We have released Consul 1.7.0-beta4. This release contains the security fixes that were also released in v1.6.3 earlier this week. In addition to the security and bug fixes, Consul can now output logs in JSON format.
A vulnerability was identified in Consul such that unbounded resource usage, triggered by the establishment of many unauthenticated HTTP or RPC connections, may generate excessive load and/or crash the server.
This vulnerability affects all previous releases of Consul, and is fixed in the 1.6.3 and 1.7.0-beta4 releases. For full details about the problem and how to remediate it, see [issue 7159](https://github.com/hashicorp/consul/issues/7159) on GitHub.
A low-risk vulnerability was identified in the Consul HTTP API such that the `v1/agent/health/service/*` endpoints did not enforce ACL.
This vulnerability affects Consul releases 1.4.1 until 1.6.2, and is fixed in 1.6.3 and 1.7.0-beta4. For full details about the problem and how to remediate it, see [issue 7160](https://github.com/hashicorp/consul/issues/7160) on GitHub.
Please see the complete changelog for details on the release:
## 1.7.0-beta4 (January 31, 2020)
* agent: mitigate potential DoS vector allowing unbounded server resource usage from unauthenticated connections [[GH-7159](https://github.com/hashicorp/consul/issues/7159)]
* acl: add ACL enforcement to the `v1/agent/health/service/*` endpoints [[GH-7160](https://github.com/hashicorp/consul/issues/7160)]
* logging: Switch over to using go-hclog and allow emitting either structured or unstructured logs. [[GH-1249](https://github.com/hashicorp/consul/issues/1249)][[GH-7130](https://github.com/hashicorp/consul/pull/7130)]
* acl: **(Consul Enterprise only)** `intention:write` privileges are now granted by the `namespace-management` policy that is injected into each new namespace.
* config: Fixed a bug that caused some config parsing to be case-sensitive: [[GH-7191](https://github.com/hashicorp/consul/pull/7191)]
* connect: **(Consul Enterprise only)** Fixed a bug that caused Envoy intention authorization to improperly request authorization in the `default` namespace.
* connect: **(Consul Enterprise only)** Fixed bugs that caused the intention CLI interface to not properly handle namespaces in the strings passed as its arguments.
* ui: Remove the Policy/Service Identity selector from namespace policy form [[GH-7124](https://github.com/hashicorp/consul/pull/7124)]
* ui: Fix positioning of active icon in the selected menu item [[GH-7148](https://github.com/hashicorp/consul/pull/7148)]
* ui: Discovery-Chain: Improve parsing of redirects [[GH-7174](https://github.com/hashicorp/consul/pull/7174)]
The release binaries can be downloaded here:
– The Consul Team