
ent-changelog-1.20.12

Breaking Changes
📦 consul-connect
1 breaking · 3 features · 🐛 6 fixes · 1 deprecation · 🔧 5 symbols

Summary

This release focuses heavily on security fixes, addressing path traversal and DoS vulnerabilities, and introduces new enterprise utilization reporting APIs and CLI commands. It also includes substantial modernization of the Consul UI codebase.

⚠️ Breaking Changes

  • Added key name validation on the key/value endpoint, together with the `DisableKVKeyValidation` config option to disable or enable it, to fix path traversal attacks. Users relying on key names that previously bypassed validation may now see failures.

Migration Steps

  1. If you rely on specific key names in the key/value endpoint that previously bypassed validation, you may need to update them or explicitly set `DisableKVKeyValidation` to false if you wish to maintain the old behavior (though this is discouraged due to security fixes).
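A pre-upgrade audit for the migration step above, as an added example that is not code from the Consul project: it flags existing key names that look like path traversal so they can be renamed before validation starts rejecting them. The rules it applies (dot segments, percent-encoded dot segments, backslash separators) are assumptions, not Consul's actual validation rules, and the function names and sample listing are constructed for illustration.

```python
import json
from urllib.parse import unquote

# Constructed sample: a JSON array of key names, the shape returned by a
# key listing such as GET /v1/kv/?keys. Replace with a real export.
SAMPLE_KEYS_JSON = json.dumps([
    "app/config/db",
    "app/../secrets/token",
    "web/%2e%2e/admin",
    "releases/v1.2/notes.txt",
    "win\\..\\system",
    "folder/",
    "./relative",
])

def _dot_segments(path):
    # Split on both separators; "v1.2" and "notes.txt" are not dot segments.
    return [s for s in path.replace("\\", "/").split("/") if s in (".", "..")]

def _fully_decoded(key, rounds=3):
    # Undo nested percent-encoding (e.g. %252e) with a bounded loop.
    for _ in range(rounds):
        decoded = unquote(key)
        if decoded == key:
            break
        key = decoded
    return key

def traversal_reasons(key):
    """Return the reasons a key name looks like path traversal (assumed rules)."""
    reasons = []
    if _dot_segments(key):
        reasons.append("dot-segment")
    elif _dot_segments(_fully_decoded(key)):
        reasons.append("percent-encoded dot-segment")
    if "\\" in key:
        reasons.append("backslash separator")
    return reasons

def audit(keys_json):
    """Map each suspicious key in a JSON key listing to its reasons."""
    keys = json.loads(keys_json)
    if not isinstance(keys, list) or not all(isinstance(k, str) for k in keys):
        raise ValueError("expected a JSON array of key names")
    return {k: r for k in keys if (r := traversal_reasons(k))}

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_KEYS_JSON).items():
        print(f"{key!r}: {', '.join(reasons)}")
```
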

✨ New Features

  • Added a new API endpoint (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting.
  • Added new subcommand `consul operator utilization [-today-only] [-message] [-y]` to generate a census utilization snapshot bundle.
  • Census metrics collection is now always enabled with a configurable option to export it to HashiCorp Reporting.

🐛 Bug Fixes

  • Fixed proxied URL path validation to prevent path traversal.
  • Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks.
  • Added a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks.
  • Fixed `consul operator utilization --help` to show only available options without extra parameters.
  • Fixed issue where namespaces were disappearing and the Welcome to Namespace screen showed up after tab switching in the UI.
  • Fixed issue where the three dots on the right hand side stopped responding after the first delete when deleting multiple tokens or policies.

🔧 Affected Symbols

  • /v1/operator/utilization
  • consul operator utilization
  • DisableKVKeyValidation
  • Route#renderTemplate
  • send action instances

⚡ Deprecations

  • The UI removed usage of deprecated Ember features like computed property overrides, Route#renderTemplate, and send action instances as part of upgrading to Ember v4.