SECURITY:
- api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. [GH-24683]
- security: Added more host environment variables to the default deny list for tasks [GH-24540]
- security: Explicitly set 'Content-Type' header to mitigate XSS vulnerability [GH-24489]
- security: add executeTemplate to default template function_denylist [GH-24541]
BUG FIXES:
- agent: Fixed a bug where
retry_joingave up after a single failure, rather than retrying until max attempts had been reached [GH-24561] - cli: Ensure the
operator autopilot healthcommand only outputs JSON when thejsonflag is supplied [GH-24655] - consul: Fixed a bug where failures when syncing Consul checks could panic the Nomad agent [GH-24513]
- consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart [GH-24410]
- csi: Fixed a bug where drivers that emit multiple topology segments would cause placements to fail [GH-24522]
- csi: Removed redundant namespace output from volume status command [GH-24432]
- discovery: Fixed a bug where IPv6 addresses would not be accepted from cloud autojoin [GH-24649]
- drivers: fix executor leak when drivers error starting tasks [GH-24495]
- executor: validate executor on reattach to avoid possibility of killing non-Nomad processes [GH-24538]
- fix: handles consul template re-renders on client restart [GH-24399]
- networking: use a tmpfs location for the state of CNI IPAM plugin used by bridge mode, to fix a bug where allocations would fail to restore after host reboot [GH-24650]
- scheduler: take all assigned cpu cores into account instead of only those part of the largest lifecycle [GH-24304]
- vault: Fixed a bug where expired secret leases were treated as non-fatal and retried [GH-24409]
- windows: Restore process accounting logic from Nomad 1.6.x [GH-24494]