1.19.4 Enterprise (January 10, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
BREAKING CHANGES:
- mesh: (Enterprise Only) Enable Envoy
HttpConnectionManager.normalize_pathby default on inbound traffic to mesh proxies. This resolves CVE-2024-10005.
SECURITY:
- Removed ability to use bexpr to filter results without ACL read on endpoint [GH-21950]
- Resolved issue where hcl would allow duplicates of the same key in acl policy configuration. [GH-21908]
- Update
github.com/golang-jwt/jwt/v4to v4.5.1 to address GHSA-29wx-vh33-7x7r. [GH-21951] - Update
golang.org/x/cryptoto v0.31.0 to address GO-2024-3321. [GH-22001] - Update
golang.org/x/netto v0.33.0 to address GO-2024-3333. [GH-22021] - Update
registry.access.redhat.com/ubi9-minimalimage to 9.5 to address CVE-2024-3596,CVE-2024-2511,CVE-2024-26458. [GH-22011] - api: Enforces strict content-type header validation to protect against XSS vulnerability. [GH-21930]
- mesh: (Enterprise Only) Add
containsandignoreCaseto L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves CVE-2024-10006. - mesh: (Enterprise Only) Add
http.incoming.requestNormalizationto Mesh configuration entry to support inbound service traffic request normalization. This resolves CVE-2024-10005 and CVE-2024-10006.
IMPROVEMENTS:
- Upgrade api submodule to 1.29.6 [GH-22058]
- snapshot agent: (Enterprise only) Implement Service Principal Auth for snapshot agent on azure.
- xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [GH-21655]
BUG FIXES: