Consul

1.18.8 Enterprise (February 13, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

• Upgrade Go to use v1.22.11 and bump Go X-Repositories to latest. This addresses CVE CVE-2024-45341 and CVE-2024-45336 [GH-22084]
• Upgrade Go to use v1.22.12 and bump Go X-Repositories to latest. This addresses CVE CVE-2025-22866 [GH-22132]

IMPROVEMENTS:

• metadata: memoize the parsed build versions [GH-22113]

BUG FIXES:

• Fixed logging error while building for OpenBSD OS [GH-22120] [GH-22120]

1.20.3 (February 13, 2025)

SECURITY:

• Upgrade Go to use v1.22.11 and bump Go X-Repositories to latest. This addresses CVE CVE-2024-45341 and CVE-2024-45336 [GH-22084]
• Upgrade Go to use v1.22.12 and bump Go X-Repositories to latest. This addresses CVE CVE-2025-22866 [GH-22132]

IMPROVEMENTS:

• connect: update supported envoy versions to 1.33.0, 1.32.3 [GH-22138]
• metadata: memoize the parsed build versions [GH-22113]

BUG FIXES:

• Fixed logging error while building for OpenBSD OS [GH-22120] [GH-22120]
• api-gateway: Fixed TLS configuration to properly enforce listener TLS versions and cipher suites [GH-21984]
• aws-auth: Fix bug where calls to AWS IAM and STS services error out due to URL with multiple trailing slashes. [GH-22109]

1.15.18 Enterprise (February 07, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.

BUG FIXES:

• aws-auth: Fix bug where calls to AWS IAM and STS services error out due to URL with multiple trailing slashes. [GH-22109]

1.15.17 Enterprise (February 05, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.

SECURITY:

• Upgrade Go to use v1.22.11 and bump Go X-Repositories to latest. This addresses CVE CVE-2024-45341 and CVE-2024-45336 [GH-22084]

1.18.7 Enterprise (January 31, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

BUG FIXES:

• api-gateway: Fixed TLS configuration to properly enforce listener TLS versions and cipher suites [GH-21984]
• aws-auth: Fix bug where calls to AWS IAM and STS services error out due to URL with multiple trailing slashes. [GH-22109]

1.19.4 Enterprise (January 10, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

BREAKING CHANGES:

• mesh: (Enterprise Only) Enable Envoy HttpConnectionManager.normalize_path by default on inbound traffic to mesh proxies. This resolves CVE-2024-10005.

SECURITY:

• Removed ability to use bexpr to filter results without ACL read on endpoint [GH-21950]
• Resolved issue where hcl would allow duplicates of the same key in acl policy configuration. [GH-21908]
• Update github.com/golang-jwt/jwt/v4 to v4.5.1 to address GHSA-29wx-vh33-7x7r. [GH-21951]
• Update golang.org/x/crypto to v0.31.0 to address GO-2024-3321. [GH-22001]
• Update golang.org/x/net to v0.33.0 to address GO-2024-3333. [GH-22021]
• Update registry.access.redhat.com/ubi9-minimal image to 9.5 to address CVE-2024-3596,CVE-2024-2511,CVE-2024-26458. [GH-22011]
• api: Enforces strict content-type header validation to protect against XSS vulnerability. [GH-21930]
• mesh: (Enterprise Only) Add contains and ignoreCase to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves CVE-2024-10006.
• mesh: (Enterprise Only) Add http.incoming.requestNormalization to Mesh configuration entry to support inbound service traffic request normalization. This resolves CVE-2024-10005 and CVE-2024-10006.

IMPROVEMENTS:

• Upgrade api submodule to 1.29.6 [GH-22058]
• snapshot agent: (Enterprise only) Implement Service Principal Auth for snapshot agent on azure.
• xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [GH-21655]

BUG FIXES:

• proxycfg: fix a bug where peered upstreams watches are canceled even when another target needs it. [GH-21871]
• state: ensure that identical manual virtual IP updates result in not bumping the modify indexes [GH-21909]

