i0rek
June 10, 2020, 10:08pm
1
Hello everyone,
We just released Consul 1.6.6 and 1.7.4 which are shipping fixes for multiple CVEs:
Consul 1.6.6 and 1.7.4 are available as of now for OSS and ENT customers in the usual locations. Both releases are mostly about the fixed CVEs:
CVE-2020-13250 : Consul’s DNS and HTTP API expose a caching feature susceptible to DoS.
CVE-2020-12797 : Consul doesn’t enforce changes to legacy ACL tokens rules due to not being propagated to secondary data centers.
CVE-2020-13170 : When token replication is not enabled in a secondary datacenter, attempts to use a local token created in the primary are successful for operations targeting that secondary datacenter. Thus what was meant to be scoped to a single datacenter is valid in other datacenters.
CVE-2020-12758 : Requiring service:write permissions, a service-router entry without a destination can crash Consul servers.
Please see the complete changelog for details on the releases:
## 1.6.6 (June 10, 2020)
SECURITY:
* Adding an option `http_config.use_cache` to disable agent caching for http endpoints, because Consul’s DNS and HTTP API expose a caching feature susceptible to DoS. [CVE-2020-13250](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13250) [[GH-8023]](https://github.com/hashicorp/consul/pull/8023)
* Propagate and enforce changes to legacy ACL tokens rules in secondary data centers. [CVE-2020-12797](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12797) [[GH-8047]](https://github.com/hashicorp/consul/pull/8047)
* Only resolve local acl token in the datacenter it belongs to. [CVE-2020-13170](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13170) [[GH-8068]](https://github.com/hashicorp/consul/pull/8068)
BUG FIXES:
* acl: Fixed an issue where legacy management tokens could not be used in secondary datacenters. [[GH-7908](https://github.com/hashicorp/consul/pull/7908)]
* agent: Fixed a race condition that could cause an agent to crash when first starting. [[GH-7955](https://github.com/hashicorp/consul/issues/7955)]
## 1.6.5 (April 14, 2020)
BUG FIXES:
* agent: **(Consul Enterprise only)** Fixed several bugs related to Network Area ann Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [[GH-7551](https://github.com/hashicorp/consul/pull/7551)]
## 1.6.4 (February 20, 2020)
This file has been truncated. show original
## 1.7.4 (June 10, 2020)
SECURITY:
* Adding an option `http_config.use_cache` to disable agent caching for http endpoints, because Consul’s DNS and HTTP API expose a caching feature susceptible to DoS. [CVE-2020-13250](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13250) [[GH-8023]](https://github.com/hashicorp/consul/pull/8023)
* Propagate and enforce changes to legacy ACL tokens rules in secondary data centers. [CVE-2020-12797](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12797) [[GH-8047]](https://github.com/hashicorp/consul/pull/8047)
* Only resolve local acl token in the datacenter it belongs to. [CVE-2020-13170](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13170) [[GH-8068]](https://github.com/hashicorp/consul/pull/8068)
* Requiring service:write permissions, a service-router entry without a destination no longer crashes Consul servers. [CVE-2020-12758](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12758) [[GH-7783]](https://github.com/hashicorp/consul/pull/7783)
BUG FIXES:
* acl: Fixed an issue where legacy management tokens could not be used in secondary datacenters. [[GH-7908](https://github.com/hashicorp/consul/pull/7908)]
* agent: Fixed a race condition that could cause an agent to crash when first starting. [[GH-7955](https://github.com/hashicorp/consul/issues/7955)]
* connect: setup intermediate_pki_path on secondary when using vault [[GH-8001]](https://github.com/hashicorp/consul/pull/8001)
## 1.7.3 (May 05, 2020)
IMPROVEMENTS:
* acl: **(Consul Enterprise only)** - Disable the ACL.Bootstrap RPC endpoints when managed service provider tokens are in use. [[GH-7614](https://github.com/hashicorp/consul/pull/7614)]
This file has been truncated. show original
The release binaries can be downloaded here:
https://releases.hashicorp.com/consul/1.6.6/
https://releases.hashicorp.com/consul/1.7.4/
– The Consul Team
1 Like