SECURITY:
- security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]
IMPROVEMENTS:
- keyring: Added support for prepublishing keys [GH-23577]
BUG FIXES:
- api: Fixed a bug where an
api.Configtargeting a unix domain socket could not be reused between clients [GH-23785] - cni: .conf and .json config files are now parsed properly [GH-23629]
- docker: Fixed a bug where plugin SELinux labels would conflict with read-only
volumeoptions [GH-23750] - identity: Fixed a bug where a missing default task identity could panic the leader [GH-23763]
- keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
- keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the
-fullflag [GH-23577] - keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
- networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
- scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
- template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
- windows: Fix bug with containers capabilities on Docker CE [GH-23599]