HCSEC-2021-12 - Missing Tags/Releases

[ciriarte]

Hi Lyle!

I hope you're doing great. I was wondering if it would be possible to release a few tags that were skipped. These are important because it seems they are the ones impacted by HCSEC-2021-12 - Codecov Security Event and HashiCorp GPG Key Exposure

Thank you so much again for this project! It's our lifeline.

[ljfranklin]

Hey Carlos! Hope you're doing well too!

Back in April someone also brought this up: #152. My response then was I didn't have the CI plumbing in place to release old tags, and you should update to latest anyway since Terraform was pre-1.0 at the time with no long-term support guarantees. I think I still stand by that given you're been running without these patched images for 6+ months since the CVE was released. Happy to hear more about your specific case, but upgrading to Terraform 1.0+ feels like a better fix for long-term health to me. Only a matter of time before your IaaS provider makes a breaking API change and you can't deploy until you upgrade N Terraform versions.

[ciriarte]

Makes sense. In our case, we're in 0.11.14 and our plan is to incrementally move to 1.0+ (which is how we noticed as we started migrating our templates to 0.12).

I honestly didn't find #152 during my shallow search. If you don't have the CI infra I completely understand, we would be unfairly pushing work to you.

Thank you so much for your response, it was nice saying hi to you!