1.22.5 (February 26, 2026)
SECURITY:
- security: upgrade go version to 1.25.7 [GH-23204]
- dockerfile: the Consul build Go base image to
alpine3.23[GH-23194] - connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
- security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
- security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
- security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]
IMPROVEMENTS:
- api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
- agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
- cli: Added
--aws-iam-endpointflag toconsul logincommand for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109] - docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
- api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]