Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/hashicorp/consul	replace	minor	v1.5.1 -> v1.14.5

---

Denial of Service (DoS) in HashiCorp Consul

CVE-2020-7219 / GHSA-23jv-v6qj-3fhh

More information

Details

HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.

Specific Go Packages Affected

github.com/hashicorp/consul/agent/consul

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-7219
• https://github.com/hashicorp/consul/issues/7159
• https://www.hashicorp.com/blog/category/consul/

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Incorrect Authorization in HashiCorp Consul

CVE-2020-7955 / GHSA-r9w6-rhh9-7v53

More information

Details

HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-7955
• https://github.com/hashicorp/consul/issues/7160
• https://www.hashicorp.com/blog/category/consul/

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Allocation of Resources Without Limits or Throttling in Hashicorp Consul

CVE-2020-13250 / GHSA-rqjq-mrgx-85hp

More information

Details

HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service.

Specific Go Packages Affected

github.com/hashicorp/consul/agent/config

Fix

The vulnerability is fixed in versions 1.6.6 and 1.7.4.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-13250
• https://github.com/hashicorp/consul/pull/8023
• https://github.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef46941432
• https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md
• https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

HashiCorp Consul Cross-site Scripting vulnerability

CVE-2020-25864 / GHSA-8xmx-h8rq-h94j

More information

Details

HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-25864
• https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368
• https://github.com/hashicorp/consul
• https://security.gentoo.org/glsa/202208-09
• https://www.hashicorp.com/blog/category/consul

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

HashiCorp Consul Privilege Escalation Vulnerability

CVE-2021-37219 / GHSA-ccw8-7688-vqx4

More information

Details

HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-37219
• https://github.com/hashicorp/consul/pull/10925
• https://github.com/hashicorp/consul/commit/3357e57dac9aadabd476f7a14973e47f003c4cf0
• https://github.com/hashicorp/consul/commit/473edd1764b6739e2e4610ea5dede4c2bc6009d1
• https://github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103
• https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024
• https://github.com/hashicorp/consul
• https://security.gentoo.org/glsa/202207-01
• https://www.hashicorp.com/blog/category/consul

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.

CVE-2021-38698 / GHSA-6hw5-6gcx-phmw

More information

Details

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-38698
• https://github.com/hashicorp/consul/pull/10824
• https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026
• https://github.com/hashicorp/consul
• https://security.gentoo.org/glsa/202208-09
• https://www.hashicorp.com/blog/category/consul

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector

CVE-2022-29153 / GHSA-q6h7-4qgw-2j9p

More information

Details

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-29153
• https://discuss.hashicorp.com
• https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/
• https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
• https://github.com/hashicorp/consul
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
• https://security.gentoo.org/glsa/202208-09
• https://security.netapp.com/advisory/ntap-20220602-0005/

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Hashicorp Consul Missing SSL Certificate Validation

CVE-2021-32574 / GHSA-25gf-8qrr-g78r

More information

Details

HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-32574
• https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
• https://github.com/hashicorp/consul/releases/tag/v1.10.1
• https://security.gentoo.org/glsa/202208-09
• https://www.hashicorp.com/blog/category/consul

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

HashiCorp Consul L7 deny intention results in an allow action

CVE-2021-36213 / GHSA-8h2g-r292-j8xh

More information

Details

In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-36213
• https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855
• https://github.com/hashicorp/consul/
• https://github.com/hashicorp/consul/releases/tag/v1.10.1
• https://security.gentoo.org/glsa/202208-09
• https://www.hashicorp.com/blog/category/consul

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

HashiCorp Consul vulnerable to authorization bypass

CVE-2022-40716 / GHSA-m69r-9g56-7mv8

More information

Details

HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This issue has been fixed in versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-40716
• https://github.com/hashicorp/consul/pull/14579
• https://github.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b
• https://discuss.hashicorp.com
• https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628
• https://github.com/hashicorp/consul
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Hashicorp Consul vulnerable to denial of service

CVE-2023-1297 / GHSA-c57c-7hrj-6q6v

More information

Details

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3

Severity

• CVSS Score: 4.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-1297
• https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515
• https://github.com/hashicorp/consul

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

hashicorp/consul (github.com/hashicorp/consul)

v1.14.5

Compare Source

1.14.5 (March 7, 2023)

SECURITY:

• Upgrade to use Go 1.20.1.
  This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http. [GH-16263]

IMPROVEMENTS:

• container: Upgrade container image to use to Alpine 3.17. [GH-16358]
• mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable [GH-16495]

BUG FIXES:

• mesh: Fix resolution of service resolvers with subsets for external upstreams [GH-16499]
• peering: Fix bug where services were incorrectly imported as connect-enabled. [GH-16339]
• peering: Fix issue where mesh gateways would use the wrong address when contacting a remote peer with the same datacenter name. [GH-16257]
• peering: Fix issue where secondary wan-federated datacenters could not be used as peering acceptors. [GH-16230]
• proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services [GH-16498]

v1.14.4

Compare Source

1.14.4 (January 26, 2023)

BREAKING CHANGES:

• connect: Fix configuration merging for transparent proxy upstreams. Proxy-defaults and service-defaults config entries were not correctly merged for implicit upstreams in transparent proxy mode and would result in some configuration not being applied. To avoid issues when upgrading, ensure that any proxy-defaults or service-defaults have correct configuration for upstreams, since all fields will now be properly used to configure proxies. [GH-16000]
• peering: Newly created peering connections must use only lowercase characters in the name field. Existing peerings with uppercase characters will not be modified, but they may encounter issues in various circumstances. To maintain forward compatibility and avoid issues, it is recommended to destroy and re-create any invalid peering connections so that they do not have a name containing uppercase characters. [GH-15697]

FEATURES:

• connect: add flags envoy-ready-bind-port and envoy-ready-bind-address to the consul connect envoy command that allows configuration of readiness probe on proxy for any service kind. [GH-16015]
• deps: update to latest go-discover to provide ECS auto-discover capabilities. [GH-13782]

IMPROVEMENTS:

• acl: relax permissions on the WatchServers, WatchRoots and GetSupportedDataplaneFeatures gRPC endpoints to accept any valid ACL token [GH-15346]
• connect: Add support for ConsulResolver to specifies a filter expression [GH-15659]
• grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. [GH-15701]
• partition: (Consul Enterprise only) when loading service from on-disk config file or sending API request to agent endpoint,
  if the partition is unspecified, consul will default the partition in the request to agent's partition [GH-16024]

BUG FIXES:

• agent: Fix assignment of error when auto-reloading cert and key file changes. [GH-15769]
• agent: Fix issue where the agent cache would incorrectly mark protobuf objects as updated. [GH-15866]
• cli: Fix issue where consul connect envoy was unable to configure TLS over unix-sockets to gRPC. [GH-15913]
• connect: (Consul Enterprise only) Fix issue where upstream configuration from proxy-defaults and service-defaults was not properly merged. This could occur when a mixture of empty-strings and "default" were used for the namespace or partition fields.
• connect: Fix issue where service-resolver protocol checks incorrectly errored for failover peer targets. [GH-15833]
• connect: Fix issue where watches on upstream failover peer targets did not always query the correct data. [GH-15865]
• xds: fix bug where sessions for locally-managed services could fail with "this server has too many xDS streams open" [GH-15789]

v1.14.3

Compare Source

1.14.3 (December 13, 2022)

SECURITY:

• Upgrade to use Go 1.19.4. This resolves a vulnerability where restricted files can be read on Windows. CVE-2022-41720 [GH-15705]
• Upgrades golang.org/x/net to prevent a denial of service by excessive memory usage caused by HTTP2 requests. CVE-2022-41717 [GH-15737]

FEATURES:

• ui: Add field for fallback server addresses to peer token generation form [GH-15555]

IMPROVEMENTS:

• connect: ensure all vault connect CA tests use limited privilege tokens [GH-15669]

BUG FIXES:

• agent: (Enterprise Only) Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions.
• connect: Fix issue where DialedDirectly configuration was not used by Consul Dataplane. [GH-15760]
• connect: Fix peering failovers ignoring local mesh gateway configuration. [GH-15690]
• connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs [GH-15661]

v1.14.2

Compare Source

1.14.2 (November 30, 2022)

FEATURES:

• connect: Add local_idle_timeout_ms to allow configuring the Envoy route idle timeout on local_app
  connect: Add IdleTimeout to service-router to allow configuring the Envoy route idle timeout [GH-14340]
• snapshot: (Enterprise Only) Add support for the snapshot agent to use an IAM role for authentication/authorization when managing snapshots in S3.

