v1.15.12 (Enterprise)

1.15.12 Enterprise (May 14, 2024)

Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.

SECURITY:

• Bump Dockerfile base image to alpine:3.19. [GH-20897]
• Update vault/api to v1.12.2 to address CVE-2024-28180
  (removes indirect dependency on impacted go-jose.v2) [GH-20910]
• Upgrade Go to use 1.21.10. This addresses CVEs
  CVE-2024-24787 and
  CVE-2024-24788 [GH-21074]
• Upgrade to support Envoy 1.26.8, 1.27.4, 1.27.5, 1.28.2 and 1.28.3. This resolves CVEs
  CVE-2024-27919 (http2). [GH-20956] and CVE-2024-32475 (auto_sni). [GH-21030]
• Upgrade to support k8s.io/apimachinery v0.18.7 or higher. This resolves CVE
  CVE-2020-8559. [GH-21030]
• Upgrade to use Go 1.21.9. This resolves CVE
  CVE-2023-45288 (http2). [GH-20956]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE
  CVE-2023-45288 (x/net). [GH-20956]
• security: Remove coredns/coredns dependency to address CVE-2024-0874 [GH-9245]

BUG FIXES:

• xds: Make TCP external service registered with terminating gateway reachable from peered cluster [GH-19881]

v1.18.1

1.18.1 (March 26, 2024)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

BREAKING CHANGES:

• ui: Adds a "Link to HCP Consul Central" modal with integration to side-nav and link to HCP banner. There will be an option to disable the Link to HCP banner from the UI in a follow-up release. [GH-20474]

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-20801]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426 [GH-20812]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-20812]

IMPROVEMENTS:

• api: Randomize the returned server list for the WatchServers gRPC endpoint. [GH-20866]
• partitions: (Enterprise only) Allow disabling of Gossip per Partition [GH-20669]
• snapshot agent: (Enterprise only) Add support for multiple snapshot destinations using the backup_destinations config file object.
• xds: Improved the performance of xDS server side load balancing. Its slightly improved in Consul CE with drastic CPU usage reductions in Consul Enterprise. [GH-20672]

BUG FIXES:

• audit-logs: (Enterprise Only) Fixes non ASCII characters in audit logs because of gzip. [GH-20345]
• connect: Fix issue where Consul-dataplane xDS sessions would not utilize the streaming backend for wan-federated queries. [GH-20868]
• connect: Fix potential goroutine leak in xDS stream handling. [GH-20866]
• connect: Fix xDS deadlock that could result in proxies being unable to start. [GH-20867]
• ingress-gateway: (Enterprise Only) Fix a bug where on update, Ingress Gateways lost all upstreams for listeners with wildcard services in a different namespace.

v1.17.4 (Enterprise)

1.17.4 Enterprise (March 26, 2024)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-20801]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426 [GH-20812]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-20812]

IMPROVEMENTS:

• api: Randomize the returned server list for the WatchServers gRPC endpoint. [GH-20866]
• snapshot agent: (Enterprise only) Add support for multiple snapshot destinations using the backup_destinations config file object.

BUG FIXES:

• connect: Fix issue where Consul-dataplane xDS sessions would not utilize the streaming backend for wan-federated queries. [GH-20868]
• connect: Fix potential goroutine leak in xDS stream handling. [GH-20866]
• connect: Fix xDS deadlock that could result in proxies being unable to start. [GH-20867]
• dns: SERVFAIL when resolving not found PTR records. [GH-20679]
• ingress-gateway: (Enterprise Only) Fix a bug where on update, Ingress Gateways lost all upstreams for listeners with wildcard services in a different namespace.
• snapshot-agent: (Enterprise only) Fix a bug with static AWS credentials where one of the key id or secret key is provided via config file and the other is provided via an environment variable.

v1.16.7 (Enterprise)

1.16.7 Enterprise (March 26, 2024)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-20801]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426 [GH-20812]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-20812]

IMPROVEMENTS:

• api: Randomize the returned server list for the WatchServers gRPC endpoint. [GH-20866]
• snapshot agent: (Enterprise only) Add support for multiple snapshot destinations using the backup_destinations config file object.

BUG FIXES:

• connect: Fix issue where Consul-dataplane xDS sessions would not utilize the streaming backend for wan-federated queries. [GH-20868]
• connect: Fix potential goroutine leak in xDS stream handling. [GH-20866]
• connect: Fix xDS deadlock that could result in proxies being unable to start. [GH-20867]
• ingress-gateway: (Enterprise Only) Fix a bug where on update, Ingress Gateways lost all upstreams for listeners with wildcard services in a different namespace.
• snapshot-agent: (Enterprise only) Fix a bug with static AWS credentials where one of the key id or secret key is provided via config file and the other is provided via an environment variable.

v1.15.11 (Enterprise)

1.15.11 Enterprise (March 26, 2024)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-20801]

IMPROVEMENTS:

• api: Randomize the returned server list for the WatchServers gRPC endpoint. [GH-20866]

BUG FIXES:

• connect: Fix issue where Consul-dataplane xDS sessions would not utilize the streaming backend for wan-federated queries. [GH-20868]
• connect: Fix potential goroutine leak in xDS stream handling. [GH-20866]
• connect: Fix xDS deadlock that could result in proxies being unable to start. [GH-20867]
• ingress-gateway: (Enterprise Only) Fix a bug where on update, Ingress Gateways lost all upstreams for listeners with wildcard services in a different namespace.
• snapshot-agent: (Enterprise only) Fix a bug with static AWS credentials where one of the key id or secret key is provided via config file and the other is provided via an environment variable.

v1.18.0

BREAKING CHANGES:

• config-entries: Allow disabling request and idle timeouts with negative values in service router and service resolver config entries. [GH-19992]
• telemetry: Adds fix to always use the value of telemetry.disable_hostname when determining whether to prefix gauge-type metrics with the hostname of the Consul agent. Previously, if only the default metric sink was enabled, this configuration was ignored and always treated as true, even though its default value is false. [GH-20312]

SECURITY:

• Update golang.org/x/crypto to v0.17.0 to address CVE-2023-48795. [GH-20023]
• connect: Update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address CVE-2023-44487 [GH-19306]
• mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, CVE-2023-44487, GH-20589], CVE-2023-44487, and [GH-19879]

FEATURES:

• acl: add policy bindtype to binding rules. [GH-19499]
• agent: Introduces a new agent config default_intention_policy to decouple the default intention behavior from ACLs [GH-20544]
• agent: (Enterprise Only) Add fault injection filter support for Consul Service Mesh
• cloud: Adds new API/CLI to initiate and manage linking a Consul cluster to HCP Consul Central [GH-20312]
• dns: adds experimental support for a refactored DNS server that is v1 and v2 Catalog compatible.
  Use v2dns in the experiments agent config to enable.
  It will automatically be enabled when using the resource-apis (Catalog v2) experiment.
  The new DNS implementation will be the default in Consul 1.19.
  See the Consul 1.18.x Release Notes for deprecated DNS features. [GH-20643]
• ui: Added a banner to let users link their clusters to HCP [GH-20275]
• ui: Adds a redirect and warning message around unavailable UI with V2 enabled [GH-20359]
• ui: adds V2CatalogEnabled to config that is passed to the ui [GH-20353]
• v2: prevent use of the v2 experiments in secondary datacenters for now [GH-20299]

IMPROVEMENTS:

• cloud: unconditionally add Access-Control-Expose-Headers HTTP header [GH-20220]
• connect: Replace usage of deprecated Envoy field envoy.config.core.v3.HeaderValueOption.append. [GH-20078]
• connect: Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2. [GH-20013]
• docs: add Link API documentation [GH-20308]
• resource: lowercase names enforced for v2 resources only. [GH-19218]

BUG FIXES:

• dns: SERVFAIL when resolving not found PTR records. [GH-20679]
• raft: Fix panic during downgrade from enterprise to oss. [GH-19311]
• server: Ensure controllers are automatically restarted on internal stream errors. [GH-20642]
• server: Ensure internal streams are properly terminated on snapshot restore. [GH-20642]
• snapshot-agent: (Enterprise only) Fix a bug with static AWS credentials where one of the key id or secret key is provided via config file and the other is provided via an environment variable.

v1.17.3

1.17.3 (February 13, 2024)

SECURITY:

• mesh: Update Envoy versions to 1.27.3 and 1.26.7 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 [GH-20587]

FEATURES:

• cli: Adds new command exported-services to list all services exported and their consumers. Refer to the CLI docs for more information. [GH-20331]

IMPROVEMENTS:

• ProxyCfg: avoid setting a watch on Internal.ServiceDump when mesh gateway is not used. [GH-20168]
• ProxyCfg: only return the nodes list when querying the Internal.ServiceDump watch from proxycfg [GH-20168]
• Upgrade to use Go 1.21.7. [GH-20545]
• api: add a new api(/v1/exported-services) to list all the exported service and their consumers. [GH-20015]
• connect: Add CaseInsensitive flag to service-routers that allows paths and path prefixes to ignore URL upper and lower casing. [GH-19647]

BUG FIXES:

• audit-logs: (Enterprise Only) Fixes non ASCII characters in audit logs because of gzip. [GH-20345]
• connect: Fix issue where re-persisting existing proxy-defaults using http protocol fails with a protocol-mismatch error. [GH-20481]
• connect: Fix regression with SAN matching on terminating gateways GH-20360 [GH-20417]
• connect: Remove code coupling where the xDS capacity controller could negatively affect raft autopilot performance. [GH-20511]
• logging: add /api prefix to v2 resource endpoint logs [GH-20352]
• mesh: Fix bug where envoy extensions could not be configured with "permissive" mTLS mode. Note that envoy extensions currently do not apply to non-mTLS traffic in permissive mode. [GH-20406]

v1.16.6

1.16.6 (February 13, 2024)

