
Conversation

@hc-github-team-consul-core

Backport

This PR is auto-generated from #22598 to be assessed for backporting due to the inclusion of the label backport/1.21.

🚨 Warning: automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, not including, the commit where the merge conflict occurred.

The person who merged in the original PR is:
@sanikachavan5
This person should resolve the merge-conflict(s) by either:

  • Manually completing the cherry picks into this branch
  • Creating a new branch and manually cherry-picking all commits being backported

merge conflict error: unable to process merge commit: "7cb58052b8b1ae489d9ef99c168323d3aa878ed2", automatic backport requires rebase workflow

The below text is copied from the body of the original PR.


Description

Add explicit charset encoding to prevent an attacker from interpreting the output in a different encoding than intended.

Testing & Reproduction steps

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
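As an added example of the fix the PR description refers to (this is not code from the Consul PR or the Consul project): a Go `net/http` middleware that gives every text-like response an explicit `charset=utf-8` parameter when the handler set a bare media type, so a client that sniffs encodings has nothing to guess. The set of text-like media types, the sample handler and the request path are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// textLikeTypes is the set of media types this example treats as text, i.e.
// ones a client may decode under a guessed encoding when none is declared.
// The set is an assumption for this example, not Consul's own list.
var textLikeTypes = map[string]bool{
	"text/plain":             true,
	"text/html":              true,
	"text/css":               true,
	"application/json":       true,
	"application/javascript": true,
}

// WithCharset parses a Content-Type value and, for text-like media types
// that declare no charset, adds charset=utf-8. Values that already carry a
// charset, or that are not text-like, come back unchanged apart from
// canonical formatting. A malformed value is returned as an error so the
// caller decides what to send instead of silently emitting something odd.
func WithCharset(contentType string) (string, error) {
	mediaType, params, err := mime.ParseMediaType(contentType)
	if err != nil {
		return "", err
	}
	if textLikeTypes[mediaType] {
		if _, ok := params["charset"]; !ok {
			params["charset"] = "utf-8"
		}
	}
	return mime.FormatMediaType(mediaType, params), nil
}

// charsetWriter intercepts the moment response headers are committed and
// rewrites Content-Type through WithCharset. Once the underlying
// WriteHeader has run the header map is frozen, so this is the last point
// at which the fix can be applied.
type charsetWriter struct {
	http.ResponseWriter
	wroteHeader bool
}

func (w *charsetWriter) WriteHeader(code int) {
	if !w.wroteHeader {
		w.wroteHeader = true
		if ct := w.Header().Get("Content-Type"); ct != "" {
			if fixed, err := WithCharset(ct); err == nil {
				w.Header().Set("Content-Type", fixed)
			}
		}
	}
	w.ResponseWriter.WriteHeader(code)
}

// Write routes the implicit 200 through our WriteHeader so the header fix
// also runs for handlers that never call WriteHeader explicitly.
func (w *charsetWriter) Write(b []byte) (int, error) {
	if !w.wroteHeader {
		w.WriteHeader(http.StatusOK)
	}
	return w.ResponseWriter.Write(b)
}

// EnsureCharset wraps a handler so every response passes through charsetWriter.
func EnsureCharset(next http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&charsetWriter{ResponseWriter: rw}, r)
	})
}

// jsonHandler is a constructed handler that sets a bare media type, as an
// endpoint that forgot the charset would.
func jsonHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
}

// ResponseContentType drives h through EnsureCharset with a constructed
// request and returns the Content-Type header the client would receive.
func ResponseContentType(h http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/v1/status/leader", nil)
	EnsureCharset(h).ServeHTTP(rec, req)
	return rec.Result().Header.Get("Content-Type")
}

func main() {
	fmt.Println(ResponseContentType(jsonHandler)) // application/json; charset=utf-8
}
```

One caveat worth knowing: Go's server only sniffs a Content-Type when the handler set none at all, and that sniffing happens beneath this wrapper, so a handler that writes a body without ever setting a media type still ships without a charset. The wrapper hardens handlers that name a type; it does not replace the discipline of setting one.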


Overview of commits

abhishek-hashicorp and others added 30 commits March 3, 2025 18:39
* Init release 1.21

* Create nightly-test-integrations-1.21.x.yml

* Remove comma
* Upgrade go version

* Added changelog

* Update config.deepcopy.go

* Update .golangci.yml

* fix lint
* Upgrade crypto to 0.35.0

* Upgrade oauth and go-jose

* upgrade oauth and jose

* Added changelog
…API (#22220)

* Add the missing Service TaggedAddresses and Check Type fields to Txn API

* added changelog
…22227)

* Add session health check management and tests

* Refactor session health check management and update related tests

* Cleanup

---------

Co-authored-by: srahul3 <[email protected]>
* build(deps): bump go version to go1.24.1

* update: use 1.23.7 instead

* add changelog
* Fixes a couple of example commands

The `-name` option is not available; `-description` is used in its place.

set-agent-token is a sub-command of the acl command.

* This feature works with federated services only

This command does not work with peered clusters so needs to be clarified.
…22248)

* Add the missing Service TaggedAddresses and Check Type fields to Txn API

* added changelog

* Refactor Txn API to use AgentService and add TaggedAddresses support
* Update agent.mdx

Starting from Consul v1.20.1+ent, Consul supports using Azure Blob Storage for the snapshot agent via Azure Service Principal ID and Secret authentication. I've successfully tested this configuration in my lab environment and have added the relevant parameters to this documentation for completeness.

* Update website/content/commands/snapshot/agent.mdx

Co-authored-by: Blake Covarrubias <[email protected]>

* Update website/content/commands/snapshot/agent.mdx

Co-authored-by: Blake Covarrubias <[email protected]>

* Update website/content/commands/snapshot/agent.mdx

Co-authored-by: Blake Covarrubias <[email protected]>

* Update website/content/commands/snapshot/agent.mdx

Co-authored-by: Blake Covarrubias <[email protected]>

---------

Co-authored-by: Blake Covarrubias <[email protected]>
* Fix catalog service endpoint when querying for a peer service

* Add changelog file

* Add changes to docs. Add test

* Update website/content/api-docs/catalog.mdx

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Sreeram Narayanan <[email protected]>
Co-authored-by: nitin-sachdev-29 <[email protected]>
Co-authored-by: Jeff Boruszak <[email protected]>
* Update lock.mdx (Node Health Check and TTL)

Consul `lock` command update that captures why consul lock can act indefinitely when node checks are in place and how users can work around it by creating/managing their own session.

* Update website/content/commands/lock.mdx

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Jeff Boruszak <[email protected]>
* Fixed the following CVEs:
GHSA-vvgc-356p-c3xw in golang.org/x/[email protected]
GO-2025-3595 in golang.org/x/[email protected]
GO-2025-3553 in github.com/golang-jwt/jwt/[email protected]
GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/[email protected]
stdlib in Go [email protected]

* added changelog
* Fixed the following CVEs:
GHSA-vvgc-356p-c3xw in golang.org/x/[email protected]
GO-2025-3595 in golang.org/x/[email protected]
GO-2025-3553 in github.com/golang-jwt/jwt/[email protected]
GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/[email protected]
stdlib in Go [email protected]

* added changelog

* upgraded go to 1.23.8
feature: Adding configurable value to disable XDS Load balancing

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Jeff Boruszak <[email protected]>
* suppressing staticcheck lint warning

* upgraded hashicorp/go-discover to 1.0.0 version

* generated proto files
update iframe to videoembed
…22041)

* migration

* nav fixes

* nav

* Missing top-level pages

* nav/content alignment

* partial path update

* Partial fixes

* Partial updates

* partial paths

* erroneous replacement fix

* 3 page migration (test)

* /agent migration

* CA, cluster peering, & config entries

* connect -> Gateways

* connect

* connect

* nav

* Dynamic app config

* ecs

* Tutorials -> docs

* Tutorials moved

* Updated nav with tutorials in docs

* enterprise, install, and k8s through k8s/connect

* k8s deployment

* finished k8s migration

* lambda, nia, nomad

* nav fixes

* security and discovery

* service & upgrade

* final page migrations

* Nav update

* Change navigation and page placement

* Revert "Change navigation and page placement"

This reverts commit 0934235.

* Change navigation and page placement

* Fixed broken include.

* Updated sync consul service catalog with aws cloud map page.

* Update to match page use of cloud map - AWS separates the two words.

* Updated register services into a namespace docs page.

* Updated explore the consul ui page.

* Refactor HAProxy tutorial into usage doc

* re-org

* architecture and fundamentals

* duplicate page deleted

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* Moved consul-aws cli reference to its own page.

* partial fix

* Fix links and next steps

* install and dev mode pages

* CodeBlocks

* env var page

* title changes

* Aligning with tracker

* nav fixes

* tracking alignment

* Nav fixes

* content checker fixed

* Partial path fixes

* more partial fixes

* remove v2 reference

* nav/title adjustments

* first 64 find and replaces

* /connect and /consul-vs-other

* through /nia

* finish docs paths

* tutorial link paths

* Redirects

* Redirect updates

* another tutorials redirect fix

* link path updates

* security architecture

* Raft backend architecture

* Deploy Consul overview

* Fixes to redirect tests

* Redirects

* More redirect fixes

* Updated link path replacements

* README draft

* README

* More readme

* Readme

* Deploy server overview

* Deploy client agents and dataplanes

* cloud auto join page move

* Manage Consul

* Clean up

* Consul template structure and first content

* page name and filepath changes

* Index updates

* typo

* VMs index page

* Consul template documentation

* disaster recovery and openshift guides (#11)

* docs: disaster recovery
* docs: openshift

* adding OpenShift Local to CRC naming convention
* Openshift page restructure
* add redundancy-zones link
* update openshift guide versions

Co-authored-by: Jeff Boruszak <[email protected]>
Co-authored-by: boruszak <[email protected]>
Co-authored-by: Jeff Boruszak <[email protected]>

* /connect

* /connect/vm

* /connect/k8s

* /fundamentals/cli

* /fundamentals/cli and /register/service/nomad

* /fundamentals/api

* /fundamentals/editions (and remove env-var)

* /fundamentals/tf and finish /fundamentals/editions

* /fundamentals/identity

* Fixes for working preview

* Fundamentals updates

* Agent page updates

* Agent reference restructure

* Redirects update

* CT config

* References with links and defaults

* Some workflow fixes

* Fix some links and images

* Gossip and TLS with vault first changes

* Gossip and TLS with vault first changes

* Replace consul.io for URL deprecation

* Bug Bash fixes

* More bug bash fixes

* nav fix

* Final bug bash fixes

* Vault TLS consul-template

* Name the tool Consul Template

* Move auto_config in config reference

* Fix links

* Updates to architecture

* Architecture and use case updates

* QoL improvements

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* Glossary improvements

* Updates

* README updates

* Finetuning

* final readme updates

* Link path changes to fix 500 errors

* linkcheck fixes round 2

* round 3 500 error fixes

* Errors fixes round 4

* CE-827: adding k8s and openshift tshoot info

* Revert "CE-827: adding k8s and openshift tshoot info"

This reverts commit a02f21d.

* Redhat category rename

* Readme updates

* CE-846 content and screenshots

* Ref/agent remove index; add auto-config file

* Fix broken links due to configuration-file dir

* CE-851 content and images

* Fix content-check errors

* lock update + move autopilot

* v1.21 updates & release notes

* IA/Content strategy readme finalizations

* Inline image fix

* real img fix

* More README + consul.d in agent fundamentals

* reviewed dataplane architecture content

* review rest of completed drafts in arch

* persona/directory index

* reviewed fundamentals

* Readme toc and final updates

* re-order some sections

* Final toc for readme

* move inline examples to Example section where it made sense.

* Ce-835: DNS views (#16)

* CE-835 DNS forwarding in OpenShift

* CE-835 DNS views in OpenShift

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Jeff Boruszak <[email protected]>

* CE-827: Troubleshoot OpenShift (#17)

* CE-827: adding k8s and openshift tshoot info

* CE-827: adding openshift import-image info

* CE-827: import-image timeout

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Jeff Boruszak <[email protected]>

* CE-833: OpenShift page updates (#18)

* CE-833: updater versions

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Jeff Boruszak <[email protected]>

* CE-825: Consul on OpenShift Index Page (#19)

* CE-825: Consul on OpenShift Index Page

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Jeff Boruszak <[email protected]>

* telemetry

* configuration file index

* ESM and release notes updates

* Apply suggestions from code review

Co-authored-by: Tu Nguyen <[email protected]>

* Apply suggestions from code review

Co-authored-by: Tu Nguyen <[email protected]>

* fixes for content check

* partial fix

* Merge resolution changes

* Agent: Fix remaining links to reference/agent#

* Copy edits

* Update HAProxy load balance guide

* review manage/dns

* multi-tenant/sameness-group/vm

* multi-tenant/samenessgroup/k8s

* secure

* deploy

* CE-834: Upgrade OpenShift (#25)

* upgrade openshift deployment

* openshift: improve upgrade article

* openshift: add redhat word to openshift term

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* revision after code review

---------

Co-authored-by: Jeff Boruszak <[email protected]>

* Cleanup, especially Agent references

* content fixes

* Error fix

---------

Co-authored-by: Daniele Carcasole <[email protected]>
Co-authored-by: danielehc <[email protected]>
Co-authored-by: Anthony <[email protected]>
Co-authored-by: Krastin Krastev <[email protected]>
Co-authored-by: danielehc <[email protected]>
Co-authored-by: Aimee Ukasick <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>
Missing <CodeBlockConfig> added
* table to partial conversion plus updates

* k8s version update
* fix: updated grpc config for partition endpoint

* minor cleanup
* Fix IPv6 address handling in LAN <-> WAN join flooder

When `advertise_addr` is an IPv6 address, Consul WAN federation breaks
and we get a constant stream of warnings:
```
[WARN]  agent.server.memberlist.wan: memberlist: Failed to resolve
i-02a3c94b46768b01f.aws-eu-west-1/2a05:d018:18a3:f202:64d9:1621:ab22:df45:8302:
lookup 2a05:d018:18a3:f202:64d9:1621:ab22:df45:8302: no such host
```

The LAN <-> WAN join flooder creates IPv6 addresses without square
brackets with `fmt.Sprintf("%s:%d", addr, s.WanJoinPort)`, which
confuses `net.SplitHostPort` in `memberlist.resolveAddr`.

Fixes #22225

* add changelog
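The commit message above describes the failure mode; as an added example (not the committer's code and not taken from Consul or memberlist), the following Go program shows the `fmt.Sprintf("%s:%d", ...)` form next to `net.JoinHostPort` and runs both through `net.SplitHostPort`, which is the step a resolver has to perform first. The sample addresses and the `HostOf` helper are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// Constructed sample addresses for the demonstration; not from any real node.
const (
	sampleIPv6 = "2a05:d018:18a3:f202:64d9:1621:ab22:df45"
	sampleIPv4 = "10.1.2.3"
	wanPort    = 8302
)

// NaiveHostPort is the pattern the commit message describes: host and port
// joined with fmt.Sprintf, which leaves an IPv6 literal unbracketed.
func NaiveHostPort(addr string, port int) string {
	return fmt.Sprintf("%s:%d", addr, port)
}

// SafeHostPort uses net.JoinHostPort, which wraps a host containing ':' in
// square brackets so the result round-trips through net.SplitHostPort.
// IPv4 addresses and hostnames come out exactly as the naive form does.
func SafeHostPort(addr string, port int) string {
	return net.JoinHostPort(addr, strconv.Itoa(port))
}

// HostOf mimics the first thing a resolver such as memberlist.resolveAddr
// must do: split the string into host and port. It returns the host, or an
// error when the string is not a valid host:port pair. For an unbracketed
// IPv6 literal SplitHostPort fails with "too many colons in address".
func HostOf(hostPort string) (string, error) {
	host, _, err := net.SplitHostPort(hostPort)
	if err != nil {
		return "", err
	}
	return host, nil
}

func main() {
	for _, addr := range []string{sampleIPv6, sampleIPv4} {
		for _, hp := range []string{NaiveHostPort(addr, wanPort), SafeHostPort(addr, wanPort)} {
			host, err := HostOf(hp)
			fmt.Printf("%-50s -> host=%q err=%v\n", hp, host, err)
		}
	}
}
```

The practical rule this illustrates: never assemble a host:port string by concatenation in code that may see IPv6; go through `net.JoinHostPort` and the bracketing, and therefore the later split and DNS lookup, take care of themselves.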
Updated the list with newer patch versions for supported Envoy releases while removing outdated entries. This ensures compatibility and aligns with the latest supported versions documented by Consul's Envoy proxy guidelines.
…R requests (#22376)

* Added default namespace and partition check before signing CA certificate in Consul CE
anilvpatel and others added 6 commits August 19, 2025 14:05
* add: testcase for IPv6 scenarios in peering establish api
* CE-754 page creation

* CE-754 - Add navigation

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Jeff Boruszak <[email protected]>
* sec: perform constant time compare for sensitive values

* add changelog
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/sanikachavan5/SECVULN-8628-add-charset-wherever-applicable/frequently-hopeful-yak branch from 784d096 to 623202b on August 25, 2025 11:21
Auto approved Consul Bot automated PR

@github-actions github-actions bot added type/docs Documentation needs to be created/updated/clarified theme/api Relating to the HTTP API interface theme/health-checks Health Check functionality theme/cli Flags and documentation for the CLI interface theme/config Relating to Consul Agent configuration, including reloading theme/ui Anything related to the UI theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/ci Relating to continuous integration (CI) tooling for testing or releases pr/dependencies PR specifically updates dependencies of project theme/envoy/xds Related to Envoy support theme/contributing Additions and enhancements to community contributing materials theme/internals Serf, Raft, SWIM, Lifeguard, Anti-Entropy, locking topics theme/consul-terraform-sync Relating to Consul Terraform Sync and Network Infrastructure Automation labels Aug 25, 2025
@hashicorp-cla-app

hashicorp-cla-app bot commented Aug 25, 2025

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


28 out of 29 committers have signed the CLA.

  • abhishek-hashicorp
  • nitin-sachdev-29
  • srahul3
  • nickwales
  • dduzgun-security
  • SuyashHashiCorp
  • arnabkaycee
  • Vikramarjuna
  • KleeKitz
  • natemollica-nm
  • jorgemarey
  • im2nguyen
  • Moose1301
  • sujay-hashicorp
  • boruszak
  • sreeram77
  • tkren
  • mrgupta7
  • markcampv
  • pajay-rao
  • kswap
  • anilvpatel
  • krastin
  • krutibaraiya
  • 20sr20
  • sanikachavan5
  • suresh-hashicorp
  • danielehc
  • compliance-pr-automation-bot[bot]


@sanikachavan5 sanikachavan5 deleted the backport/sanikachavan5/SECVULN-8628-add-charset-wherever-applicable/frequently-hopeful-yak branch August 26, 2025 12:50
