Releases: hashicorp/consul
Releases · hashicorp/consul
v1.22.0-rc1
1.22.0-rc1 (September 30, 2025)
SECURITY:
- connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
FEATURES:
- Added support to register a service in consul with multiple ports [GH-22769]
- agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
- install: Updated license information displayed during post-install
- ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
- oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]
IMPROVEMENTS:
- api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
- cmd: Added new subcommand
consul operator utilization [-today-only] [-message] [-y]to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise
http: Added a new API Handler for/v1/operator/utilization. Core functionality to be implemented in consul-enterprise
agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843] - cli:
snapshot agentnow supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171] - command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
- connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
- proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
- ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
- ui: Replace yarn with pnpm for package management [GH-22790]
- ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]
BUG FIXES:
- ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
- ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
- ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
v1.21.5
1.21.5 (September 21, 2025)
SECURITY:
- Migrate transitive dependency from archived
mitchellh/mapstructuretogo-viper/mapstructureto v2 to address CVE-2025-52893. [GH-22581] - agent: Add the KV Validations to block path traversal allowing access to unauthorized endpoints. [GH-22682]
- agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [GH-22534]
- agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [GH-22626]
- api: add charset in all applicable content-types. [GH-22598]
- connect: Upgrade envoy version to 1.34.7 [GH-22735]
- security: Fix GHSA-65rg-554r-9j5x (CVE-2024-48908) by upgrading lycheeverse/lychee-action. [GH-22667]
- security: Fix a security vulnerability where the attacker could bypass authentication by passing url params as there was no validation on them. [GH-22612]
- security: perform constant time compare for sensitive values. [GH-22537]
- security: upgrade go version to 1.25.0 [GH-22652]
- security:: (Enterprise only) fix nil pointer dereference.
- security:: (Enterprise only) fix potential race condition in partition CRUD.
- security:: (Enterprise only) perform constant time compare for sensitive values.
FEATURES:
- config: Add new parameter
max_request_headers_kbto configure maximum header size for requests from downstream to upstream [GH-22604] - config: Handle a new parameter
max_request_headers_kbto configure maximum header size for requests from downstream to upstream in API Gateway config and proxy-defaults [GH-22679] - config: Handle a new parameter
max_request_headers_kbto configure maximum header size for requests from downstream to upstream in Mesh Gateway via service-defaults and proxy-defaults [GH-22722] - config: Handle a new parameter
max_request_headers_kbto configure maximum header size for requests from downstream to upstream in Terminating Gateway service-defaults and proxy-defaults [GH-22680]
IMPROVEMENTS:
- cli: add troubleshoot ports in debug command. A ports.json file is created, which lists the open or closed ports on the host where the command is executed. [GH-22624]
BUG FIXES:
- agent: Don't show admin partition during errors [GH-11154]
v1.21.4
1.21.4 (August 13, 2025)
SECURITY:
- security: Update Go to 1.23.12 to address CVE-2025-47906 [GH-22547]
IMPROVEMENTS:
- ui: Replaced internal code editor with HDS (HashiCorp Design System) code editor and code block components for improved accessibility and maintainability across the Consul UI. [GH-22513]
BUG FIXES:
- cli: capture pprof when ACL is enabled and a token with operator:read is used, even if enable_debug config is not explicitly set. [GH-22552]
v1.21.3
1.21.3 (July 18, 2025)
IMPROVEMENTS:
- ui: Improved display and handling of IPv6 addresses for better readability and usability in the Consul web interface. [GH-22468]
BUG FIXES:
v1.21.2
1.21.2 (June 17, 2025)
SECURITY:
- security: Upgrade UBI base image version to address CVE
CVE-2025-4802
CVE-2024-40896
CVE-2024-12243
CVE-2025-24528
CVE-2025-3277
CVE-2024-12133
CVE-2024-57970
CVE-2025-31115 [GH-22409] - cli: update tls ca and cert create to reduce excessive file perms for generated public files [GH-22286]
- connect: Added non default namespace and partition checks to ConnectCA CSR requests. [GH-22376]
- security: Upgrade Go to 1.23.10. [GH-22412]
IMPROVEMENTS:
- config: Warn about invalid characters in
datacenterresulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [GH-22382] - connect: Use net.JoinHostPort for host:port formatting to handle IPv6. [GH-22359]
BUG FIXES:
- http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [GH-22381]
- license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [GH-10668]
- wan-federation: Fixed an issue where advertised IPv6 addresses were causing WAN federation to fail. [GH-22226]
v1.21.1
1.21.1 (May 21, 2025)
FEATURES:
- xds: Extend LUA Script support for API Gateway [GH-22321]
- xds: Added a configurable option to disable XDS session load balancing, intended for scenarios where an external load balancer is used in front of Consul servers, making internal load balancing unnecessary.
IMPROVEMENTS:
- http: Add peer query param on catalog service API [GH-22189]
1.21.0 (Enterprise)
1.21.0 Enterprise (May 06, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
FEATURES:
- config: add UseSNI flag in remote JSONWebKeySet
agent: send TLS SNI in remote JSONWebKeySet [GH-22177] - v2: remove HCP Link integration [GH-21883]
IMPROVEMENTS:
- raft: add a configuration
raft_prevote_disabledto allow disabling raft prevote [GH-21758] - raft: update raft library to 1.7.0 which include pre-vote extension [GH-21758]
- SubMatView: Log level change from ERROR to INFO for subject materialized view as subscription creation is retryable on ACL change. [GH-22141]
- ui: Adds a copyable token accessor/secret on the settings page when signed in [GH-22105]
- xDS: Log level change from ERROR to INFO for xDS delta discovery request. Stream can be cancelled on server shutdown and other scenarios. It is retryable and error is a superfluous log. [GH-22141]
v1.20.7 (Enterprise)
1.20.7 Enterprise (May 21, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
FEATURES:
- xds: Added a configurable option to disable XDS session load balancing, intended for scenarios where an external load balancer is used in front of Consul servers, making internal load balancing unnecessary.
- xds: Extend LUA Script support for API Gateway
IMPROVEMENTS:
- http: Add peer query param on catalog service API [GH-22189]
v1.21.0
1.21.0 (May 06, 2025)
FEATURES:
- Simplified external service discovery (Agentless/Gossipless)
- Google Cloud Storage support for K8s snapshots
- OpenShift 4.17 support
- Pod Security Admissions compatibility
- Refreshed documentation structure
- Support for TLS SNI in remote JSONWebKeySet [GH-22177]
🔗 Link to full release details
IMPROVEMENTS:
- raft: add a configuration
raft_prevote_disabledto allow disabling raft prevote [GH-21758] - raft: update raft library to 1.7.0 which include pre-vote extension [GH-21758]
- SubMatView: Log level change from ERROR to INFO for subject materialized view as subscription creation is retryable on ACL change. [GH-22141]
- ui: Adds a copyable token accessor/secret on the settings page when signed in [GH-22105]
- xDS: Log level change from ERROR to INFO for xDS delta discovery request. Stream can be cancelled on server shutdown and other scenarios. It is retryable and error is a superfluous log. [GH-22141]
v1.19.9 (Enterprise)
1.19.9 Enterprise (May 21, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
IMPROVEMENTS:
- http: Add peer query param on catalog service API [GH-22189]