hashicorp · abhishek-hashicorp · Feb 1, 2024 · Feb 1, 2024 · Feb 2, 2024 · Feb 2, 2024
@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Make TCP external service registered with terminating gateway reachable from peered cluster
+```
@@ -0,0 +1,3 @@
+```release-note:feature
+cli: Adds new command `exported-services` to list all services exported and their consumers. Refer to the [CLI docs](https://developer.hashicorp.com/consul/commands/exported-services) for more information.
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+  audit-logs: **(Enterprise Only)** Fixes non ASCII characters in audit logs because of gzip.
+```
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+ui: Adds a "Link to HCP Consul Central" modal with integration to side-nav and link to HCP banner. There will be an option to disable the Link to HCP banner from the UI in a follow-up release.
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where re-persisting existing proxy-defaults using `http` protocol fails with a protocol-mismatch error.
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Remove code coupling where the xDS capacity controller could negatively affect raft autopilot performance.
+```
@@ -0,0 +1,3 @@
+```release-note:feature
+agent: Introduces a new agent config default_intention_policy to decouple the default intention behavior from ACLs
+```
@@ -0,0 +1,3 @@
+```release-note:improvement
+Upgrade to use Go 1.21.7.
+```
@@ -0,0 +1,3 @@
+```release-note:security
+mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address [CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6), [CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26), [CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38), [CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch), [CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j), and [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```
@@ -0,0 +1,7 @@
+```release-note:bug
+server: Ensure internal streams are properly terminated on snapshot restore.
+```
+
+```release-note:bug
+server: Ensure controllers are automatically restarted on internal stream errors.
+```
@@ -0,0 +1,7 @@
+```release-note:feature
+dns: adds experimental support for a refactored DNS server that is v1 and v2 Catalog compatible. 
+Use `v2dns` in the `experiments` agent config to enable. 
+It will automatically be enabled when using the `resource-apis` (Catalog v2) experiment.
+The new DNS implementation will be the default in Consul 1.19.
+See the [Consul 1.18.x Release Notes](https://developer.hashicorp.com/consul/docs/release-notes/consul/v1_18_x) for deprecated DNS features.
+```
@@ -0,0 +1,3 @@
+```release-note:improvement
+partitions: **(Enterprise only)** Allow disabling of Gossip per Partition
+```
@@ -0,0 +1,3 @@
+```release-note: improvement
+xds: Improved the performance of xDS server side load balancing. Its slightly improved in Consul CE with drastic CPU usage reductions in Consul Enterprise.
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+dns: SERVFAIL when resolving not found PTR records.
+```
@@ -0,0 +1,3 @@
+```release-note:security
+Update `google.golang.org/protobuf` to v1.33.0 to address [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786).
+```
@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Add ability to disable Auto Host Header Rewrite on Terminating Gateway at the service level
+```
@@ -0,0 +1,14 @@
+```release-note:security
+Upgrade to use Go `1.21.8`. This resolves CVEs
+[CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`).
+[CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`).
+[CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`).
+[CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`).
+[CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`).
+```
+
+```release-note:security
+Update the Consul Build Go base image to `alpine3.19`. This resolves CVEs
+[CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425)
+[CVE-2023-52426⁠](https://nvd.nist.gov/vuln/detail/CVE-2023-52426)
+```
@@ -0,0 +1,3 @@
+```release-note:security
+ Bump Dockerfile base image to `alpine:3.19`. 
+ ```
@@ -0,0 +1,4 @@
+```release-note:security
+Update `vault/api` to v1.12.2 to address [CVE-2024-28180](https://nvd.nist.gov/vuln/detail/CVE-2024-28180) 
+(removes indirect dependency on impacted `go-jose.v2`)
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+error running consul server in 1.18.0: failed to configure SCADA provider user's home directory path: $HOME is not defined
+```
@@ -0,0 +1,3 @@
+```release-note:enhancement
+gateways: service defaults configuration entries can now be used to set default upstream limits for mesh-gateways
+```
@@ -0,0 +1,14 @@
+```release-note:security
+Upgrade to use Go `1.21.9`. This resolves CVE
+[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`http2`).
