Consul 1.7.0 Released!

Hello everyone,

Today we are very excited to release Consul 1.7.0. Read more in our blog post.

This release contains two security fixes, several breaking changes and many new features and bug fixes.

Security

CVE-2019-19794: There was a vulnerability in the DNS library Consul uses that caused DNS transaction IDs to be predictable. This has the potential to allow a malicious entity to forge responses to the DNS queries that Consul makes to other DNS servers.

CVE-2020-0601: There was a vulnerability in the Windows CryptoAPI regarding x509 certificate validation. This release of Consul is built with a newer Go version that mitigates the issue for Consul.

Breaking Changes

HTTP API JSON Validation: Previously the Consul HTTP API would allow unknown fields in various JSON payloads sent to it, and those unknown fields were silently ignored. As of Consul 1.7.0, the API rejects such payloads with a 400 status code and a response indicating the problematic field. Clients that send misspelled or deprecated field names will start receiving errors where they previously succeeded.
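To see what this change means for a client, the following Go program (added here as an illustration; it is not Consul's own request-handling code) decodes a constructed registration payload strictly, so that a misspelled field produces an error that a server would map to a 400 response instead of being dropped. The `ServiceRegistration` type, the sample payloads and the `StatusFor` helper are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// ServiceRegistration is a constructed stand-in for an API payload type;
// it is not one of Consul's own types.
type ServiceRegistration struct {
	Name string `json:"Name"`
	Port int    `json:"Port"`
}

// DecodeStrict mirrors the 1.7.0 behaviour described above: any JSON field
// that has no counterpart in dst is reported as an error rather than ignored.
func DecodeStrict(payload []byte, dst interface{}) error {
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.DisallowUnknownFields()
	return dec.Decode(dst)
}

// StatusFor maps the outcome of strict decoding onto the HTTP status a client
// would see: 200 for a clean payload, 400 plus the decoder's message otherwise.
func StatusFor(payload []byte) (int, string) {
	var reg ServiceRegistration
	if err := DecodeStrict(payload, &reg); err != nil {
		return http.StatusBadRequest, err.Error()
	}
	return http.StatusOK, ""
}

func main() {
	// Constructed sample payloads: the second one has a typo in "Port".
	good := []byte(`{"Name":"web","Port":8080}`)
	typo := []byte(`{"Name":"web","Prot":8080}`)

	for _, p := range [][]byte{good, typo} {
		status, msg := StatusFor(p)
		fmt.Printf("%s -> %d %s\n", p, status, msg)
	}
}
```

Before 1.7.0 the second payload would have registered a service with no port at all, which is exactly the class of silent misconfiguration the stricter validation is meant to surface.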

DNS PTR Records: DNS PTR records in responses from Consul’s DNS server will now contain a label with the datacenter name in between the service and the domain. Previously the datacenter was omitted from these responses altogether.

ACLs: There are two potentially breaking ACL changes in this release. First, the v1/agent/force-leave endpoint in the HTTP API now requires the token used for the request to have operator:write privileges instead of agent:write privileges. Second, the ACL requirements for intentions that use wildcards have changed. Previously, in order to write an intention with “*” as the intention destination, a rule like the following was required:

service "*" {
   policy = "write"
   intentions = "write"
}

Now access is granted only if two conditions are met. First, the token must have an associated rule that grants write access to all intentions, using the following service_prefix rule:

service_prefix "" {
   policy = "write"
   intentions = "write"
}

Second, no other rule associated with the token may deny access to any intention or grant only read privileges on one.

ACL requirements for reading intentions were also updated: a token may now read an intention if it has read access to either the source or the destination of that intention. Previously, read access had to be granted specifically on the destination.
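The two rules above (the wildcard-write conditions and the relaxed read check) are easy to misread, so here is a small Go model of them, added as an illustration for this post. It is not Consul's ACL implementation: the `ServiceRule` struct, the longest-prefix matching in `serviceAccess`, and the treatment of rules with no `intentions` setting as neutral are all assumptions made to keep the example self-contained.

```go
package main

import (
	"fmt"
	"strings"
)

// ServiceRule is a constructed model of one service / service_prefix rule.
// Prefix holds the exact name for `service "name"` rules and the prefix for
// `service_prefix "..."` rules; an empty prefix matches every service.
type ServiceRule struct {
	Prefix     string
	Exact      bool   // true for `service`, false for `service_prefix`
	Policy     string // "read", "write" or "deny"
	Intentions string // "read", "write", "deny", or "" when not set
}

// CanWriteWildcardIntention applies the two 1.7.0 conditions from the notes:
//  1. some `service_prefix ""` rule grants intentions = "write";
//  2. no other rule denies intentions or grants them read-only.
// Rules that leave intentions unset are treated as neutral (an assumption).
func CanWriteWildcardIntention(rules []ServiceRule) bool {
	granted := false
	for _, r := range rules {
		if !r.Exact && r.Prefix == "" && r.Intentions == "write" {
			granted = true
			continue
		}
		if r.Intentions == "deny" || r.Intentions == "read" {
			return false
		}
	}
	return granted
}

// serviceAccess returns the policy that applies to a service name: an exact
// rule wins outright, otherwise the longest matching prefix rule is used.
// An empty result means no rule matched (assumed precedence model).
func serviceAccess(rules []ServiceRule, name string) string {
	best, bestLen := "", -1
	for _, r := range rules {
		switch {
		case r.Exact && r.Prefix == name:
			return r.Policy
		case !r.Exact && strings.HasPrefix(name, r.Prefix) && len(r.Prefix) > bestLen:
			best, bestLen = r.Policy, len(r.Prefix)
		}
	}
	return best
}

// CanReadIntention implements the relaxed read rule: read access on either
// the source or the destination service is enough.
func CanReadIntention(rules []ServiceRule, source, destination string) bool {
	for _, svc := range []string{source, destination} {
		switch serviceAccess(rules, svc) {
		case "read", "write":
			return true
		}
	}
	return false
}

func main() {
	// Constructed token policies for the three cases discussed above.
	legacy := []ServiceRule{{Prefix: "*", Exact: true, Policy: "write", Intentions: "write"}}
	allIntentions := []ServiceRule{{Prefix: "", Policy: "write", Intentions: "write"}}
	withReadOnly := append(allIntentions,
		ServiceRule{Prefix: "web", Exact: true, Policy: "read", Intentions: "read"})

	fmt.Println("legacy service \"*\" rule:       ", CanWriteWildcardIntention(legacy))
	fmt.Println("service_prefix \"\" only:         ", CanWriteWildcardIntention(allIntentions))
	fmt.Println("plus a read-only intentions rule:", CanWriteWildcardIntention(withReadOnly))

	readWeb := []ServiceRule{{Prefix: "web", Exact: true, Policy: "read"}}
	fmt.Println("read web->db with read on web:   ", CanReadIntention(readWeb, "web", "db"))
	fmt.Println("read api->db with read on web:   ", CanReadIntention(readWeb, "api", "db"))
}
```

The second condition is the one that catches people: adding a narrower rule that grants `intentions = "read"` on a single service is enough to lose the wildcard-write capability for the whole token, even though the broad `service_prefix ""` rule is still present.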

Logging: This release has upgraded all of Consul’s logging to use a new logging library and consequently the structure of the logs Consul emits has changed. This is a potentially breaking change if you are parsing Consul’s log output in any way. The new format should be richer and easier to parse and also has enabled Consul to emit structured logs in JSON form.

Telemetry: The consul.rpc.query metric has changed to only measure the start of srv.blockingQuery() calls. In certain rare cases where there are many idempotent updates, this will cause the metric to report lower values than before. The counter should now provide more meaningful behavior that maps to the rate of client-initiated requests. Additionally, the consul.rpc.queries_blocking gauge was added to measure the current number of in-flight blocking queries.

New Features

  • Namespaces (Consul Enterprise only): This version adds namespacing to Consul. Namespaces help reduce operational challenges by removing restrictions around uniqueness of resource names across distinct teams, and enable operators to provide self-service through delegation of administrative privileges. Namespace support was added to:
    • ACLs
    • Key/Value Store
    • Sessions
    • Catalog
    • Connect
    • UI [GH6639]
  • Cloud Auto-join support for Tencent Cloud
  • Discovery Chain Visualization in the UI
  • Exposed Check support in the UI

Code Signing and Notarization

This is the first release that is signed and notarized according to Apple’s third-party requirements. Prior to this release, macOS 10.15+ users attempting to run our software may have seen the error: “‘consul’ cannot be opened because the developer cannot be verified.” This error affected all macOS 10.15+ users who downloaded our software directly via web browsers, and was caused by Apple’s new notarization requirements.

macOS 10.15+ users should plan to upgrade to 1.7.0+ to avoid running into this error.

Additionally, our Windows 32-bit and 64-bit executables for this version and up will be signed with a HashiCorp certificate. Windows users will no longer see a warning about an “unknown publisher” when running our software.

Please see the complete changelog for details on the release:

The release binaries can be downloaded here:

https://releases.hashicorp.com/consul/1.7.0/

– The Consul Team
