-create any invalid peering
connections so that they do not have a name containing uppercase
characters.
\[[GH-15697](https://togithub.com/hashicorp/consul/issues/15697)]

FEATURES:

- connect: add flags `envoy-ready-bind-port` and
`envoy-ready-bind-address` to the `consul connect envoy` command that
allows configuration of readiness probe on proxy for any service kind.
\[[GH-16015](https://togithub.com/hashicorp/consul/issues/16015)]
- deps: update to latest go-discover to provide ECS auto-discover
capabilities.
\[[GH-13782](https://togithub.com/hashicorp/consul/issues/13782)]

IMPROVEMENTS:

- acl: relax permissions on the `WatchServers`, `WatchRoots` and
`GetSupportedDataplaneFeatures` gRPC endpoints to accept *any* valid ACL
token \[[GH-15346](https://togithub.com/hashicorp/consul/issues/15346)]
- connect: Add support for ConsulResolver to specifies a filter
expression
\[[GH-15659](https://togithub.com/hashicorp/consul/issues/15659)]
- grpc: Use new balancer implementation to reduce periodic WARN logs
when shuffling servers.
\[[GH-15701](https://togithub.com/hashicorp/consul/issues/15701)]
- partition: **(Consul Enterprise only)** when loading service from
on-disk config file or sending API request to agent endpoint,
if the partition is unspecified, consul will default the partition in
the request to agent's partition
\[[GH-16024](https://togithub.com/hashicorp/consul/issues/16024)]

BUG FIXES:

- agent: Fix assignment of error when auto-reloading cert and key file
changes.
\[[GH-15769](https://togithub.com/hashicorp/consul/issues/15769)]
- agent: Fix issue where the agent cache would incorrectly mark protobuf
objects as updated.
\[[GH-15866](https://togithub.com/hashicorp/consul/issues/15866)]
- cli: Fix issue where `consul connect envoy` was unable to configure
TLS over unix-sockets to gRPC.
\[[GH-15913](https://togithub.com/hashicorp/consul/issues/15913)]
- connect: **(Consul Enterprise only)** Fix issue where upstream
configuration from proxy-defaults and service-defaults was not properly
merged. This could occur when a mixture of empty-strings and "default"
were used for the namespace or partition fields.
- connect: Fix issue where service-resolver protocol checks incorrectly
errored for failover peer targets.
\[[GH-15833](https://togithub.com/hashicorp/consul/issues/15833)]
- connect: Fix issue where watches on upstream failover peer targets did
not always query the correct data.
\[[GH-15865](https://togithub.com/hashicorp/consul/issues/15865)]
- xds: fix bug where sessions for locally-managed services could fail
with "this server has too many xDS streams open"
\[[GH-15789](https://togithub.com/hashicorp/consul/issues/15789)]

###
[`v1.14.3`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.3)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.14.2...v1.14.3)

#### 1.14.3 (December 13, 2022)

SECURITY:

- Upgrade to use Go 1.19.4. This resolves a vulnerability where
restricted files can be read on Windows.
[CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720)
\[[GH-15705](https://togithub.com/hashicorp/consul/issues/15705)]
- Upgrades `golang.org/x/net` to prevent a denial of service by
excessive memory usage caused by HTTP2 requests.
[CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717)
\[[GH-15737](https://togithub.com/hashicorp/consul/issues/15737)]

FEATURES:

- ui: Add field for fallback server addresses to peer token generation
form \[[GH-15555](https://togithub.com/hashicorp/consul/issues/15555)]

IMPROVEMENTS:

- connect: ensure all vault connect CA tests use limited privilege
tokens \[[GH-15669](https://togithub.com/hashicorp/consul/issues/15669)]

BUG FIXES:

- agent: **(Enterprise Only)** Ensure configIntentionsConvertToList does
not compare empty strings with populated strings when filtering
intentions created prior to AdminPartitions.
- connect: Fix issue where DialedDirectly configuration was not used by
Consul Dataplane.
\[[GH-15760](https://togithub.com/hashicorp/consul/issues/15760)]
- connect: Fix peering failovers ignoring local mesh gateway
configuration.
\[[GH-15690](https://togithub.com/hashicorp/consul/issues/15690)]
- connect: Fixed issue where using Vault 1.11+ as CA provider in a
secondary datacenter would eventually break Intermediate CAs
\[[GH-15661](https://togithub.com/hashicorp/consul/issues/15661)]

###
[`v1.14.2`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.2)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.14.1...v1.14.2)

#### 1.14.2 (November 30, 2022)

FEATURES:

- connect: Add local_idle_timeout_ms to allow configuring the Envoy
route idle timeout on local_app
connect: Add IdleTimeout to service-router to allow configuring the
Envoy route idle timeout
\[[GH-14340](https://togithub.com/hashicorp/consul/issues/14340)]
- snapshot: **(Enterprise Only)** Add support for the snapshot agent to
use an IAM role for authentication/authorization when managing snapshots
in S3.

