backport of commit 7045225

hashicorp · Dec 3, 2024 · bd972c4 · bd972c4
1 parent 02efb33
commit bd972c4
Show file tree

Hide file tree

Showing 79 changed files with 3,802 additions and 722 deletions.
diff --git a/.changelog/21758.txt b/.changelog/21758.txt
diff --git a/.changelog/21883.txt b/.changelog/21883.txt
diff --git a/.changelog/21930.txt b/.changelog/21930.txt
@@ -0,0 +1,3 @@
+```release-note:security
+api: Enforces strict content-type header validation to protect against XSS vulnerability.
+```
diff --git a/.changelog/22001.txt b/.changelog/22001.txt
@@ -0,0 +1,3 @@
+```release-note:security
+Update `golang.org/x/crypto` to v0.31.0 to address [GO-2024-3321](https://pkg.go.dev/vuln/GO-2024-3321).
+```
diff --git a/.changelog/22011.txt b/.changelog/22011.txt
@@ -0,0 +1,4 @@
+```release-note:security
+Update `registry.access.redhat.com/ubi9-minimal` image to 9.5 to address [CVE-2024-3596](https://nvd.nist.gov/vuln/detail/CVE-2024-3596),[CVE-2024-2511](https://nvd.nist.gov/vuln/detail/CVE-2024-2511),[CVE-2024-26458](https://nvd.nist.gov/vuln/detail/CVE-2024-26458).
+```
+
diff --git a/.changelog/22021.txt b/.changelog/22021.txt
@@ -0,0 +1,3 @@
+```release-note:security
+Update `golang.org/x/net` to v0.33.0 to address [GO-2024-3333](https://pkg.go.dev/vuln/GO-2024-3333).
+```
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -10,34 +10,3 @@
 # release configuration
 /.release/                              @hashicorp/team-selfmanaged-releng @hashicorp/consul-selfmanage-maintainers
 /.github/workflows/build.yml            @hashicorp/team-selfmanaged-releng @hashicorp/consul-selfmanage-maintainers
-
-
-# Staff Engineer Review (protocol buffer definitions)
-/proto-public/   @hashicorp/consul-core-staff
-/proto/          @hashicorp/consul-core-staff
-
-# Staff Engineer Review (v1 architecture shared components)
-/agent/cache/                  @hashicorp/consul-core-staff
-/agent/consul/fsm/             @hashicorp/consul-core-staff
-/agent/consul/leader*.go       @hashicorp/consul-core-staff
-/agent/consul/server*.go       @hashicorp/consul-core-staff
-/agent/consul/state/           @hashicorp/consul-core-staff
-/agent/consul/stream/          @hashicorp/consul-core-staff
-/agent/submatview/             @hashicorp/consul-core-staff
-/agent/blockingquery/          @hashicorp/consul-core-staff
-
-# Staff Engineer Review (raft/autopilot)
-/agent/consul/autopilotevents/  @hashicorp/consul-core-staff
-/agent/consul/autopilot*.go     @hashicorp/consul-core-staff
-
-# Staff Engineer Review (v2 architecture shared components)
-/internal/controller/                   @hashicorp/consul-core-staff
-/internal/resource/                     @hashicorp/consul-core-staff
-/internal/storage/                      @hashicorp/consul-core-staff
-/agent/consul/controller/               @hashicorp/consul-core-staff
-/agent/grpc-external/services/resource/ @hashicorp/consul-core-staff
-
-# Staff Engineer Review (v1 security)
-/acl/                   @hashicorp/consul-core-staff
-/agent/xds/rbac*.go     @hashicorp/consul-core-staff
-/agent/xds/jwt*.go      @hashicorp/consul-core-staff
diff --git a/.github/workflows/nightly-test-integrations.yml b/.github/workflows/nightly-test-integrations.yml
@@ -217,7 +217,7 @@ jobs:
       # matrix.consul-version (i.e. whenever the highest common Envoy version across active
       # Consul versions changes). The minor Envoy version does not necessarily need to be
       # kept current for the purpose of these tests, but the major (1.N) version should be.
-      ENVOY_VERSION: 1.28.7
+      ENVOY_VERSION: 1.27.6
     steps:
       - name: Checkout code
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml
@@ -83,7 +83,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        nomad-version: ['v1.8.3', 'v1.7.7', 'v1.6.10']
+        nomad-version: ['v1.7.7', 'v1.6.10', 'v1.5.17']
     steps:
       - name: Checkout Nomad
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
@@ -166,7 +166,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        vault-version: ["1.17.5", "1.16.3", "1.15.6"]
+        vault-version: ["1.16.2", "1.15.6", "1.14.10"]
     env:
       VAULT_BINARY_VERSION: ${{ matrix.vault-version }}
     steps:

diff --git a/.gitignore b/.gitignore
@@ -71,6 +71,3 @@ terraform.rc
 /go.work
 /go.work.sum
 .docker
-
-# Avoid accidental commits of consul-k8s submodule used by some dev environments
-consul-k8s/
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
@@ -37,13 +37,8 @@ container {
 	triage {
 		suppress {
 			vulnerabilities = [
-				"CVE-2024-8096", # [email protected],
-				"CVE-2024-9143", # [email protected],
-				"CVE-2024-3596", # [email protected],
-				"CVE-2024-2236", # [email protected],
-				"CVE-2024-26458", # [email protected],
-				"CVE-2024-2511", # [email protected],
-				#the above can be resolved when they're resolved in the alpine image
+				"CVE-2024-4067", # libsolv@0:0.7.24-3.el9
+				"CVE-2019-12900" # bzip2-libs@0:1.0.8-8.el9
 			]
 			paths = [
 				"internal/tools/proto-gen-rpc-glue/e2e/consul/*",
@@ -84,6 +79,7 @@ binary {
 	triage {
 		suppress {
 			vulnerabilities = [
+				"GO-2022-0635", // github.com/aws/[email protected]
 			]
 			paths = [
 				"internal/tools/proto-gen-rpc-glue/e2e/consul/*",

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -52,11 +52,11 @@ SECURITY:
 * Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
 * Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
 * UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]
-* Upgrade Go to use 1.22.7. This addresses CVE
-  [CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
+* Upgrade Go to use 1.22.7. This addresses CVE 
+[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
 * Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
-  [CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and
-  [CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
+[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and 
+[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
 * ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
 * ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
 * ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
@@ -75,38 +75,6 @@ BUG FIXES:
 
 * jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]
 
-## 1.19.3 Enterprise (October 29, 2024)
-BREAKING CHANGES:
-
-* mesh: **(Enterprise Only)** Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).
-
-SECURITY:
-
-* Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
-* Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
-* UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]
-* Upgrade Go to use 1.22.7. This addresses CVE 
-[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
-* Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
-[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and 
-[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
-* mesh: **(Enterprise Only)** Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* mesh: **(Enterprise Only)** Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
-* ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
-* ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
-* ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]
-
-IMPROVEMENTS:
-
-* security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]
-* api: remove dependency on proto-public, protobuf, and grpc [[GH-21780](https://github.com/hashicorp/consul/issues/21780)]
-* xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]
-
-BUG FIXES:
-
-* jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]
-
 ## 1.19.2 (August 26, 2024)
 
 SECURITY:
@@ -121,39 +89,6 @@ BUG FIXES:
 
 * api-gateway: **(Enterprise only)** ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint [[GH-21604](https://github.com/hashicorp/consul/issues/21604)]
 
-## 1.18.5 Enterprise (October 29, 2024)
-
-Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
-BREAKING CHANGES:
-
-* mesh: **(Enterprise Only)** Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).
-
-SECURITY:
-
-* Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
-* Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
-* Upgrade Go to use 1.22.7. This addresses CVE 
-[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
-* Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
-[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and 
-[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
-* mesh: **(Enterprise Only)** Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* mesh: **(Enterprise Only)** Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
-* ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
-* ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
-* ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]
-
-IMPROVEMENTS:
-
-* security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]
-* api: remove dependency on proto-public, protobuf, and grpc [[GH-21780](https://github.com/hashicorp/consul/issues/21780)]
-* xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]
-
-BUG FIXES:
-
-* jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]
-
 ## 1.18.4 Enterprise (August 26, 2024)
 
 Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
@@ -174,35 +109,6 @@ IMPROVEMENTS:
 
 * Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [[GH-21587](https://github.com/hashicorp/consul/issues/21587)]
 