SECURITY:

• mesh: Update Envoy version to 1.26.7 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 [GH-20586]

IMPROVEMENTS:

• ProxyCfg: avoid setting a watch on Internal.ServiceDump when mesh gateway is not used. [GH-20168]
• ProxyCfg: only return the nodes list when querying the Internal.ServiceDump watch from proxycfg [GH-20168]
• Upgrade to use Go 1.21.7. [GH-20545]

BUG FIXES:

• audit-logs: (Enterprise Only) Fixes non ASCII characters in audit logs because of gzip. [GH-20345]
• connect: Fix issue where re-persisting existing proxy-defaults using http protocol fails with a protocol-mismatch error. [GH-20481]
• connect: Fix regression with SAN matching on terminating gateways GH-20360 [GH-20417]
• connect: Remove code coupling where the xDS capacity controller could negatively affect raft autopilot performance. [GH-20511]
• mesh: Fix bug where envoy extensions could not be configured with "permissive" mTLS mode. Note that envoy extensions currently do not apply to non-mTLS traffic in permissive mode. [GH-20406]

v1.15.10

1.15.10 (February 13, 2024)

SECURITY:

• mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 [GH-20590]

IMPROVEMENTS:

• ProxyCfg: avoid setting a watch on Internal.ServiceDump when mesh gateway is not used. [GH-20168]
• ProxyCfg: only return the nodes list when querying the Internal.ServiceDump watch from proxycfg [GH-20168]
• Upgrade to use Go 1.21.7. [GH-20545]
• mesh: update supported envoy version 1.28.0 in addition to 1.27.2, 1.26.6 to support LTS release [GH-20323]

BUG FIXES:

• audit-logs: (Enterprise Only) Fixes non ASCII characters in audit logs because of gzip. [GH-20345]
• connect: Fix issue where re-persisting existing proxy-defaults using http protocol fails with a protocol-mismatch error. [GH-20481]
• connect: Remove code coupling where the xDS capacity controller could negatively affect raft autopilot performance. [GH-20511]

v1.18.0-rc1

1.18.0-rc1 (February 6, 2024)

BREAKING CHANGES:

• config-entries: Allow disabling request and idle timeouts with negative values in service router and service resolver config entries. [GH-19992]
• telemetry: Adds fix to always use the value of telemetry.disable_hostname when determining whether to prefix gauge-type metrics with the hostname of the Consul agent. Previously, if only the default metric sink was enabled, this configuration was ignored and always treated as true, even though its default value is false. [GH-20312]

SECURITY:

• Update golang.org/x/crypto to v0.17.0 to address CVE-2023-48795. [GH-20023]
• connect: update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address CVE-2023-44487 [GH-19306]
• mesh: update supported envoy version 1.28.0 in addition to 1.25.11, 1.26.6, 1.27.2, 1.28.0 to address CVE-2023-44487 [GH-19879]

FEATURES:

• acl: add policy bindtype to binding rules. [GH-19499]
• agent: add fault injection filter support [GH-7513]
• cloud: Adds new API/CLI to initiate and manage linking a Consul cluster to HCP Consul Central [GH-20312]
• ui: Added a banner to let users link their clusters to HCP [GH-20275]
• ui: Adds a redirect and warning message around unavailable UI with V2 enabled [GH-20359]
• ui: adds V2CatalogEnabled to config that is passed to the ui [GH-20353]
• v2: prevent use of the v2 experiments in secondary datacenters for now [GH-20299]

IMPROVEMENTS:

• ProxyCfg: avoid setting a watch on Internal.ServiceDump when mesh gateway is not used. [GH-20168]
• ProxyCfg: only return the nodes list when querying the Internal.ServiceDump watch from proxycfg [GH-20168]
• api: add a new api(/v1/exported-services) to list all the exported service and their consumers. [GH-20015]
• cloud: unconditionally add Access-Control-Expose-Headers HTTP header [GH-20220]
• connect: Add CaseInsensitive flag to service-routers that allows paths and path prefixes to ignore URL upper and lower casing. [GH-19647]
• connect: Replace usage of deprecated Envoy field envoy.config.core.v3.HeaderValueOption.append. [GH-20078]
• connect: Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2. [GH-20013]
• resource: lowercase names enforced for v2 resources only. [GH-19218]

BUG FIXES:

• connect: Fix regression with SAN matching on terminating gateways GH-20360 [GH-20417]
• logging: add /api prefix to v2 resource endpoint logs [GH-20352]
• mesh: Fix bug where envoy extensions could not be configured with "permissive" mTLS mode. Note that envoy extensions currently do not apply to non-mTLS traffic in permissive mode. [GH-20406]
• raft: Fix panic during downgrade from enterprise to oss. [GH-19311]