FOSSA-TEST

.changelog/18329.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+cli: Adds cli support for checking TCP connection for ports. If -ports flag is not given, it will check for
+default ports of consul listed here - https://developer.hashicorp.com/consul/docs/install/ports
+```

.changelog/19499.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+acl: add policy bindtype to binding rules.
+```

.changelog/19586.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fix being able to view peered services from non-default namnespaces
+```

.changelog/19594.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: move nspace and partitions requests into their selector menus
+```

.changelog/19647.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Add `CaseInsensitive` flag to service-routers that allows paths and path prefixes to ignore URL upper and lower casing.
+```

.changelog/19663.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Default `stats_flush_interval` to 60 seconds when using the Consul Telemetry Collector, unless custom stats sink are present or an explicit flush interval is configured.
+```

.changelog/19666.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+api: Add support for listing ACL tokens by service name when using templated policies.
+```

.changelog/19679.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+CLI: fix a panic when deleting a non existing policy by name.
+```

.changelog/19682.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+cloud: push additional server TLS metadata to HCP
+```

.changelog/19705.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update `github.com/golang-jwt/jwt/v4` to v4.5.0 to address [PRISMA-2022-0270](https://github.com/golang-jwt/jwt/issues/258).
+```

.changelog/19721.txt

@@ -0,0 +1,6 @@
+```release-note:improvement
+metrics: modify consul.client.rpc metric to exclude internal retries for consistency with consul.client.rpc.exceeded and consul.client.rpc.failed
+```
+```release-note:improvement
+metrics: increment consul.client.rpc.failed if RPC fails because no servers are accessible
+```

.changelog/19728.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+acl: add api-gateway templated policy
+```

.changelog/19735.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+acl: add templated policy descriptions
+```

.changelog/19795.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+wan-federation: use a hash to diff config entries when replicating in the secondary DC to avoid unnecessary writes..
+```

.changelog/19821.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+cli: Adds new subcommand `peering exported-services` to list services exported to a peer . Refer to the [CLI docs](https://developer.hashicorp.com/consul/commands/peering) for more information.
+```

.changelog/19827.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+acl: Adds nomad client templated policy
+```

.changelog/19829.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+mesh: parse the proxy-defaults protocol when write the config-entry to avoid parsing it when compiling the discovery chain.
+```

.changelog/19840.txt

@@ -0,0 +1,7 @@
+```release-note:security
+Upgrade to use Go 1.20.12. This resolves CVEs
+[CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283): (`path/filepath`) recognize \??\ as a Root Local Device path prefix (Windows)
+[CVE-2023-45284](https://nvd.nist.gov/vuln/detail/CVE-2023-45285): recognize device names with trailing spaces and superscripts (Windows)
+[CVE-2023-39326](https://nvd.nist.gov/vuln/detail/CVE-2023-39326): (`net/http`) limit chunked data overhead
+[CVE-2023-45285](https://nvd.nist.gov/vuln/detail/CVE-2023-45285): (`cmd/go`) go get may unexpectedly fallback to insecure git 
+```

.changelog/19860.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Solves an issue where two upstream services with the same name in different namespaces were not getting routed to correctly by API Gateways.
+```

.changelog/19866.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: ensure child resources are re-sent to Envoy when the parent is updated even if the child already has pending updates.
+```

.changelog/19871.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Add configurable `xds_fetch_timeout_ms` option to proxy registrations that allows users to prevent endpoints from dropping when they have proxies with a large number of upstreams.
+```

.changelog/19879.txt

@@ -0,0 +1,3 @@
+```release-note:security
+mesh: update supported envoy version 1.28.0 in addition to 1.25.11, 1.26.6, 1.27.2, 1.28.0 to address [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```

.changelog/19881.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Make TCP external service registered with terminating gateway reachable from peered cluster
+```

.changelog/19907.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: stop manually reconciling services if peering is enabled
+```

.changelog/19912.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: update token list on Role details page to show only linked tokens
+```

.changelog/19940.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Replace usage of deprecated Envoy fields `envoy.config.cluster.v3.Cluster.http2_protocol_options` and `envoy.config.bootstrap.v3.Admin.access_log_path`.
+```