-## 1.15.15 Enterprise (October 29, 2024)
-
-Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.
-BREAKING CHANGES:
-
-* mesh: **(Enterprise Only)** Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).
-
-SECURITY:
-
-* Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
-* Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
-* UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]
-* Upgrade Go to use 1.22.7. This addresses CVE 
-[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
-* Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
-[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and 
-[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
-* mesh: **(Enterprise Only)** Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* mesh: **(Enterprise Only)** Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
-* ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
-* ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
-* ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]
-
-IMPROVEMENTS:
-
-* security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]
-* xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]
-
 ## 1.15.14 Enterprise (August 26, 2024)
 
 Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.

diff --git a/Dockerfile b/Dockerfile
@@ -16,7 +16,7 @@
 # Official docker image that includes binaries from releases.hashicorp.com. This
 # downloads the release from releases.hashicorp.com and therefore requires that
 # the release is published before building the Docker image.
-FROM docker.mirror.hashicorp.services/alpine:3.20 as official
+FROM docker.mirror.hashicorp.services/alpine:3.21 as official
 
 # This is the release of Consul to pull in.
 ARG VERSION
@@ -29,6 +29,13 @@ LABEL org.opencontainers.image.authors="Consul Team <[email protected]>" \
       org.opencontainers.image.vendor="HashiCorp" \
       org.opencontainers.image.title="consul" \
       org.opencontainers.image.description="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
+      name="Consul" \
+      maintainer="Consul Team <[email protected]>" \
+      vendor="HashiCorp" \
+      release=${PRODUCT_REVISION} \
+      revision=${PRODUCT_REVISION} \
+      summary="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
+      description="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
       version=${VERSION}
 
 # This is the location of the releases.
@@ -112,7 +119,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"]
 
 # Production docker image that uses CI built binaries.
 # Remember, this image cannot be built locally.
-FROM docker.mirror.hashicorp.services/alpine:3.20 as default
+FROM docker.mirror.hashicorp.services/alpine:3.21 as default
 
 ARG PRODUCT_VERSION
 ARG BIN_NAME
@@ -137,6 +144,13 @@ LABEL org.opencontainers.image.authors="Consul Team <[email protected]>" \
       org.opencontainers.image.title="consul" \
       org.opencontainers.image.description="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
       org.opencontainers.image.licenses="BSL-1.1" \
+      name="Consul" \
+      maintainer="Consul Team <[email protected]>" \
+      vendor="HashiCorp" \
+      release=${PRODUCT_REVISION} \
+      revision=${PRODUCT_REVISION} \
+      summary="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
+      description="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
       version=${PRODUCT_VERSION}
 
 COPY LICENSE /usr/share/doc/$PRODUCT_NAME/LICENSE.txt
@@ -203,7 +217,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"]
 
 # Red Hat UBI-based image
 # This target is used to build a Consul image for use on OpenShift.
-FROM registry.access.redhat.com/ubi9-minimal:9.4 as ubi
+FROM registry.access.redhat.com/ubi9-minimal:9.5 as ubi
 
 ARG PRODUCT_VERSION
 ARG PRODUCT_REVISION
@@ -227,6 +241,13 @@ LABEL org.opencontainers.image.authors="Consul Team <[email protected]>" \
       org.opencontainers.image.title="consul" \
       org.opencontainers.image.description="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
       org.opencontainers.image.licenses="BSL-1.1" \
+      name="Consul" \
+      maintainer="Consul Team <[email protected]>" \
+      vendor="HashiCorp" \
+      release=${PRODUCT_REVISION} \
+      revision=${PRODUCT_REVISION} \
+      summary="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
+      description="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
       version=${PRODUCT_VERSION}
 
 COPY LICENSE /usr/share/doc/$PRODUCT_NAME/LICENSE.txt

diff --git a/agent/agent.go b/agent/agent.go
@@ -1434,9 +1434,6 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	cfg.GRPCTLSPort = runtimeCfg.GRPCTLSPort
 
 	cfg.Segment = runtimeCfg.SegmentName
-
-	cfg.RaftConfig.PreVoteDisabled = runtimeCfg.RaftPreVoteDisabled
-
 	if len(runtimeCfg.Segments) > 0 {
 		segments, err := segmentConfig(runtimeCfg)
 		if err != nil {