1.18.6 Enterprise (January 13, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release. SECURITY:

• Removed ability to use bexpr to filter results without ACL read on endpoint [GH-21950]
• Resolved issue where hcl would allow duplicates of the same key in acl policy configuration. [GH-21908]
• Update github.com/golang-jwt/jwt/v4 to v4.5.1 to address GHSA-29wx-vh33-7x7r. [GH-21951]
• Update golang.org/x/crypto to v0.31.0 to address GO-2024-3321. [GH-22001]
• Update golang.org/x/net to v0.33.0 to address GO-2024-3333. [GH-22021]
• Update registry.access.redhat.com/ubi9-minimal image to 9.5 to address CVE-2024-3596,CVE-2024-2511,CVE-2024-26458. [GH-22011]
• api: Enforces strict content-type header validation to protect against XSS vulnerability. [GH-21930]

IMPROVEMENTS:

• Upgrade api submodule to 1.28.5 [GH-22056]
• snapshot agent: (Enterprise only) Implement Service Principal Auth for snapshot agent on azure.

BUG FIXES:

• proxycfg: fix a bug where peered upstreams watches are canceled even when another target needs it. [GH-21871]
• state: ensure that identical manual virtual IP updates result in not bumping the modify indexes [GH-21909]

1.15.16 Enterprise (January 13, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release. SECURITY:

• Removed ability to use bexpr to filter results without ACL read on endpoint [GH-21950]
• Resolved issue where hcl would allow duplicates of the same key in acl policy configuration. [GH-21908]
• Update github.com/golang-jwt/jwt/v4 to v4.5.1 to address GHSA-29wx-vh33-7x7r. [GH-21951]
• Update registry.access.redhat.com/ubi9-minimal image to 9.5 to address CVE-2024-3596,CVE-2024-2511,CVE-2024-26458. [GH-22011]
• api: Enforces strict content-type header validation to protect against XSS vulnerability. [GH-21930]

IMPROVEMENTS:

• Upgrade api submodule to 1.21.4 [GH-22055]
• snapshot agent: (Enterprise only) Implement Service Principal Auth for snapshot agent on azure.

BUG FIXES:

• proxycfg: fix a bug where peered upstreams watches are canceled even when another target needs it. [GH-21871]

1.20.2 (December 26, 2024)

SECURITY:

• Removed ability to use bexpr to filter results without ACL read on endpoint [GH-21950]
• Resolved issue where hcl would allow duplicates of the same key in acl policy configuration. [GH-21908]
• Update github.com/golang-jwt/jwt/v4 to v4.5.1 to address GHSA-29wx-vh33-7x7r. [GH-21951]
• Update golang.org/x/crypto to v0.31.0 to address GO-2024-3321. [GH-22001]
• Update golang.org/x/net to v0.33.0 to address GO-2024-3333. [GH-22021]
• Update registry.access.redhat.com/ubi9-minimal image to 9.5 to address CVE-2024-3596,CVE-2024-2511,CVE-2024-26458. [GH-22011]
• api: Enforces strict content-type header validation to protect against XSS vulnerability. [GH-21930]

FEATURES:

• docs: added the docs for the grafana dashboards [GH-21795]

BUG FIXES:

• proxycfg: fix a bug where peered upstreams watches are canceled even when another target needs it. [GH-21871]
• state: ensure that identical manual virtual IP updates result in not bumping the modify indexes [GH-21909]

1.15.15 Enterprise (October 29, 2024)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release. BREAKING CHANGES:

• mesh: (Enterprise Only) Enable Envoy HttpConnectionManager.normalize_path by default on inbound traffic to mesh proxies. This resolves CVE-2024-10005.

SECURITY:

• Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [GH-21704]
• Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [GH-21711]
• UI: Remove codemirror linting due to package dependency [GH-21726]
• Upgrade Go to use 1.22.7. This addresses CVE CVE-2024-34155 [GH-21705]
• Upgrade to support aws/aws-sdk-go v1.55.5 or higher. This resolves CVEs CVE-2020-8911 and CVE-2020-8912. [GH-21684]
• mesh: (Enterprise Only) Add contains and ignoreCase to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves CVE-2024-10006.
• mesh: (Enterprise Only) Add http.incoming.requestNormalization to Mesh configuration entry to support inbound service traffic request normalization. This resolves CVE-2024-10005 and CVE-2024-10006.
• ui: Pin a newer resolution of Braces [GH-21710]
• ui: Pin a newer resolution of Codemirror [GH-21715]
• ui: Pin a newer resolution of Markdown-it [GH-21717]
• ui: Pin a newer resolution of ansi-html [GH-21735]

IMPROVEMENTS:

• security: upgrade ubi base image to 9.4 [GH-21750]
• xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [GH-21655]

1.18.5 Enterprise (October 29, 2024)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release. BREAKING CHANGES:

• mesh: (Enterprise Only) Enable Envoy HttpConnectionManager.normalize_path by default on inbound traffic to mesh proxies. This resolves CVE-2024-10005.