IMPROVEMENTS:

- dns: Add support for cluster peering `.service` and `.node` DNS
queries.
\[[GH-15596](https://togithub.com/hashicorp/consul/issues/15596)]

BUG FIXES:

- acl: avoid debug log spam in secondary datacenter servers due to
management token not being initialized.
\[[GH-15610](https://togithub.com/hashicorp/consul/issues/15610)]
- agent: Fixed issue where blocking queries with short waits could
timeout on the client
\[[GH-15541](https://togithub.com/hashicorp/consul/issues/15541)]
- ca: Fixed issue where using Vault as Connect CA with Vault-managed
policies would error on start-up if the intermediate PKI mount existed
but was empty
\[[GH-15525](https://togithub.com/hashicorp/consul/issues/15525)]
- cli: **(Enterprise Only)** Fix issue where `consul partition update`
subcommand was not registered and therefore not available through the
cli.
- connect: Fixed issue where using Vault 1.11+ as CA provider would
eventually break Intermediate CAs
\[[GH-15217](https://togithub.com/hashicorp/consul/issues/15217)]
\[[GH-15253](https://togithub.com/hashicorp/consul/issues/15253)]
- namespace: **(Enterprise Only)** Fix a bug that caused blocking
queries during namespace replication to timeout
- peering: better represent non-passing states during peer check
flattening
\[[GH-15615](https://togithub.com/hashicorp/consul/issues/15615)]
- peering: fix the limit of replication gRPC message; set to 8MB
\[[GH-15503](https://togithub.com/hashicorp/consul/issues/15503)]

###
[`v1.14.1`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.1)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.14.0...v1.14.1)

#### 1.14.1 (November 21, 2022)

BUG FIXES:

- cli: Fix issue where `consul connect envoy` incorrectly uses the HTTPS
API configuration for xDS connections.
\[[GH-15466](https://togithub.com/hashicorp/consul/issues/15466)]
- sdk: Fix SDK testutil backwards compatibility by only configuring
grpc_tls port for new Consul versions.
\[[GH-15423](https://togithub.com/hashicorp/consul/issues/15423)]

###
[`v1.14.0`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.0)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.9...v1.14.0)

#### 1.14.0 (November 15, 2022)

BREAKING CHANGES:

-   config: Add new `ports.grpc_tls` configuration option.
Introduce a new port to better separate TLS config from the existing
`ports.grpc` config.
    The new `ports.grpc_tls` only supports TLS encrypted communication.
The existing `ports.grpc` now only supports plain-text communication.
\[[GH-15339](https://togithub.com/hashicorp/consul/issues/15339)]
- config: update 1.14 config defaults: Enable `peering` and `connect` by
default.
\[[GH-15302](https://togithub.com/hashicorp/consul/issues/15302)]
- config: update 1.14 config defaults: Set gRPC TLS port default value
to 8503
\[[GH-15302](https://togithub.com/hashicorp/consul/issues/15302)]
- connect: Removes support for Envoy 1.20
\[[GH-15093](https://togithub.com/hashicorp/consul/issues/15093)]
- peering: Rename `PeerName` to `Peer` on prepared queries and exported
services.
\[[GH-14854](https://togithub.com/hashicorp/consul/issues/14854)]
- xds: Convert service mesh failover to use Envoy's aggregate clusters.
This
changes the names of some [Envoy dynamic HTTP
metrics](https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats#dynamic-http-statistics).
\[[GH-14178](https://togithub.com/hashicorp/consul/issues/14178)]

SECURITY:

- Ensure that data imported from peers is filtered by ACLs at the UI
Nodes/Services endpoints
[CVE-2022-3920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3920)
\[[GH-15356](https://togithub.com/hashicorp/consul/issues/15356)]

FEATURES:

- DNS-proxy support via gRPC request.
\[[GH-14811](https://togithub.com/hashicorp/consul/issues/14811)]
- cli: Add -node-name flag to redirect-traffic command to support
running in environments without client agents.
\[[GH-14933](https://togithub.com/hashicorp/consul/issues/14933)]
- cli: Add `-consul-dns-port` flag to the `consul connect
redirect-traffic` command to allow forwarding DNS traffic to a specific
Consul DNS port.
\[[GH-15050](https://togithub.com/hashicorp/consul/issues/15050)]
- connect: Add Envoy connection balancing configuration fields.
\[[GH-14616](https://togithub.com/hashicorp/consul/issues/14616)]
- grpc: Added metrics for external gRPC server. Added
`server_type=internal|external` label to gRPC metrics.
\[[GH-14922](https://togithub.com/hashicorp/consul/issues/14922)]
- http: Add new `get-or-empty` operation to the txn api. Refer to the
[API docs](https://www.consul.io/api-docs/txn#kv-operations) for more
information.
\[[GH-14474](https://togithub.com/hashicorp/consul/issues/14474)]
- peering: Add mesh gateway local mode support for cluster peering.
\[[GH-14817](https://togithub.com/hashicorp/consul/issues/14817)]
- peering: Add support for stale queries for trust bundle lookups
\[[GH-14724](https://togithub.com/hashicorp/consul/issues/14724)]
- peering: Add support to failover to services running on cluster peers.
\[[GH-14396](https://togithub.com/hashicorp/consul/issues/14396)]
- peering: Add support to redirect to services running on cluster peers
with service resolvers.
\[[GH-14445](https://togithub.com/hashicorp/consul/issues/14445)]
- peering: Ensure un-exported services get deleted even if the un-export
happens while cluster peering replication is down.
\[[GH-14797](https://togithub.com/hashicorp/consul/issues/14797)]
- peering: add support for routine peering control-plane traffic through
mesh gateways
\[[GH-14981](https://togithub.com/hashicorp/consul/issues/14981)]
- sdk: Configure `iptables` to forward DNS traffic to a specific DNS
port. \[[GH-15050](https://togithub.com/hashicorp/consul/issues/15050)]
- telemetry: emit memberlist size metrics and broadcast queue depth
metric.
\[[GH-14873](https://togithub.com/hashicorp/consul/issues/14873)]
- ui: Added support for central config merging
\[[GH-14604](https://togithub.com/hashicorp/consul/issues/14604)]
- ui: Create peerings detail page
\[[GH-14947](https://togithub.com/hashicorp/consul/issues/14947)]
- ui: Detect a TokenSecretID cookie and passthrough to localStorage
\[[GH-14495](https://togithub.com/hashicorp/consul/issues/14495)]
- ui: Display notice banner on nodes index page if synthetic nodes are
being filtered.
\[[GH-14971](https://togithub.com/hashicorp/consul/issues/14971)]
- ui: Filter agentless (synthetic) nodes from the nodes list page.
\[[GH-14970](https://togithub.com/hashicorp/consul/issues/14970)]
- ui: Filter out node health checks on agentless service instances
\[[GH-14986](https://togithub.com/hashicorp/consul/issues/14986)]
- ui: Remove node meta on service instances when using agentless and
consolidate external-source labels on service instances page if they all
match. \[[GH-14921](https://togithub.com/hashicorp/consul/issues/14921)]
- ui: Removed reference to node name on service instance page when using
agentless
\[[GH-14903](https://togithub.com/hashicorp/consul/issues/14903)]
- ui: Use withCredentials for all HTTP API requests
\[[GH-14343](https://togithub.com/hashicorp/consul/issues/14343)]
- xds: servers will limit the number of concurrent xDS streams they can
handle to balance the load across all servers
\[[GH-14397](https://togithub.com/hashicorp/consul/issues/14397)]

IMPROVEMENTS:

- peering: Add peering datacenter and partition to initial handshake.
\[[GH-14889](https://togithub.com/hashicorp/consul/issues/14889)]
- xds: Added a rate limiter to the delivery of proxy config updates, to
prevent updates to "global" resources such as wildcard intentions from
overwhelming servers (see: `xds.update_max_per_second` config field)
\[[GH-14960](https://togithub.com/hashicorp/consul/issues/14960)]
- xds: Removed a bottleneck in Envoy config generation, enabling a
higher number of dataplanes per server
\[[GH-14934](https://togithub.com/hashicorp/consul/issues/14934)]
- agent/hcp: add initial HashiCorp Cloud Platform integration
\[[GH-14723](https://togithub.com/hashicorp/consul/issues/14723)]
- agent: Added configuration option cloud.scada_address.
\[[GH-14936](https://togithub.com/hashicorp/consul/issues/14936)]
- api: Add filtering support to Catalog's List Services
(v1/catalog/services)
\[[GH-11742](https://togithub.com/hashicorp/consul/issues/11742)]
- api: Increase max number of operations inside a transaction for
requests to /v1/txn (128)
\[[GH-14599](https://togithub.com/hashicorp/consul/issues/14599)]
- auto-config: Relax the validation on auto-config JWT authorization to
allow non-whitespace, non-quote characters in node names.
\[[GH-15370](https://togithub.com/hashicorp/consul/issues/15370)]
- config-entry: Validate that service-resolver `Failover`s and
`Redirect`s only
specify `Partition` and `Namespace` on Consul Enterprise. This prevents
scenarios
where OSS Consul would save service-resolvers that require Consul
Enterprise.
\[[GH-14162](https://togithub.com/hashicorp/consul/issues/14162)]
- connect: Add Envoy 1.24.0 to support matrix
\[[GH-15093](https://togithub.com/hashicorp/consul/issues/15093)]
- connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5
\[[GH-14831](https://togithub.com/hashicorp/consul/issues/14831)]
- connect: service-router destinations have gained a `RetryOn` field for
specifying the conditions when Envoy should retry requests beyond
specific status codes and generic connection failure which already
exists.
\[[GH-12890](https://togithub.com/hashicorp/consul/issues/12890)]
- dns/peering: **(Enterprise Only)** Support addresses in the formats
`<servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul`
and `<servicename>.virtual.<partition>.ap.<peername>.peer.consul`. This
longer form address that allows specifying `.peer` would need to be used
for tproxy DNS requests made within non-default partitions for imported
services.
- dns: **(Enterprise Only)** All enterprise locality labels are now
optional in DNS lookups. For example, service lookups support the
following format:
`[<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>`.
\[[GH-14679](https://togithub.com/hashicorp/consul/issues/14679)]
- integ test: fix flakiness due to test condition from retry app endoint
\[[GH-15233](https://togithub.com/hashicorp/consul/issues/15233)]
- metrics: Service RPC calls less than 1ms are now emitted as a decimal
number.
\[[GH-12905](https://togithub.com/hashicorp/consul/issues/12905)]
- peering: adds an internally managed server certificate for automatic
TLS between servers in peer clusters.
\[[GH-14556](https://togithub.com/hashicorp/consul/issues/14556)]
- peering: require TLS for peering connections using server cert signed
by Connect CA
\[[GH-14796](https://togithub.com/hashicorp/consul/issues/14796)]
- peering: return information about the health of the peering when the
leader is queried to read a peering.
\[[GH-14747](https://togithub.com/hashicorp/consul/issues/14747)]
- raft: Allow nonVoter to initiate an election to avoid having an
election infinite loop when a Voter is converted to NonVoter
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]
- raft: Cap maximum grpc wait time when heartbeating to
heartbeatTimeout/2
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]
- raft: Fix a race condition where the snapshot file is closed without
being opened
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]
- telemetry: Added a `consul.xds.server.streamStart` metric to measure
time taken to first generate xDS resources for an xDS stream.
\[[GH-14957](https://togithub.com/hashicorp/consul/issues/14957)]
- ui: Improve guidance around topology visualisation
\[[GH-14527](https://togithub.com/hashicorp/consul/issues/14527)]
- xds: Set `max_ejection_percent` on Envoy's outlier detection to 100%
for peered services.
\[[GH-14373](https://togithub.com/hashicorp/consul/issues/14373)]

BUG FIXES:

- checks: Do not set interval as timeout value
\[[GH-14619](https://togithub.com/hashicorp/consul/issues/14619)]
- checks: If set, use proxy address for automatically added sidecar
check instead of service address.
\[[GH-14433](https://togithub.com/hashicorp/consul/issues/14433)]
- cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set
together
\[[GH-13493](https://togithub.com/hashicorp/consul/issues/13493)]
- connect: Fix issue where mesh-gateway settings were not properly
inherited from configuration entries.
\[[GH-15186](https://togithub.com/hashicorp/consul/issues/15186)]
- connect: fixed bug where endpoint updates for new xDS clusters could
block for 15s before being sent to Envoy.
\[[GH-15083](https://togithub.com/hashicorp/consul/issues/15083)]
- connect: strip port from DNS SANs for ingress gateway leaf certificate
to avoid an invalid hostname error when using the Vault provider.
\[[GH-15320](https://togithub.com/hashicorp/consul/issues/15320)]
- debug: fixed bug that caused consul debug CLI to error on ACL-disabled
clusters
\[[GH-15155](https://togithub.com/hashicorp/consul/issues/15155)]
- deps: update go-memdb, fixing goroutine leak
\[[GH-15010](https://togithub.com/hashicorp/consul/issues/15010)]
\[[GH-15068](https://togithub.com/hashicorp/consul/issues/15068)]
- grpc: Merge proxy-defaults and service-defaults in
GetEnvoyBootstrapParams response.
\[[GH-14869](https://togithub.com/hashicorp/consul/issues/14869)]
- metrics: Add duplicate metrics that have only a single "consul\_"
prefix for all existing metrics with double ("consul_consul\_") prefix,
with the intent to standardize on single prefixes.
\[[GH-14475](https://togithub.com/hashicorp/consul/issues/14475)]
- namespace: **(Enterprise Only)** Fixed a bug where a client may
incorrectly log that namespaces were not enabled in the local datacenter
- peering: Fix a bug that resulted in /v1/agent/metrics returning an
error. \[[GH-15178](https://togithub.com/hashicorp/consul/issues/15178)]
- peering: fix nil pointer in calling handleUpdateService
\[[GH-15160](https://togithub.com/hashicorp/consul/issues/15160)]
- peering: fix the error of wan address isn't taken by the peering
token. \[[GH-15065](https://togithub.com/hashicorp/consul/issues/15065)]
- peering: when wan address is set, peering stream should use the wan
address.
\[[GH-15108](https://togithub.com/hashicorp/consul/issues/15108)]
- proxycfg(mesh-gateway): Fix issue where deregistered services are not
removed from mesh-gateway clusters.
\[[GH-15272](https://togithub.com/hashicorp/consul/issues/15272)]
- server: fix goroutine/memory leaks in the xDS subsystem (these were
present regardless of whether or not xDS was in-use)
\[[GH-14916](https://togithub.com/hashicorp/consul/issues/14916)]
- server: fixes the error trying to source proxy configuration for http
checks, in case of proxies using consul-dataplane.
\[[GH-14924](https://togithub.com/hashicorp/consul/issues/14924)]
- xds: Central service configuration (proxy-defaults and
service-defaults) is now correctly applied to Consul Dataplane proxies
\[[GH-14962](https://togithub.com/hashicorp/consul/issues/14962)]

NOTES:

- deps: Upgrade to use Go 1.19.2
\[[GH-15090](https://togithub.com/hashicorp/consul/issues/15090)]

###
[`v1.13.9`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.9)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.8...v1.13.9)

#### 1.13.9 (June 26, 2023)

BREAKING CHANGES:

- connect: Disable peering by default in connect proxies for Consul
1.13. This change was made to prevent inefficient polling
queries from having a negative impact on server performance. Peering in
Consul 1.13 is an experimental feature and is not
recommended for use in production environments. If you still wish to use
the experimental peering feature, ensure
[`peering.enabled =
true`](https://developer.hashicorp.com/consul/docs/v1.13.x/agent/config/config-files#peering_enabled)
is set on all clients and servers.
\[[GH-17731](https://togithub.com/hashicorp/consul/issues/17731)]

SECURITY:

- Update to UBI base image to 9.2.
\[[GH-17513](https://togithub.com/hashicorp/consul/issues/17513)]

FEATURES:

- server: **(Enterprise Only)** allow automatic license utilization
reporting.
\[[GH-5102](https://togithub.com/hashicorp/consul/issues/5102)]

IMPROVEMENTS:

- debug: change default setting of consul debug command. now default
duration is 5ms and default log level is 'TRACE'
\[[GH-17596](https://togithub.com/hashicorp/consul/issues/17596)]
- systemd: set service type to notify.
\[[GH-16845](https://togithub.com/hashicorp/consul/issues/16845)]

BUG FIXES:

- cache: fix a few minor goroutine leaks in leaf certs and the agent
cache \[[GH-17636](https://togithub.com/hashicorp/consul/issues/17636)]
- namespaces: **(Enterprise only)** fixes a bug where namespaces are
stuck in a deferred deletion state indefinitely under some conditions.
Also fixes the Consul query metadata present in the HTTP headers of the
namespace read and list endpoints.
- namespaces: adjusts the return type from HTTP list API to return the
`api` module representation of a namespace.
This fixes an error with the `consul namespace list` command when a
namespace has a deferred deletion timestamp.
- peering: Fix a bug that caused server agents to continue cleaning up
peering resources even after loss of leadership.
\[[GH-17483](https://togithub.com/hashicorp/consul/issues/17483)]

###
[`v1.13.8`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.8)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.7...v1.13.8)

#### 1.13.8 (May 16, 2023)

SECURITY:

-   Upgrade to use Go 1.20.1.
This resolves vulnerabilities
[CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and
[CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
\[[GH-16263](https://togithub.com/hashicorp/consul/issues/16263)]
-   Upgrade to use Go 1.20.4.
This resolves vulnerabilities
[CVE-2023-24537](https://togithub.com/advisories/GHSA-9f7g-gqwh-jpf5)(`go/scanner`),

[CVE-2023-24538](https://togithub.com/advisories/GHSA-v4m2-x4rp-hv22)(`html/template`),

