consul v1.9.5 Release Notes
Release Date: 2021-04-15 // about 3 years ago-
๐ SECURITY:
- โ Add content-type headers to raw KV responses to prevent XSS attacks CVE-2020-25864 [GH-10023]
- ๐ audit-logging: Parse endpoint URL to prevent requests from bypassing the audit log CVE-2021-28156
๐ IMPROVEMENTS:
- ๐ api:
AutopilotServerHelath
now handles the 429 status code returned by the v1/operator/autopilot/health endpoint and still returned the parsed reply which will indicate server healthiness [GH-8599] - 0๏ธโฃ client: when a client agent is attempting to dereigster a service, anddoes not have access to the ACL token used to register a service, attempt to use the agent token instead of the default user token. If no agent token is set, fall back to the default user token. [GH-9683]
- connect: Automatically rewrite the Host header for Terminating Gateway HTTP services [GH-9042]
- ๐ ui: support stricter content security policies [GH-9847]
๐ BUG FIXES:
- api: ensure v1/health/ingress/:service endpoint works properly when streaming is enabled [GH-9967]
- ๐ areas: Fixes a bug which would prevent newer servers in a network areas from connecting to servers running a version of Consul prior to 1.7.3.
- ๐ audit-logging: (Enterprise only) Fixed an issue that resulted in usage of the agent master token or managed service provider tokens from being resolved properly. [GH-10013]
- cache: fix a bug in the client agent cache where streaming could potentially leak resources. [GH-9978]. [GH-9978]
- cache: fix a bug in the client agent cache where streaming would disconnect every 20 minutes and cause delivery delays. [GH-9979]. [GH-9979]
- ๐ command: when generating envoy bootstrap configs to stdout do not mix informational logs into the json [GH-9980]
- โ config: correct config key from
advertise_addr_ipv6
toadvertise_addr_wan_ipv6
[GH-9851] - ๐ http: fix a bug in Consul Enterprise that would cause the UI to believe namespaces were supported, resulting in warning logs and incorrect UI behaviour. [GH-9923]
- ๐ snapshot: fixes a bug that would cause snapshots to be missing all but the first ACL Auth Method. [GH-10025]
- ๐ป ui: Fix intention form cancel button [GH-9901]