.changelog/19943.txt

@@ -0,0 +1,3 @@
+```release-note:deprecation
+cli: Deprecate the `-admin-access-log-path` flag from `consul connect envoy` command in favor of: `-admin-access-log-config`.
+```

.changelog/19954.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Remove usage of deprecated Envoy field `match_subject_alt_names` in favor of `match_typed_subject_alt_names`.
+```

.changelog/19992.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+config-entries: Allow disabling request and idle timeouts with negative values in service router and service resolver config entries.
+```

.changelog/20010.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Replace usage of deprecated Envoy field `envoy.config.cluster.v3.Cluster.http_protocol_options`.
+```

.changelog/20011.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Replace usage of deprecated Envoy field `envoy.config.router.v3.WeightedCluster.total_weight`.
+```

.changelog/20012.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Replace usage of deprecated Envoy field `envoy.extensions.filters.http.lua.v3.Lua.inline_code`.
+```

.changelog/20013.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Replace usage of deprecated Envoy fields `envoy.config.route.v3.HeaderMatcher.safe_regex_match` and `envoy.type.matcher.v3.RegexMatcher.google_re2`.
+```

.changelog/20014.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade OpenShift container images to use `ubi9-minimal:9.3` as the base image.
+```

.changelog/20015.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+api: add a new api(/v1/exported-services) to list all the exported service and their consumers. 
+```

.changelog/20023.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update `golang.org/x/crypto` to v0.17.0 to address [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795).
+```

.changelog/20062.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Upgrade to use Go 1.21.6.
+```

.changelog/20078.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Replace usage of deprecated Envoy field `envoy.config.core.v3.HeaderValueOption.append`.
+```

.changelog/20111.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+UI: fix autofocus on search box when page refreshes on typing in it due to url change.
+```

.changelog/20112.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update RSA key generation to use a key size of at least 2048 bits.
+```

.changelog/20168.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+ProxyCfg: avoid setting a watch on `Internal.ServiceDump` when mesh gateway is not used.
+```
+
+```release-note:enhancement
+ProxyCfg: only return the nodes list when querying the `Internal.ServiceDump` watch from proxycfg
+```

.changelog/20220.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+cloud: unconditionally add Access-Control-Expose-Headers HTTP header
+```

.changelog/20299.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+v2: prevent use of the v2 experiments in secondary datacenters for now
+```

.changelog/20308.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+docs: add Link API documentation
+```

.changelog/20312.txt

@@ -0,0 +1,6 @@
+```release-note:feature
+cloud: Adds new API/CLI to initiate and manage linking a Consul cluster to HCP Consul Central
+```
+```release-note:breaking-change
+telemetry: Adds fix to always use the value of `telemetry.disable_hostname` when determining whether to prefix gauge-type metrics with the hostname of the Consul agent. Previously, if only the default metric sink was enabled, this configuration was ignored and always treated as `true`, even though its default value is `false`.
+```

.changelog/20331.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+cli: Adds new command `exported-services` to list all services exported and their consumers. Refer to the [CLI docs](https://developer.hashicorp.com/consul/commands/exported-services) for more information.
+```

.changelog/20345.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+  audit-logs: **(Enterprise Only)** Fixes non ASCII characters in audit logs because of gzip.
+```

.changelog/20352.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+logging: add /api prefix to v2 resource endpoint logs
+```

.changelog/20353.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+ui: adds V2CatalogEnabled to config that is passed to the ui
+```

.changelog/20359.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+ui: Adds a redirect and warning message around unavailable UI with V2 enabled
+```

.changelog/20406.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+mesh: Fix bug where envoy extensions could not be configured with "permissive" mTLS mode. Note that envoy extensions currently do not apply to non-mTLS traffic in permissive mode.
+```

.changelog/20417.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix regression with SAN matching on terminating gateways [GH-20360](https://github.com/hashicorp/consul/issues/20360)
+```

.changelog/20439.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+docs: Consul DNS Forwarding configuration for OpenShift update for [Resolve Consul DNS Requests in Kubernetes](https://developer.hashicorp.com/consul/docs/k8s/dns)
+```

