
ent-changelog-1.19.4

📦 consul-connect
1 breaking · 4 features · 🐛 4 fixes · 🔧 7 symbols

Summary

The Consul 1.19.4 Enterprise release focuses heavily on security fixes and dependency updates, and it introduces path normalization enforcement in Enterprise mesh proxies as a breaking change. It also adds new matching capabilities for L7 Intentions in Enterprise environments.

⚠️ Breaking Changes

  • mesh: (Enterprise Only) Envoy `HttpConnectionManager.normalize_path` is now enabled by default on inbound traffic to mesh proxies, resolving CVE-2024-10005. Users relying on unnormalized paths must adjust configurations.

Migration Steps

  1. If you are using Enterprise mesh proxies and rely on unnormalized inbound paths, review the impact of enabling Envoy `HttpConnectionManager.normalize_path` by default.
  2. If you are using Enterprise L7 Intentions, you can now use `contains` and `ignoreCase` for HTTP header matching.
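One way to carry out the review in step 1 is to scan existing access logs for request paths that normalization would rewrite. The script below is an added example, not Consul or Envoy code: it models only RFC 3986 dot-segment removal as an approximation of `normalize_path` (percent-encoded sequences and slash merging are not modeled), and the function names, log format and sample lines are constructed for illustration.

```python
# Added example: approximate RFC 3986 dot-segment removal to find logged
# request targets that would be rewritten once path normalization is enabled.
# Hypothetical helper names; not part of Consul or Envoy.

def normalize_path(target: str) -> str:
    """Remove "." and ".." segments from the path part of a request target."""
    path, sep, query = target.partition("?")
    kept = []
    for seg in path.split("/")[1:]:      # request paths start with "/"
        if seg == ".":
            continue
        if seg == "..":
            if kept:
                kept.pop()
            continue
        kept.append(seg)                 # empty segments ("//") are kept as-is
    result = "/" + "/".join(kept)
    if path.endswith(("/.", "/..")) and not result.endswith("/"):
        result += "/"                    # RFC 3986 5.2.4 leaves a trailing slash
    return result + sep + query


def audit(log_lines):
    """Return (original, normalized) pairs for targets that would change."""
    changed = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2 or not fields[1].startswith("/"):
            continue                     # skip malformed lines
        normalized = normalize_path(fields[1])
        if normalized != fields[1]:
            changed.append((fields[1], normalized))
    return changed


# Constructed sample lines in an assumed "METHOD TARGET STATUS" format.
SAMPLE_LOG = [
    "GET /api/v1/users 200",
    "GET /static/./logo.png 200",
    "GET /public/../admin/config?verbose=1 200",
    "POST /reports/2024/.. 200",
    "GET /files//archive.tgz 200",
]

if __name__ == "__main__":
    for original, normalized in audit(SAMPLE_LOG):
        print(f"{original} -> {normalized}")
```

Any path the audit reports is one where routing or intention matching may see a different value after the upgrade, so the services and intentions handling those paths are the ones to review first.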

✨ New Features

  • mesh: (Enterprise Only) Added `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values (resolves CVE-2024-10006).
  • mesh: (Enterprise Only) Added `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization (resolves CVE-2024-10005 and CVE-2024-10006).
  • snapshot agent: (Enterprise Only) Implemented Service Principal Auth for snapshot agent on Azure.
  • xds: Configured Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS".

🐛 Bug Fixes

  • Removed ability to use bexpr to filter results without ACL read on endpoint.
  • Resolved an issue where HCL would allow duplicates of the same key in ACL policy configuration.
  • Fixed a bug in proxycfg where peered upstream watches are canceled even when another target needs them.
  • Ensured that identical manual virtual IP updates do not bump the modify indexes in state.

🔧 Affected Symbols

  • mesh
  • Envoy
  • bexpr
  • acl policy configuration
  • proxycfg
  • peered upstreams watches
  • virtual IP updates