IMPROVEMENTS:

• dns: Add support for cluster peering .service and .node DNS queries. [GH-15596]

BUG FIXES:

• acl: avoid debug log spam in secondary datacenter servers due to management token not being initialized. [GH-15610]
• agent: Fixed issue where blocking queries with short waits could timeout on the client [GH-15541]
• ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty [GH-15525]
• cli: (Enterprise Only) Fix issue where consul partition update subcommand was not registered and therefore not available through the cli.
• connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs [GH-15217] [GH-15253]
• namespace: (Enterprise Only) Fix a bug that caused blocking queries during namespace replication to timeout
• peering: better represent non-passing states during peer check flattening [GH-15615]
• peering: fix the limit of replication gRPC message; set to 8MB [GH-15503]

v1.14.1

Compare Source

1.14.1 (November 21, 2022)

BUG FIXES:

• cli: Fix issue where consul connect envoy incorrectly uses the HTTPS API configuration for xDS connections. [GH-15466]
• sdk: Fix SDK testutil backwards compatibility by only configuring grpc_tls port for new Consul versions. [GH-15423]

v1.14.0

Compare Source

1.14.0 (November 15, 2022)

BREAKING CHANGES:

• config: Add new ports.grpc_tls configuration option.
  Introduce a new port to better separate TLS config from the existing ports.grpc config.
  The new ports.grpc_tls only supports TLS encrypted communication.
  The existing ports.grpc now only supports plain-text communication. [GH-15339]
• config: update 1.14 config defaults: Enable peering and connect by default. [GH-15302]
• config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 [GH-15302]
• connect: Removes support for Envoy 1.20 [GH-15093]
• peering: Rename PeerName to Peer on prepared queries and exported services. [GH-14854]
• xds: Convert service mesh failover to use Envoy's aggregate clusters. This
  changes the names of some Envoy dynamic HTTP metrics. [GH-14178]

SECURITY:

• Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints CVE-2022-3920 [GH-15356]

FEATURES:

• DNS-proxy support via gRPC request. [GH-14811]
• cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. [GH-14933]
• cli: Add -consul-dns-port flag to the consul connect redirect-traffic command to allow forwarding DNS traffic to a specific Consul DNS port. [GH-15050]
• connect: Add Envoy connection balancing configuration fields. [GH-14616]
• grpc: Added metrics for external gRPC server. Added server_type=internal|external label to gRPC metrics. [GH-14922]
• http: Add new get-or-empty operation to the txn api. Refer to the API docs for more information. [GH-14474]
• peering: Add mesh gateway local mode support for cluster peering. [GH-14817]
• peering: Add support for stale queries for trust bundle lookups [GH-14724]
• peering: Add support to failover to services running on cluster peers. [GH-14396]
• peering: Add support to redirect to services running on cluster peers with service resolvers. [GH-14445]
• peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. [GH-14797]
• peering: add support for routine peering control-plane traffic through mesh gateways [GH-14981]
• sdk: Configure iptables to forward DNS traffic to a specific DNS port. [GH-15050]
• telemetry: emit memberlist size metrics and broadcast queue depth metric. [GH-14873]
• ui: Added support for central config merging [GH-14604]
• ui: Create peerings detail page [GH-14947]
• ui: Detect a TokenSecretID cookie and passthrough to localStorage [GH-14495]
• ui: Display notice banner on nodes index page if synthetic nodes are being filtered. [GH-14971]
• ui: Filter agentless (synthetic) nodes from the nodes list page. [GH-14970]
• ui: Filter out node health checks on agentless service instances [GH-14986]
• ui: Remove node meta on service instances when using agentless and consolidate external-source labels on service instances page if they all match. [GH-14921]
• ui: Removed reference to node name on service instance page when using agentless [GH-14903]
• ui: Use withCredentials for all HTTP API requests [GH-14343]
• xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers [GH-14397]

