[consul] [SECURITY] ANN: Consul 1.6.6 and 1.7.4 Released


Hans Hasselberg

Jun 10, 2020, 6:10:02 PM
to consu...@googlegroups.com

Hello everyone,


We just released Consul 1.6.6 and 1.7.4 which are shipping fixes for multiple CVEs:


Consul 1.6.6 and 1.7.4 are available as of now for OSS and ENT customers in the usual locations. Both releases are mostly about the fixed CVEs:


CVE-2020-13250: Consul’s DNS and HTTP API expose a caching feature susceptible to DoS.


CVE-2020-12797: Consul doesn't enforce changes to legacy ACL token rules due to not being propagated to secondary data centers.


CVE-2020-13170: When token replication is not enabled in a secondary datacenter, attempts to use a local token created in the primary are successful for operations targeting that secondary datacenter. Thus what was meant to be scoped to a single datacenter is valid in other datacenters.


CVE-2020-12758: Requiring service:write permissions, a service-router entry without a destination can crash Consul servers.


Please see the complete changelog for details on the releases:


https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md

https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md


The release binaries can be downloaded here:


https://releases.hashicorp.com/consul/1.6.6/

https://releases.hashicorp.com/consul/1.7.4/


-- The Consul Team
