Hello everyone,
We just released Consul 1.6.6 and 1.7.4, which ship fixes for multiple CVEs:
Consul 1.6.6 and 1.7.4 are available as of now for OSS and ENT customers in the usual locations. Both releases are mostly about the fixed CVEs:
CVE-2020-13250: Consul’s DNS and HTTP API expose a caching feature susceptible to DoS.
CVE-2020-12797: Consul doesn't enforce changes to legacy ACL token rules because they are not propagated to secondary datacenters.
CVE-2020-13170: When token replication is not enabled in a secondary datacenter, attempts to use a local token created in the primary are successful for operations targeting that secondary datacenter. Thus what was meant to be scoped to a single datacenter is valid in other datacenters.
CVE-2020-12758: A service-router entry without a destination, which requires only service:write permissions to create, can crash Consul servers.
Please see the complete changelog for details on the releases:
https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md
https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md
The release binaries can be downloaded here:
https://releases.hashicorp.com/consul/1.6.6/
https://releases.hashicorp.com/consul/1.7.4/
-- The Consul Team