IMPROVEMENTS:

• peering: Add peering datacenter and partition to initial handshake. [GH-14889]
• xds: Added a rate limiter to the delivery of proxy config updates, to prevent updates to "global" resources such as wildcard intentions from overwhelming servers (see: xds.update_max_per_second config field) [GH-14960]
• xds: Removed a bottleneck in Envoy config generation, enabling a higher number of dataplanes per server [GH-14934]
• agent/hcp: add initial HashiCorp Cloud Platform integration [GH-14723]
• agent: Added configuration option cloud.scada_address. [GH-14936]
• api: Add filtering support to Catalog's List Services (v1/catalog/services) [GH-11742]
• api: Increase max number of operations inside a transaction for requests to /v1/txn (128) [GH-14599]
• auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. [GH-15370]
• config-entry: Validate that service-resolver Failovers and Redirects only
  specify Partition and Namespace on Consul Enterprise. This prevents scenarios
  where OSS Consul would save service-resolvers that require Consul Enterprise. [GH-14162]
• connect: Add Envoy 1.24.0 to support matrix [GH-15093]
• connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [GH-14831]
• connect: service-router destinations have gained a RetryOn field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists. [GH-12890]
• dns/peering: (Enterprise Only) Support addresses in the formats <servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul and <servicename>.virtual.<partition>.ap.<peername>.peer.consul. This longer form address that allows specifying .peer would need to be used for tproxy DNS requests made within non-default partitions for imported services.
• dns: (Enterprise Only) All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: [<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>. [GH-14679]
• integ test: fix flakiness due to test condition from retry app endoint [GH-15233]
• metrics: Service RPC calls less than 1ms are now emitted as a decimal number. [GH-12905]
• peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters. [GH-14556]
• peering: require TLS for peering connections using server cert signed by Connect CA [GH-14796]
• peering: return information about the health of the peering when the leader is queried to read a peering. [GH-14747]
• raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter [GH-14897]
• raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 [GH-14897]
• raft: Fix a race condition where the snapshot file is closed without being opened [GH-14897]
• telemetry: Added a consul.xds.server.streamStart metric to measure time taken to first generate xDS resources for an xDS stream. [GH-14957]
• ui: Improve guidance around topology visualisation [GH-14527]
• xds: Set max_ejection_percent on Envoy's outlier detection to 100% for peered services. [GH-14373]

BUG FIXES:

• checks: Do not set interval as timeout value [GH-14619]
• checks: If set, use proxy address for automatically added sidecar check instead of service address. [GH-14433]
• cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together [GH-13493]
• connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. [GH-15186]
• connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. [GH-15083]
• connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. [GH-15320]
• debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters [GH-15155]
• deps: update go-memdb, fixing goroutine leak [GH-15010] [GH-15068]
• grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response. [GH-14869]
• metrics: Add duplicate metrics that have only a single "consul_" prefix for all existing metrics with double ("consul_consul_") prefix, with the intent to standardize on single prefixes. [GH-14475]
• namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter
• peering: Fix a bug that resulted in /v1/agent/metrics returning an error. [GH-15178]
• peering: fix nil pointer in calling handleUpdateService [GH-15160]
• peering: fix the error of wan address isn't taken by the peering token. [GH-15065]
• peering: when wan address is set, peering stream should use the wan address. [GH-15108]
• proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. [GH-15272]
• server: fix goroutine/memory leaks in the xDS subsystem (these were present regardless of whether or not xDS was in-use) [GH-14916]
• server: fixes the error trying to source proxy configuration for http checks, in case of proxies using consul-dataplane. [GH-14924]
• xds: Central service configuration (proxy-defaults and service-defaults) is now correctly applied to Consul Dataplane proxies [GH-14962]

NOTES:

• deps: Upgrade to use Go 1.19.2 [GH-15090]

v1.13.9

Compare Source

1.13.9 (June 26, 2023)

BREAKING CHANGES:

• connect: Disable peering by default in connect proxies for Consul 1.13. This change was made to prevent inefficient polling
  queries from having a negative impact on server performance. Peering in Consul 1.13 is an experimental feature and is not
  recommended for use in production environments. If you still wish to use the experimental peering feature, ensure
  peering.enabled = true
  is set on all clients and servers. [GH-17731]

SECURITY:

• Update to UBI base image to 9.2. [GH-17513]

FEATURES:

• server: (Enterprise Only) allow automatic license utilization reporting. [GH-5102]

IMPROVEMENTS:

• debug: change default setting of consul debug command. now default duration is 5ms and default log level is 'TRACE' [GH-17596]
• systemd: set service type to notify. [GH-16845]

BUG FIXES:

• cache: fix a few minor goroutine leaks in leaf certs and the agent cache [GH-17636]
• namespaces: (Enterprise only) fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions.
  Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints.
• namespaces: adjusts the return type from HTTP list API to return the api module representation of a namespace.
  This fixes an error with the consul namespace list command when a namespace has a deferred deletion timestamp.
• peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. [GH-17483]

v1.13.8

Compare Source

1.13.8 (May 16, 2023)

SECURITY:

• Upgrade to use Go 1.20.1.
  This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http. [GH-16263]
• Upgrade to use Go 1.20.4.
  This resolves vulnerabilities CVE-2023-24537(go/scanner),
  CVE-2023-24538(html/template),
  CVE-2023-24534(net/textproto) and
  CVE-2023-24536(mime/multipart).
  Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721, CVE-2022-27664 and CVE-2022-41723 [GH-17240]

IMPROVEMENTS:

• api: updated the go module directive to 1.18. [GH-15297]
• connect: update supported envoy versions to 1.20.7, 1.21.6, 1.22.11, 1.23.8 [GH-16891]
• sdk: updated the go module directive to 1.18. [GH-15297]

BUG FIXES:

• Fix an bug where decoding some Config structs with unset pointer fields could fail with reflect: call of reflect.Value.Type on zero Value. [GH-17048]
• audit-logging: (Enterprise only) Fix a bug where /agent/monitor and /agent/metrics endpoints return a Streaming not supported error when audit logs are enabled. This also fixes the delay receiving logs when running consul monitor against an agent with audit logs enabled. [GH-16700]
• ca: Fixes a bug where updating Vault CA Provider config would cause TLS issues in the service mesh [GH-16592]
• connect: Fix multiple inefficient behaviors when querying service health. [GH-17241]
• grpc: ensure grpc resolver correctly uses lan/wan addresses on servers [GH-17270]
• peering: Fixes a bug that can lead to peering service deletes impacting the state of local services [GH-16570]
• xds: Fix possible panic that can when generating clusters before the root certificates have been fetched. [GH-17185]

v1.13.7

Compare Source

1.13.7 (March 7, 2023)

SECURITY:

• Upgrade to use Go 1.19.6.
  This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http. [GH-16299]

IMPROVEMENTS:

• xds: Removed a bottleneck in Envoy config generation. [GH-16269]
• container: Upgrade container image to use to Alpine 3.17. [GH-16358]
• mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable [GH-16495]

BUG FIXES:

• mesh: Fix resolution of service resolvers with subsets for external upstreams [GH-16499]
• proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services [GH-16498]

v1.13.6

Compare Source

1.13.6 (January 26, 2023)

FEATURES:

• connect: add flags envoy-ready-bind-port and envoy-ready-bind-address to the consul connect envoy command that allows configuration of readiness probe on proxy for any service kind. [GH-16015]
• deps: update to latest go-discover to provide ECS auto-discover capabilities. [GH-13782]

IMPROVEMENTS:

• grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. [GH-15701]
• partition: (Consul Enterprise only) when loading service from on-disk config file or sending API request to agent endpoint,
  if the partition is unspecified, consul will default the partition in the request to agent's partition [GH-16024]

BUG FIXES:

• agent: Fix assignment of error when auto-reloading cert and key file changes. [GH-15769]

v1.13.5

Compare Source

1.13.5 (December 13, 2022)

SECURITY:

• Upgrade to use Go 1.18.9. This resolves a vulnerability where restricted files can be read on Windows. CVE-2022-41720 [GH-15706]
• Upgrades golang.org/x/net to prevent a denial of service by excessive memory usage caused by HTTP2 requests. CVE-2022-41717 [GH-15743]

IMPROVEMENTS:

• connect: ensure all vault connect CA tests use limited privilege tokens [GH-15669]

BUG FIXES:

• agent: (Enterprise Only) Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions.
• cli: (Enterprise Only) Fix issue where consul partition update subcommand was not registered and therefore not available through the cli.
• connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs [GH-15661]

v1.13.4

Compare Source

1.13.4 (November 30, 2022)

IMPROVEMENTS:

• auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. [GH-15370]
• raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter [GH-14897]
• raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 [GH-14897]
• raft: Fix a race condition where the snapshot file is closed without being opened [GH-14897]

BUG FIXES:

• agent: Fixed issue where blocking queries with short waits could timeout on the client [GH-15541]
• ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty [GH-15525]
• connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs [GH-15217] [GH-15253]
• connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. [GH-15083]
• connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. [GH-15320]
• debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters [GH-15155]
• deps: update go-memdb, fixing goroutine leak [GH-15010] [GH-15068]
• namespace: (Enterprise Only) Fix a bug that caused blocking queries during namespace replication to timeout
• namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter
• peering: better represent non-passing states during peer check flattening [GH-15615]
• peering: fix the error of wan address isn't taken by the peering token. [GH-15065]
• peering: when wan address is set, peering stream should use the wan address. [GH-15108]

v1.13.3

Compare Source

1.13.3 (October 19, 2022)

FEATURES:

• agent: Added a new config option rpc_client_timeout to tune timeouts for client RPC requests [GH-14965]
• config-entry(ingress-gateway): Added support for max_connections for upstream clusters [GH-14749]

IMPROVEMENTS:

• connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider. [GH-15035]
• connect: Added gateway options to Envoy proxy config for enabling tcp keepalives on terminating gateway upstreams and mesh gateways in remote datacenters. [GH-14800]
• connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [GH-14828]
• licensing: (Enterprise Only) Consul Enterprise production licenses do not degrade or terminate Consul upon expiration. They will only fail when trying to upgrade to a newer version of Consul. Evaluation licenses still terminate. [GH-1990]

BUG FIXES:

• agent: avoid leaking the alias check runner goroutine when the check is de-registered [GH-14935]
• ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one [GH-15005]
• cache: prevent goroutine leak in agent cache [GH-14908]
• checks: Fixed a bug that prevented registration of UDP health checks from agent configuration files, such as service definition files with embedded health check definitions. [GH-14885]
• connect: Fixed a bug where transparent proxy does not correctly spawn listeners for upstreams to service-resolvers. [GH-14751]
• snapshot-agent: (Enterprise only) Fix a bug when a session is not found in Consul, which leads the agent to panic.

v1.13.2

Compare Source

1.13.2 (September 20, 2022)

SECURITY:

• auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the AutoConfig.InitialConfiguration endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577]
• connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the ConnectCA.Sign endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]

FEATURES:

• cli: Adds new subcommands for peering workflows. Refer to the CLI docs for more information. [GH-14423]
• connect: Server address changes are streamed to peers [GH-14285]
• service-defaults: Added support for local_request_timeout_ms and
  local_connect_timeout_ms in servicedefaults config entry [GH-14395]

IMPROVEMENTS:

• connect: Bump latest Envoy to 1.23.1 in test matrix [GH-14573]
• connect: expose new tracing configuration on envoy [GH-13998]
• envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. [GH-14238]
• metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [GH-14161]
• peering: Validate peering tokens for server name conflicts [GH-14563]
• snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend.
• ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ [GH-14521]

BUG FIXES:

• agent: Fixes an issue where an agent that fails to start due to bad addresses won't clean up any existing liste

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.