We just released Consul 1.6.3, which has two security-related fixes.
In addition, 1.6.3 includes fixes for intermediate certificate handling in a secondary datacenter in a multi-dc Connect setup.
A vulnerability was identified in Consul such that unbounded resource usage, triggered by the establishment of many unauthenticated HTTP or RPC connections, may generate excessive load and/or crash the server.
This vulnerability affects all previous releases of Consul and is fixed in the 1.6.3 release. For full details about the problem and how to remediate it, see [issue 7159 on GitHub](https://github.com/hashicorp/consul/issues/7159).
A low-risk vulnerability was identified in the Consul HTTP API such that the endpoints v1/agent/health/service/* did not enforce ACLs. An unauthenticated caller could therefore read the local agent's health view of a service that its token was not permitted to see.
This vulnerability affects Consul releases 1.4.1 through 1.6.2 and is fixed in 1.6.3. For full details about the problem and how to remediate it, see [issue 7160 on GitHub](https://github.com/hashicorp/consul/issues/7160).
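A post-upgrade check for both advisories, as an added example that is not HashiCorp's code and not part of the original announcement. It classifies an agent's reported version against the affected ranges stated above and then probes one of the v1/agent/health/service/* endpoints without a token, treating HTTP 403 as proof that ACL enforcement is in place. Assumptions: the agent listens at http://127.0.0.1:8500 (or `CONSUL_HTTP_ADDR`), a service named `web` is registered on it, and the cluster runs with ACLs enabled and `default_policy = "deny"`; with a default-allow policy the anonymous token legitimately has read access, so a 200 there says nothing about enforcement. The HTTP opener is injectable so the logic can be exercised offline against constructed responses.

```python
"""Post-upgrade checks for the Consul 1.6.3 advisories GH-7159 and GH-7160.

Added example, not HashiCorp code. Version ranges come from the advisory text;
the endpoint path and the X-Consul-Token header are the documented agent API.
"""
import json
import os
import re
import urllib.error
import urllib.request

FIXED_IN = (1, 6, 3)                 # both issues fixed in 1.6.3
GH7160_FIRST_AFFECTED = (1, 4, 1)    # health/service endpoints were added in 1.4.1


def parse_version(version):
    """'1.6.2', 'v1.6.3', '1.6.3-dev', '1.6.2+ent' -> (1, 6, 2) style tuple.

    Pre-release and enterprise suffixes are ignored: the fix is in the
    numbered release regardless of build flavour.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Consul version: {version!r}")
    return tuple(int(x) for x in m.groups())


def affected_by_gh7159(version):
    """Unbounded resource use from unauthenticated connections: every release before 1.6.3."""
    return parse_version(version) < FIXED_IN


def affected_by_gh7160(version):
    """Missing ACL enforcement on v1/agent/health/service/*: 1.4.1 through 1.6.2 inclusive."""
    return GH7160_FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def agent_version(base_url, token=None, opener=urllib.request.urlopen):
    """Read Config.Version from /v1/agent/self (needs agent:read, hence the optional token)."""
    req = urllib.request.Request(f"{base_url}/v1/agent/self")
    if token:
        req.add_header("X-Consul-Token", token)
    with opener(req) as resp:
        return json.load(resp)["Config"]["Version"]


def health_endpoint_enforces_acl(base_url, service, opener=urllib.request.urlopen):
    """True iff an unauthenticated request to the per-service health endpoint is refused.

    A fixed agent answers 403 (permission denied) before it consults the service
    at all; a vulnerable one returns the health payload (200) or 404 if the
    service is unknown. Anything other than 403 or a successful body is
    re-raised so a misconfigured probe is not mistaken for a verdict.
    """
    req = urllib.request.Request(f"{base_url}/v1/agent/health/service/name/{service}")
    try:
        with opener(req) as resp:
            resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return True
        raise
    return False


def assess(version, acl_enforced):
    """Combine the two checks into a single verdict string for a report."""
    findings = []
    if affected_by_gh7159(version):
        findings.append("GH-7159: unauthenticated-connection DoS, upgrade to >= 1.6.3")
    if affected_by_gh7160(version):
        findings.append("GH-7160: health/service endpoints lack ACL enforcement")
    if not acl_enforced:
        findings.append("probe: anonymous read of agent health/service succeeded")
    return "ok" if not findings else "; ".join(findings)


if __name__ == "__main__":
    # Live run against a real agent; assumed address and service name.
    base = os.environ.get("CONSUL_HTTP_ADDR", "http://127.0.0.1:8500")
    ver = agent_version(base, token=os.environ.get("CONSUL_HTTP_TOKEN"))
    print(ver, assess(ver, health_endpoint_enforces_acl(base, "web")))
```

Run it once with a management token in `CONSUL_HTTP_TOKEN` so the version lookup succeeds; the health probe deliberately sends no token, because the whole point of GH-7160 is what an unauthenticated caller can see.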
Please see the complete changelog for details on the releases:
## 1.6.3 (January 30, 2020)
* agent: mitigate potential DoS vector allowing unbounded server resource usage from unauthenticated connections [[GH-7159](https://github.com/hashicorp/consul/issues/7159)]
* acl: add ACL enforcement to the `v1/agent/health/service/*` endpoints [[GH-7160](https://github.com/hashicorp/consul/issues/7160)]
* tls: `auto_encrypt` and `verify_incoming` [[GH-6811](https://github.com/hashicorp/consul/pull/6811)]
* agent: output proper HTTP status codes for Txn requests that are too large [[GH-7158](https://github.com/hashicorp/consul/pull/7158)]
* connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index [[GH-7011](https://github.com/hashicorp/consul/pull/7011)]
* connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison [[GH-7012](https://github.com/hashicorp/consul/pull/7012)]
## 1.6.2 (November 13, 2019)
The release binaries can be downloaded here:
– The Consul Team