SECURITY:

• Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [GH-21704]
• Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [GH-21711]
• Upgrade Go to use 1.22.7. This addresses CVE CVE-2024-34155 [GH-21705]
• Upgrade to support aws/aws-sdk-go v1.55.5 or higher. This resolves CVEs CVE-2020-8911 and CVE-2020-8912. [GH-21684]
• mesh: (Enterprise Only) Add contains and ignoreCase to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves CVE-2024-10006.
• mesh: (Enterprise Only) Add http.incoming.requestNormalization to Mesh configuration entry to support inbound service traffic request normalization. This resolves CVE-2024-10005 and CVE-2024-10006.
• ui: Pin a newer resolution of Braces [GH-21710]
• ui: Pin a newer resolution of Codemirror [GH-21715]
• ui: Pin a newer resolution of Markdown-it [GH-21717]
• ui: Pin a newer resolution of ansi-html [GH-21735]

IMPROVEMENTS:

• security: upgrade ubi base image to 9.4 [GH-21750]
• api: remove dependency on proto-public, protobuf, and grpc [GH-21780]
• xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [GH-21655]

BUG FIXES:

• jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [GH-21703]

1.19.3 (Enterprise) (October 29, 2024)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

BREAKING CHANGES:

• mesh: (Enterprise Only) Enable Envoy HttpConnectionManager.normalize_path by default on inbound traffic to mesh proxies. This resolves CVE-2024-10005.

SECURITY:

• Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [GH-21704]
• Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [GH-21711]
• UI: Remove codemirror linting due to package dependency [GH-21726]
• Upgrade Go to use 1.22.7. This addresses CVE CVE-2024-34155 [GH-21705]
• Upgrade to support aws/aws-sdk-go v1.55.5 or higher. This resolves CVEs CVE-2020-8911 and CVE-2020-8912. [GH-21684]
• mesh: (Enterprise Only) Add contains and ignoreCase to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves CVE-2024-10006.
• mesh: (Enterprise Only) Add http.incoming.requestNormalization to Mesh configuration entry to support inbound service traffic request normalization. This resolves CVE-2024-10005 and CVE-2024-10006.
• ui: Pin a newer resolution of Braces [GH-21710]
• ui: Pin a newer resolution of Codemirror [GH-21715]
• ui: Pin a newer resolution of Markdown-it [GH-21717]
• ui: Pin a newer resolution of ansi-html [GH-21735]

IMPROVEMENTS:

• security: upgrade ubi base image to 9.4 [GH-21750]
• api: remove dependency on proto-public, protobuf, and grpc [GH-21780]
• xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [GH-21655]

BUG FIXES:

• jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [GH-21703]

1.20.1 (October 29, 2024)

BREAKING CHANGES:

• mesh: Enable Envoy HttpConnectionManager.normalize_path by default on inbound traffic to mesh proxies. This resolves CVE-2024-10005. [GH-21816]

SECURITY:

• mesh: Add contains and ignoreCase to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves CVE-2024-10006. [GH-21816]
• mesh: Add http.incoming.requestNormalization to Mesh configuration entry to support inbound service traffic request normalization. This resolves CVE-2024-10005 and CVE-2024-10006. [GH-21816]

IMPROVEMENTS:

• api: remove dependency on proto-public, protobuf, and grpc [GH-21780]
• snapshot agent: (Enterprise only) Implement Service Principal Auth for snapshot agent on azure.
• xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [GH-21655]

1.20.0 (October 14, 2024)

SECURITY:

• Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [GH-21704]
• Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [GH-21711]
• UI: Remove codemirror linting due to package dependency [GH-21726]
• Upgrade Go to use 1.22.7. This addresses CVE CVE-2024-34155 [GH-21705]
• Upgrade to support aws/aws-sdk-go v1.55.5 or higher. This resolves CVEs CVE-2020-8911 and CVE-2020-8912. [GH-21684]
• ui: Pin a newer resolution of Braces [GH-21710]
• ui: Pin a newer resolution of Codemirror [GH-21715]
• ui: Pin a newer resolution of Markdown-it [GH-21717]
• ui: Pin a newer resolution of ansi-html [GH-21735]

FEATURES:

• grafana: added the dashboards service-to-service dashboard, service dashboard, and consul dataplane dashboard [GH-21806]
• server: remove v2 tenancy, catalog, and mesh experiments [GH-21592]

IMPROVEMENTS:

• security: upgrade ubi base image to 9.4 [GH-21750]
• connect: Add Envoy 1.31 and 1.30 to support matrix [GH-21616]

BUG FIXES:

• jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [GH-21703]

1.20.0-rc1 (September 19, 2024)

SECURITY:

• Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [GH-21704]
• Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [GH-21711]
• UI: Remove codemirror linting due to package dependency [GH-21726]
• Upgrade Go to use 1.22.7. This addresses CVE CVE-2024-34155 [GH-21705]
• Upgrade to support aws/aws-sdk-go v1.55.5 or higher. This resolves CVEs CVE-2020-8911 and CVE-2020-8912. [GH-21684]
• ui: Pin a newer resolution of Braces [GH-21710]
• ui: Pin a newer resolution of Codemirror [GH-21715]
• ui: Pin a newer resolution of Markdown-it [GH-21717]
• ui: Pin a newer resolution of ansi-html [GH-21735]

FEATURES:

• server: remove v2 tenancy, catalog, and mesh experiments [GH-21592]

IMPROVEMENTS:

• security: upgrade ubi base image to 9.4 [GH-21750]
• connect: Add Envoy 1.31 and 1.30 to support matrix [GH-21616]

BUG FIXES:

• jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [GH-21703]

1.15.14 Enterprise (August 26, 2024)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.

SECURITY:

• ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [GH-21588]

IMPROVEMENTS:

• Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]

1.17.7 Enterprise (August 26, 2024)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

SECURITY:

• ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0

IMPROVEMENTS:

• Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]

1.18.4 Enterprise (August 26, 2024)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

• ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0

IMPROVEMENTS:

• Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]

1.19.2 (August 26, 2024)

SECURITY:

• ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [GH-21588]

IMPROVEMENTS:

• Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]

BUG FIXES:

• api-gateway: (Enterprise only) ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint [GH-21604]

1.18.3 Enterprise (July 11, 2024)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

• Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve CVE-2024-39305 [GH-21524]
• Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-21507]
• Upgrade go-retryablehttp to address CVE-2024-6104 [GH-21384]
• agent: removed reflected cross-site scripting vulnerability [GH-21342]
• ui: Pin and namespace sub-module dependencies related to the Consul UI [GH-21378]

IMPROVEMENTS:

• mesh: update supported envoy version 1.29.4
• mesh: update supported envoy version 1.29.5 in addition to 1.28.4, 1.27.6. [GH-21277]
• upgrade go version to v1.22.3. [GH-21113]
• upgrade go version to v1.22.4. [GH-21265]

BUG FIXES:

• core: Fix multiple incorrect type conversion for potential overflows [GH-21251]
• core: Fix panic runtime error on AliasCheck [GH-21339]
• dns: Fixes a spam log message "Failed to parse TTL for prepared query..." that was always being logged on each prepared query evaluation. [GH-21381]
• terminating-gateway: (Enterprise Only) Fixed issue where enterprise metadata applied to linked services was the terminating-gateways enterprise metadata and not the linked services enterprise metadata. [GH-21382]
• txn: Fix a bug where mismatched Consul server versions could result in undetected data loss for when using newer Transaction verbs. [GH-21519]
• v2dns: Fix a regression where DNS SRV questions were returning duplicate hostnames instead of encoded IPs. This affected Nomad integrations with Consul. [GH-21361]
• v2dns: Fix a regression where DNS tags using the standard lookup syntax, tag.name.service.consul, were being disregarded. [GH-21361]