fix(db): update host_plugin_set to set project_id value (#2407)

.release/ci.hcl

@@ -13,7 +13,7 @@ project "boundary" {
 
     release_branches = [
       "main",
-      "release/0.10.2",
+      "release/0.10.x",
     ]
   }
 }

CHANGELOG.md

@@ -2,8 +2,23 @@
 
 Canonical reference for changes, improvements, and bugfixes for Boundary.
 
+## 0.10.3 (2022/08/30)
+
+### Bug Fixes
+
+* db: Fix an issue with migrations failing due to not updating the project_id value for the host plugin set
+  ([Issue](https://github.com/hashicorp/boundary/issues/2349#issuecomment-1229953874)),
+  ([PR](https://github.com/hashicorp/boundary/pull/2407)).
+
 ## 0.10.2 (2022/08/23)
 
+### Security
+
+* Fix security vulnerability CVE-2022-36130, Boundary up to 0.10.1 did not properly perform  
+  authorization checks to ensure the resources were associated with the correct scopes,  
+  allowing potential privilege escalation for authorized users of another scope.
+  [[HCSEC-2022-17](https://discuss.hashicorp.com/t/hcsec-2022017-boundary-allowed-access-to-host-sets-and-credential-sources-for-authorized-users-of-another-scope/43493)]
+
 ## 0.10.1 (2022/08/11)
 
 ### Bug Fixes

internal/db/schema/migrations/oss/postgres/46/02_hosts.up.sql

@@ -88,7 +88,7 @@ begin;
      set (project_id) =
          (select project_id
             from host_set
-           where host_set.public_id = host_plugin_set.catalog_id
+           where host_set.public_id = host_plugin_set.public_id
          )
   ;
 

version/version_base.go

@@ -8,7 +8,7 @@ var (
 	// Whether cgo is enabled or not; set at build time
 	CgoEnabled bool
 
-	Version = "0.10.2"
+	Version = "0.10.3"
 
 	// VersionPrerelease is also set at compile time, similarly to Version.
 	VersionPrerelease = ""