+```
+
+```release-note:security
+Upgrade to support Envoy `1.26.8, 1.27.4, and 1.28.2`. This resolves CVE
+[CVE-2024-27919](https://nvd.nist.gov/vuln/detail/CVE-2024-27919) (`http2`).
+```
+
+```release-note:security
+Upgrade to use golang.org/x/net `v0.24.0`. This resolves CVE
+[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`x/net`).
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+server: fix Ent snapshot restore on CE when CE downgrade is enabled
+```
@@ -0,0 +1,9 @@
+```release-note:security
+Upgrade to support Envoy `1.27.5 and 1.28.3`. This resolves CVE
+[CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475) (`auto_sni`).
+```
+
+```release-note:security
+Upgrade to support k8s.io/apimachinery `v0.18.7 or higher`. This resolves CVE
+[CVE-2020-8559](https://nvd.nist.gov/vuln/detail/CVE-2020-8559).
+```
@@ -0,0 +1,5 @@
+```release-note:security
+Upgrade Go to use 1.21.10. This addresses CVEs 
+[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
+[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788)
+```
@@ -0,0 +1,3 @@
+```release-note:enhancement
+upgrade go version to v1.22.3.
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix multiple incorrect type conversion for potential overflows
+```
@@ -0,0 +1,3 @@
+```release-note:enhancement
+upgrade go version to v1.22.4.
+```
@@ -0,0 +1,3 @@
+```release-note:enhancement
+mesh: update supported envoy version 1.28.4 and 1.27.6.
+```
@@ -0,0 +1,3 @@
+```release-note:improvement
+api: remove dependency on proto-public, protobuf, and grpc
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+ingress-gateway: **(Enterprise Only)** Fix a bug where on update, Ingress Gateways lost all upstreams for listeners with wildcard services in a different namespace.
+```
@@ -156,13 +156,16 @@ When you're ready to submit a pull request:
 5. If there's any reason Consul users might need to know about this change,
    [add a changelog entry](../docs/contributing/add-a-changelog-entry.md).
 6. Add labels to your pull request. A table of commonly use labels is below. 
-   If you have any questions about which to apply, feel free to call it out in the PR or comments.
-   | Label | When to Use |
-   | --- | --- |
-   | `pr/no-changelog` | This PR does not have an intended changelog entry |
+   If you have any questions about which to apply, feel free to call it out in the PR or comments. Other labels may automatically be added by GitHub Actions CI.
+
+   | Label                | When to Use |
+   |----------------------| --- |
+   | `pr/no-changelog`    | This PR does not have an intended changelog entry |
+   | `pr/no-backport`     | This PR does not have an intended backport target |
    | `pr/no-metrics-test` | This PR does not require any testing for metrics |
-   | `backport/1.12.x` | Backport the changes in this PR to the targeted release branch. Consult the [Consul Release Notes](https://www.consul.io/docs/release-notes) page to view active releases. Website documentation merged to the latest release branch is deployed immediately |
-   Other labels may automatically be added by the Github Action CI.
+   | `backport/1.12.x`    | Backport the changes in this PR to the targeted release branch. Consult the [Consul Release Notes](https://www.consul.io/docs/release-notes) page and [`versions.hcl`](/.release/versions.hcl) to view active releases. Website documentation merged to the latest release branch is deployed immediately. See [backport policy](#backport-policy) for more information. |
+   | `backport/all`       | If contributing a bug fix or other change applicable to all branches, use `backport/all` to target all active branches automatically. See [backport policy](#backport-policy) for more information. |
+
 7. After you submit, the Consul maintainers team needs time to carefully review your
    contribution and ensure it is production-ready, considering factors such as: security,
    backwards-compatibility, potential regressions, etc.
@@ -174,6 +177,10 @@ When you're ready to submit a pull request:
    Assuming the tests pass, the PR will be merged automatically. 
    If the tests fail, it is you responsibility to resolve the issues with backports and request another reviewer.
 
+### Backport Policy
+
+Consul is maintained as a Community Edition (CE) and an Enterprise product. Bug fixes and patches may be backported to the current major release in CE. In Enterprise, bug fixes and patches may be backported to all maintained releases: the N-2 releases and the 2 latest Long-Term Support (LTS) releases. For more information, refer to Consul’s [LTS documentation](https://developer.hashicorp.com/consul/docs/enterprise/long-term-support).
+
 #### Checklists
 
 Some common changes that many PRs require are documented through checklists as

@@ -2,65 +2,107 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 pr/dependencies:
-    - vendor/**/*
-    - go.*
+  - changed-files:
+    - any-glob-to-any-file:
+      - vendor/**/*
+      - go.*
 theme/acls:
-    - acl/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - acl/**/*
 theme/agent-cache:
-    - agent/cache/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - agent/cache/**/*
 theme/api:
-    - api/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - api/**/*
 theme/catalog:
-    - agent/catalog/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - agent/catalog/**/*
 theme/certificates:
-    - tlsutil/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - tlsutil/**/*
 theme/cli:
-    - command/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - command/**/*
 theme/config:
-    - agent/config/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - agent/config/**/*
 theme/connect:
-    - connect/**/*
-    - agent/connect/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - connect/**/*
+      - agent/connect/**/*
 # theme/consul-nomad:
 theme/consul-terraform-sync:
-    - website/content/docs/nia/**/*
-    - website/content/docs/integrate/nia*
+  - changed-files:
+    - any-glob-to-any-file:
+      - website/content/docs/nia/**/*
+      - website/content/docs/integrate/nia*
 # theme/consul-vault:
 theme/contributing:
-    - .github/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - .github/**/*
 theme/dns:
-    - dns/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - dns/**/*
 theme/envoy/xds:
-    - agent/xds/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - agent/xds/**/*
 # theme/federation-usability:
 theme/health-checks:
-    - agent/health*
-    - api/health*
+  - changed-files:
+    - any-glob-to-any-file:
+      - agent/health*
+      - api/health*
 # theme/ingress-gw:
 # theme/internal-cleanup:
 theme/internals:
-    - lib/**/*
-    - types/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - lib/**/*
+      - types/**/*
 # theme/kubernetes:
 # theme/mesh-gw:
 # theme/operator-usability:
 # theme/performance:
 # theme/service-metadata:
 # theme/streaming:
 theme/telemetry:
-    - logging/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - logging/**/*
 # theme/terminating-gw:
 theme/testing:
-    - ./*test*/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - ./*test*/**/*
 theme/tls:
-    - tlsutil/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - tlsutil/**/*
 theme/ui:
-    - ui/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - ui/**/*
 # theme/windows:
 # thinking:
 # type/bug:
 type/ci:
-    - .github/workflows/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - .github/workflows/*
 # type/crash:
 type/docs:
-    - website/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - website/**/*
@@ -102,7 +102,8 @@ function verify_rpm {
     ${docker_image} \
     /scripts/verify_rpm.sh \
     "/workdir/${artifact_path}" \
-    "${expect_version}"
+    "${expect_version}" \
+    "${docker_image}"
 }
 
 # Arguments:

@@ -10,6 +10,10 @@ set -euo pipefail
 # report why it failed. This is meant to be run as part of the build workflow to verify the built
 # .rpm meets some basic criteria for validity.
 
+# Notably, CentOS 7 is EOL, so we need to point to the vault for updates. It's not clear what alternative
+# we may use in the future that supports linux/386 as the platform was dropped in CentOS 8+9. The docker_image
+# is passed in as the third argument so that the script can determine if it needs to point to the vault for updates.
+
 # set this so we can locate and execute the verify_bin.sh script for verifying version output
 SCRIPT_DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
 
@@ -20,6 +24,7 @@ function usage {
 function main {
   local rpm_path="${1:-}"
   local expect_version="${2:-}"
+  local docker_image="${3:-}"
   local got_version
 
   if [[ -z "${rpm_path}" ]]; then
@@ -34,6 +39,12 @@ function main {
     exit 1
   fi
 
+  if [[ -z "${docker_image}" ]]; then
+    echo "ERROR: docker image argument is required"
+    usage
+    exit 1
+  fi
+
   # expand globs for path names, if this fails, the script will exit
   rpm_path=$(echo ${rpm_path})
 
@@ -43,6 +54,12 @@ function main {
     exit 1
   fi
 
+  # CentOS 7 is EOL, so we need to point to the vault for updates
+  if [[ "$docker_image" == *centos:7 ]]; then
+    sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
+    sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
+  fi
+
   yum -y clean all
   yum -y update
   yum -y install which openssl