[CVE-2023-24534](https://togithub.com/advisories/GHSA-8v5j-pwr7-w5f8)(`net/textproto`)
and

[CVE-2023-24536](https://togithub.com/advisories/GHSA-9f7g-gqwh-jpf5)(`mime/multipart`).
Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs
[CVE-2022-41721](https://togithub.com/advisories/GHSA-fxg5-wq6x-vr4w),
[CVE-2022-27664](https://togithub.com/advisories/GHSA-69cg-p879-7622)
and
[CVE-2022-41723](https://togithub.com/advisories/GHSA-vvpx-j8f3-3w6h.)
\[[GH-17240](https://togithub.com/hashicorp/consul/issues/17240)]

IMPROVEMENTS:

- api: updated the go module directive to 1.18.
\[[GH-15297](https://togithub.com/hashicorp/consul/issues/15297)]
- connect: update supported envoy versions to 1.20.7, 1.21.6, 1.22.11,
1.23.8 \[[GH-16891](https://togithub.com/hashicorp/consul/issues/16891)]
- sdk: updated the go module directive to 1.18.
\[[GH-15297](https://togithub.com/hashicorp/consul/issues/15297)]

BUG FIXES:

- Fix an bug where decoding some Config structs with unset pointer
fields could fail with `reflect: call of reflect.Value.Type on zero
Value`.
\[[GH-17048](https://togithub.com/hashicorp/consul/issues/17048)]
- audit-logging: (Enterprise only) Fix a bug where `/agent/monitor` and
`/agent/metrics` endpoints return a `Streaming not supported` error when
audit logs are enabled. This also fixes the delay receiving logs when
running `consul monitor` against an agent with audit logs enabled.
\[[GH-16700](https://togithub.com/hashicorp/consul/issues/16700)]
- ca: Fixes a bug where updating Vault CA Provider config would cause
TLS issues in the service mesh
\[[GH-16592](https://togithub.com/hashicorp/consul/issues/16592)]
- connect: Fix multiple inefficient behaviors when querying service
health.
\[[GH-17241](https://togithub.com/hashicorp/consul/issues/17241)]
- grpc: ensure grpc resolver correctly uses lan/wan addresses on servers
\[[GH-17270](https://togithub.com/hashicorp/consul/issues/17270)]
- peering: Fixes a bug that can lead to peering service deletes
impacting the state of local services
\[[GH-16570](https://togithub.com/hashicorp/consul/issues/16570)]
- xds: Fix possible panic that can when generating clusters before the
root certificates have been fetched.
\[[GH-17185](https://togithub.com/hashicorp/consul/issues/17185)]

###
[`v1.13.7`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.7)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.6...v1.13.7)

#### 1.13.7 (March 7, 2023)

SECURITY:

-   Upgrade to use Go 1.19.6.
This resolves vulnerabilities
[CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and
[CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
\[[GH-16299](https://togithub.com/hashicorp/consul/issues/16299)]

IMPROVEMENTS:

- xds: Removed a bottleneck in Envoy config generation.
\[[GH-16269](https://togithub.com/hashicorp/consul/issues/16269)]
- container: Upgrade container image to use to Alpine 3.17.
\[[GH-16358](https://togithub.com/hashicorp/consul/issues/16358)]
- mesh: Add ServiceResolver RequestTimeout for route timeouts to make
request timeouts configurable
\[[GH-16495](https://togithub.com/hashicorp/consul/issues/16495)]

BUG FIXES:

- mesh: Fix resolution of service resolvers with subsets for external
upstreams
\[[GH-16499](https://togithub.com/hashicorp/consul/issues/16499)]
- proxycfg: fix a bug where terminating gateways were not cleaning up
deleted service resolvers for their referenced services
\[[GH-16498](https://togithub.com/hashicorp/consul/issues/16498)]

###
[`v1.13.6`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.6)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.5...v1.13.6)

#### 1.13.6 (January 26, 2023)

FEATURES:

- connect: add flags `envoy-ready-bind-port` and
`envoy-ready-bind-address` to the `consul connect envoy` command that
allows configuration of readiness probe on proxy for any service kind.
\[[GH-16015](https://togithub.com/hashicorp/consul/issues/16015)]
- deps: update to latest go-discover to provide ECS auto-discover
capabilities.
\[[GH-13782](https://togithub.com/hashicorp/consul/issues/13782)]

IMPROVEMENTS:

- grpc: Use new balancer implementation to reduce periodic WARN logs
when shuffling servers.
\[[GH-15701](https://togithub.com/hashicorp/consul/issues/15701)]
- partition: **(Consul Enterprise only)** when loading service from
on-disk config file or sending API request to agent endpoint,
if the partition is unspecified, consul will default the partition in
the request to agent's partition
\[[GH-16024](https://togithub.com/hashicorp/consul/issues/16024)]

