consul-dataplane

1.2.8 (May 24, 2024)

SECURITY:

• Upgrade Go to use 1.21.10. This addresses CVEs
  CVE-2024-24787 and
  CVE-2024-24788 [GH-487]
• Upgrade to support Envoy 1.26.8. This resolves CVE
  CVE-2024-27919 (http2). [GH-476]
• Upgrade to support Envoy 1.27.5. This resolves CVE
  CVE-2024-32475. [GH-498]
• Upgrade to use Go 1.21.9. This resolves CVE
  CVE-2023-45288 (http2). [GH-476]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE
  CVE-2023-45288 (x/net). [GH-476]

IMPROVEMENTS:

• Upgrade Go to use 1.22.3. [GH-501]

1.1.11 (May 20, 2024)

SECURITY:

• Upgrade Go to use 1.21.10. This addresses CVEs
  CVE-2024-24787 and
  CVE-2024-24788 [GH-487]
• Upgrade to support Envoy 1.26.8. This resolves CVE
  CVE-2024-27919 (http2). [GH-475]
• Upgrade to support Envoy 1.27.5. This resolves CVE
  CVE-2024-32475. [GH-499]
• Upgrade to use Go 1.21.9. This resolves CVE
  CVE-2023-45288 (http2). [GH-475]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE
  CVE-2023-45288 (x/net). [GH-475]

IMPROVEMENTS:

• Upgrade Go to use 1.22.3. [GH-501]

1.4.2 (May 21, 2024)

SECURITY:

• Upgrade Go to use 1.21.10. This addresses CVEs
  CVE-2024-24787 and
  CVE-2024-24788 [GH-487]
• Upgrade to support Envoy 1.28.2. This resolves CVE
  CVE-2024-27919 (http2). [GH-474]
• Upgrade to support Envoy 1.28.3. This resolves CVE
  CVE-2024-32475. [GH-496]
• Upgrade to use Go 1.21.9. This resolves CVE
  CVE-2023-45288 (http2). [GH-474]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE
  CVE-2023-45288 (x/net). [GH-474]

IMPROVEMENTS:

• Upgrade Go to use 1.22.3. [GH-501]

1.4.1 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-460]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-465]

1.3.4 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-460]
• Upgrade consul-dataplane-fips OpenShift container image to use ubi9-minimal:9.3 as the base image. [GH-434]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-465]

1.2.7 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-460]
• Upgrade consul-dataplane-fips OpenShift container image to use ubi9-minimal:9.3 as the base image. [GH-434]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-465]

1.1.10 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-460]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-465]

1.4.0 (February 28, 2024)

SECURITY:

• Update Envoy version to 1.28.1 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 [GH-416]
• Upgrade consul-dataplane-fips OpenShift container image to use ubi9-minimal:9.3 as the base image. [GH-434]

FEATURES:

• Add metrics exporting directly to HCP when configured in core. [GH-370]

IMPROVEMENTS:

• Propagate merged metrics request query params to Envoy to enable metrics filtering. [GH-372]

BUG FIXES:

• Exclude Prometheus scrape path query params from Envoy path match s.t. it does not break merged metrics request routing. [GH-372]

1.3.3 (February 14, 2024)

SECURITY:

• Update Envoy version to 1.27.3 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 [GH-421]

IMPROVEMENTS:

• Upgrade to use Go 1.21.7. [GH-411]

1.1.9 (February 14, 2024)

SECURITY:

• Update Envoy version to 1.26.7 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 (note: upgrades to Envoy 1.26 for security patches due to 1.25 EOL) [GH-418]

IMPROVEMENTS:

• Upgrade to use Go 1.21.7. [GH-411]

1.4.0-rc1 (February 7, 2024)

SECURITY:

• Update Envoy version to 1.27.2 to address CVE-2023-44487 [GH-310]

IMPROVEMENTS:

• Propagate merged metrics request query params to Envoy to enable metrics filtering. [GH-372]

BUG FIXES:

• Exclude Prometheus scrape path query params from Envoy path match s.t. it does not break merged metrics request routing. [GH-372]

1.2.5 (January 24, 2024)

SECURITY:

• Upgrade OpenShift container images to use ubi9-minimal:9.3 as the base image. [GH-373]

IMPROVEMENTS:

• Upgrade to use Go 1.21.6. [GH-384]

1.1.8 (January 24, 2024)

SECURITY:

• Upgrade OpenShift container images to use ubi9-minimal:9.3 as the base image. [GH-373]

IMPROVEMENTS:

• Upgrade to use Go 1.21.6. [GH-384]

1.3.2 (January 24, 2024)

SECURITY:

• Upgrade OpenShift container images to use ubi9-minimal:9.3 as the base image. [GH-373]

IMPROVEMENTS:

• Upgrade to use Go 1.21.6. [GH-384]

1.1.7 (December 18, 2023)

SECURITY:

• Upgrade to use Go 1.20.12. This resolves CVEs
  CVE-2023-45283: (path/filepath) recognize ??\ as a Root Local Device path prefix (Windows)
  CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows)
  CVE-2023-39326: (net/http) limit chunked data overhead
  CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-353]

BUG FIXES:

• Fix issue where the internal grpc-proxy would hit the max message size limit for xDS streams with a large amount of configuration. [GH-357]

1.2.4 (December 18, 2023)

SECURITY:

• Upgrade to use Go 1.20.12. This resolves CVEs
  CVE-2023-45283: (path/filepath) recognize ??\ as a Root Local Device path prefix (Windows)
  CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows)
  CVE-2023-39326: (net/http) limit chunked data overhead
  CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-353]

BUG FIXES:

• Fix issue where the internal grpc-proxy would hit the max message size limit for xDS streams with a large amount of configuration. [GH-357]

1.3.1 (December 18th, 2023)

SECURITY:

• Update Envoy version to 1.27.2 to address CVE-2023-44487 [GH-314]
• Upgrade to use Go 1.20.12. This resolves CVEs
  CVE-2023-45283: (path/filepath) recognize ??\ as a Root Local Device path prefix (Windows)
  CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows)
  CVE-2023-39326: (net/http) limit chunked data overhead
  CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-353]

BUG FIXES:

• Fix issue where the internal grpc-proxy would hit the max message size limit for xDS streams with a large amount of configuration. [GH-357]

1.3.0 (November 6, 2023)

SECURITY:

• Update Envoy version to 1.27.2 to address CVE-2023-44487 [GH-315]
• Upgrade google.golang.org/grpc to 1.56.3.
  This resolves vulnerability CVE-2023-44487. [GH-323]
• Upgrade to use Go 1.20.10 and x/net 0.17.0.
  This resolves CVE-2023-39325
  / CVE-2023-44487. [GH-299]