Hello everyone,
We just released Consul 1.6.4 which ships an updated version of miekg/dns that includes a fix for a CVE.
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
Please see the complete changelog for details on the releases:
https://github.com/hashicorp/consul/blob/v1.6.4/CHANGELOG.md
The release binaries can be downloaded here:
https://releases.hashicorp.com/consul/1.6.4/
– The Consul Team