BUG FIXES:

- agent: Fix assignment of error when auto-reloading cert and key file
changes.
\[[GH-15769](https://togithub.com/hashicorp/consul/issues/15769)]

###
[`v1.13.5`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.5)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.4...v1.13.5)

#### 1.13.5 (December 13, 2022)

SECURITY:

- Upgrade to use Go 1.18.9. This resolves a vulnerability where
restricted files can be read on Windows.
[CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720)
\[[GH-15706](https://togithub.com/hashicorp/consul/issues/15706)]
- Upgrades `golang.org/x/net` to prevent a denial of service by
excessive memory usage caused by HTTP2 requests.
[CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717)
\[[GH-15743](https://togithub.com/hashicorp/consul/issues/15743)]

IMPROVEMENTS:

- connect: ensure all vault connect CA tests use limited privilege
tokens \[[GH-15669](https://togithub.com/hashicorp/consul/issues/15669)]

BUG FIXES:

- agent: **(Enterprise Only)** Ensure configIntentionsConvertToList does
not compare empty strings with populated strings when filtering
intentions created prior to AdminPartitions.
- cli: **(Enterprise Only)** Fix issue where `consul partition update`
subcommand was not registered and therefore not available through the
cli.
- connect: Fixed issue where using Vault 1.11+ as CA provider in a
secondary datacenter would eventually break Intermediate CAs
\[[GH-15661](https://togithub.com/hashicorp/consul/issues/15661)]

###
[`v1.13.4`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.4)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.3...v1.13.4)

#### 1.13.4 (November 30, 2022)

IMPROVEMENTS:

- auto-config: Relax the validation on auto-config JWT authorization to
allow non-whitespace, non-quote characters in node names.
\[[GH-15370](https://togithub.com/hashicorp/consul/issues/15370)]
- raft: Allow nonVoter to initiate an election to avoid having an
election infinite loop when a Voter is converted to NonVoter
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]
- raft: Cap maximum grpc wait time when heartbeating to
heartbeatTimeout/2
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]
- raft: Fix a race condition where the snapshot file is closed without
being opened
\[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)]

BUG FIXES:

- agent: Fixed issue where blocking queries with short waits could
timeout on the client
\[[GH-15541](https://togithub.com/hashicorp/consul/issues/15541)]
- ca: Fixed issue where using Vault as Connect CA with Vault-managed
policies would error on start-up if the intermediate PKI mount existed
but was empty
\[[GH-15525](https://togithub.com/hashicorp/consul/issues/15525)]
- connect: Fixed issue where using Vault 1.11+ as CA provider would
eventually break Intermediate CAs
\[[GH-15217](https://togithub.com/hashicorp/consul/issues/15217)]
\[[GH-15253](https://togithub.com/hashicorp/consul/issues/15253)]
- connect: fixed bug where endpoint updates for new xDS clusters could
block for 15s before being sent to Envoy.
\[[GH-15083](https://togithub.com/hashicorp/consul/issues/15083)]
- connect: strip port from DNS SANs for ingress gateway leaf certificate
to avoid an invalid hostname error when using the Vault provider.
\[[GH-15320](https://togithub.com/hashicorp/consul/issues/15320)]
- debug: fixed bug that caused consul debug CLI to error on ACL-disabled
clusters
\[[GH-15155](https://togithub.com/hashicorp/consul/issues/15155)]
- deps: update go-memdb, fixing goroutine leak
\[[GH-15010](https://togithub.com/hashicorp/consul/issues/15010)]
\[[GH-15068](https://togithub.com/hashicorp/consul/issues/15068)]
- namespace: **(Enterprise Only)** Fix a bug that caused blocking
queries during namespace replication to timeout
- namespace: **(Enterprise Only)** Fixed a bug where a client may
incorrectly log that namespaces were not enabled in the local datacenter
- peering: better represent non-passing states during peer check
flattening
\[[GH-15615](https://togithub.com/hashicorp/consul/issues/15615)]
- peering: fix the error of wan address isn't taken by the peering
token. \[[GH-15065](https://togithub.com/hashicorp/consul/issues/15065)]
- peering: when wan address is set, peering stream should use the wan
address.
\[[GH-15108](https://togithub.com/hashicorp/consul/issues/15108)]

###
[`v1.13.3`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.3)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.2...v1.13.3)

#### 1.13.3 (October 19, 2022)

FEATURES:

- agent: Added a new config option `rpc_client_timeout` to tune timeouts
for client RPC requests
\[[GH-14965](https://togithub.com/hashicorp/consul/issues/14965)]
- config-entry(ingress-gateway): Added support for `max_connections` for
upstream clusters
\[[GH-14749](https://togithub.com/hashicorp/consul/issues/14749)]

IMPROVEMENTS:

- connect/ca: Log a warning message instead of erroring when attempting
to update the intermediate pki mount when using the Vault provider.
\[[GH-15035](https://togithub.com/hashicorp/consul/issues/15035)]
- connect: Added gateway options to Envoy proxy config for enabling tcp
keepalives on terminating gateway upstreams and mesh gateways in remote
datacenters.
\[[GH-14800](https://togithub.com/hashicorp/consul/issues/14800)]
- connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5
\[[GH-14828](https://togithub.com/hashicorp/consul/issues/14828)]
- licensing: **(Enterprise Only)** Consul Enterprise production licenses
do not degrade or terminate Consul upon expiration. They will only fail
when trying to upgrade to a newer version of Consul. Evaluation licenses
still terminate.
\[[GH-1990](https://togithub.com/hashicorp/consul/issues/1990)]

BUG FIXES:

- agent: avoid leaking the alias check runner goroutine when the check
is de-registered
\[[GH-14935](https://togithub.com/hashicorp/consul/issues/14935)]
- ca: fix a masked bug in leaf cert generation that would not be
notified of root cert rotation after the first one
\[[GH-15005](https://togithub.com/hashicorp/consul/issues/15005)]
- cache: prevent goroutine leak in agent cache
\[[GH-14908](https://togithub.com/hashicorp/consul/issues/14908)]
- checks: Fixed a bug that prevented registration of UDP health checks
from agent configuration files, such as service definition files with
embedded health check definitions.
\[[GH-14885](https://togithub.com/hashicorp/consul/issues/14885)]
- connect: Fixed a bug where transparent proxy does not correctly spawn
listeners for upstreams to service-resolvers.
\[[GH-14751](https://togithub.com/hashicorp/consul/issues/14751)]
- snapshot-agent: **(Enterprise only)** Fix a bug when a session is not
found in Consul, which leads the agent to panic.

###
[`v1.13.2`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.2)

[Compare
Source](https://togithub.com/hashicorp/consul/compare/v1.13.1...v1.13.2)

#### 1.13.2 (September 20, 2022)

SECURITY:

- auto-config: Added input validation for auto-config JWT authorization
checks. Prior to this change, it was possible for malicious actors to
construct requests which incorrectly pass custom JWT claim validation
for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset
of characters are allowed for the input before evaluating the bexpr.
\[[GH-14577](https://togithub.com/hashicorp/consul/issues/14577)]
- connect: Added URI length checks to ConnectCA CSR requests. Prior to
this change, it was possible for a malicious actor to designate multiple
SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint
now only allows for exactly one SAN URI to be specified.
\[[GH-14579](https://togithub.com/hashicorp/consul/issues/14579)]

FEATURES:

- cli: Adds new subcommands for `peering` workflows. Refer to the [CLI
docs](https://www.consul.io/commands/peering) for more information.
\[[GH-14423](https://togithub.com/hashicorp/consul/issues/14423)]
- connect: Server address changes are streamed to peers
\[[GH-14285](https://togithub.com/hashicorp/consul/issues/14285)]
-   service-defaults: Added support for `local_request_timeout_ms` and
`local_connect_timeout_ms` in servicedefaults config entry
\[[GH-14395](https://togithub.com/hashicorp/consul/issues/14395)]

IMPROVEMENTS:

- connect: Bump latest Envoy to 1.23.1 in test matrix
\[[GH-14573](https://togithub.com/hashicorp/consul/issues/14573)]
- connect: expose new tracing configuration on envoy
\[[GH-13998](https://togithub.com/hashicorp/consul/issues/13998)]
- envoy: adds additional Envoy outlier ejection parameters to passive
health check configurations.
\[[GH-14238](https://togithub.com/hashicorp/consul/issues/14238)]
- metrics: add labels of segment, partition, network area, network (lan
or wan) to serf and memberlist metrics
\[[GH-14161](https://togithub.com/hashicorp/consul/issues/14161)]
- peering: Validate peering tokens for server name conflicts
\[[GH-14563](https://togithub.com/hashicorp/consul/issues/14563)]
- snapshot agent: **(Enterprise only)** Add support for path-based
addressing when using s3 backend.
- ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/
\[[GH-14521](https://togithub.com/hashicorp/consul/issues/14521)]

BUG FIXES:

- agent: Fixes an issue where an agent that fails to start due to bad
addresses won't clean up any existing liste

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/grafana/loki).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xOS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants