The Nomad team is pleased to announce Nomad 1.9.4, which includes various security and bug-related improvements for Nomad and Nomad Enterprise.
This release includes the following security bug fixes:
- No longer allows use of executeTemplate by default in template blocks
- Mitigate XSS vulnerabilities by setting ‘Content-Type’ header in HTTP error responses
- Disallow additional environment variables by default from being propagated to tasks
- Prevent privilege escalation through unredacted workload identity token impersonation
As well as these improvements:
- Nomad Actions now support a wider variety of names!
- PreRun and PreStart hooks now emit telemetry for monitoring and alerting
- Nomad-specific workload information is now passed to CNI_ARGS
- Job versions can be cloned and edited via the Web UI
And these bug fixes (among others):
- Fixed a bug where retry_join would give up after a single failure
- Fixed a bug where AMD CPUs were not correctly fingerprinting base clock speed
- Fixed a bug where syncing Consul checks could panic the Nomad agent
- Fixed a bug where CSI drivers could cause placements to fail
- Fixed a bug where the executor based drivers would leak goroutines on task-start failures
- Fixed a bug where forced garbage collection would not ignore GC thresholds
- Fixed a UI bug where two parent jobs could “see” each other’s dispatch jobs
- Fixed a UI bug where volumes were not navigable
Please refer to the changelog for the complete list of changes. We are also releasing backports of all enhancements to Nomad Enterprise v1.8.8 and v1.7.16.
Thanks,
The Nomad Team
1.9.4 Binaries - Nomad v1.9.4 Binaries | HashiCorp Releases
1.9.4 Changelog - nomad/CHANGELOG.md at v1.9.4 · hashicorp/nomad · GitHub