.changelog/20481.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where re-persisting existing proxy-defaults using `http` protocol fails with a protocol-mismatch error.
+```

.changelog/20511.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Remove code coupling where the xDS capacity controller could negatively affect raft autopilot performance.
+```

.changelog/20514.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+hcp: fix error logs when failing to push metrics
+```

.changelog/20544.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+agent: Introduces a new agent config default_intention_policy to decouple the default intention behavior from ACLs
+```

.changelog/20545.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Upgrade to use Go 1.21.7.
+```

.changelog/20589.txt

@@ -0,0 +1,3 @@
+```release-note:security
+mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address [CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6), [CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26), [CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38), [CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch), [CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j), and [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```

.changelog/20642.txt

@@ -0,0 +1,7 @@
+```release-note:bug
+server: Ensure internal streams are properly terminated on snapshot restore.
+```
+
+```release-note:bug
+server: Ensure controllers are automatically restarted on internal stream errors.
+```

.changelog/20643.txt

@@ -0,0 +1,7 @@
+```release-note:feature
+dns: adds experimental support for a refactored DNS server that is v1 and v2 Catalog compatible. 
+Use `v2dns` in the `experiments` agent config to enable. 
+It will automatically be enabled when using the `resource-apis` (Catalog v2) experiment.
+The new DNS implementation will be the default in Consul 1.19.
+See the [Consul 1.18.x Release Notes](https://developer.hashicorp.com/consul/docs/release-notes/consul/v1_18_x) for deprecated DNS features.
+```

.changelog/20669.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+partitions: **(Enterprise only)** Allow disabling of Gossip per Partition
+```

.changelog/20672.txt

@@ -0,0 +1,3 @@
+```release-note: improvement
+xds: Improved the performance of xDS server side load balancing. Its slightly improved in Consul CE with drastic CPU usage reductions in Consul Enterprise.
+```

.changelog/20674.txt

@@ -0,0 +1,7 @@
+```release-note:breaking-change
+telemetry: State store usage metrics with a double `consul` element in the metric name have been removed. Please use the same metric without the second `consul` instead. As an example instead of `consul.consul.state.config_entries` use `consul.state.config_entries`
+```
+
+```release-note: improvement
+telemetry: Improved the performance usage metrics emission by not outputting redundant metrics.
+```

.changelog/20679.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+dns: SERVFAIL when resolving not found PTR records.
+```

.changelog/20715.txt

@@ -0,0 +1,6 @@
+```release-note:feature
+dns: queries now default to a refactored DNS server that is v1 and v2 Catalog compatible. 
+Use `v1dns` in the `experiments` agent config to disable. 
+The legacy server will be removed in a future release of Consul.
+See the [Consul 1.19.x Release Notes](https://developer.hashicorp.com/consul/docs/release-notes/consul/v1_19_x) for removed DNS features.
+```

.changelog/20801.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update `google.golang.org/protobuf` to v1.33.0 to address [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786).
+```

.changelog/20802.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Add ability to disable Auto Host Header Rewrite on Terminating Gateway at the service level
+```

.changelog/20812.txt

@@ -0,0 +1,14 @@
+```release-note:security
+Upgrade to use Go `1.21.8`. This resolves CVEs
+[CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`).
+[CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`).
+[CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`).
+[CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`).
+[CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`).
+```
+
+```release-note:security
+Update the Consul Build Go base image to `alpine3.19`. This resolves CVEs
+[CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425)
+[CVE-2023-52426⁠](https://nvd.nist.gov/vuln/detail/CVE-2023-52426)
+```

.changelog/20824.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+snapshot: Add `consul snapshot decode` CLI command to output a JSON object stream of all the snapshots data.
+```

.changelog/20866.txt

@@ -0,0 +1,7 @@
+```release-note:improvement
+api: Randomize the returned server list for the WatchServers gRPC endpoint.
+```
+
+```release-note:bug
+connect: Fix potential goroutine leak in xDS stream handling.
+```

.changelog/20867.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix xDS deadlock that could result in proxies being unable to start.
+```

.changelog/20868.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where Consul-dataplane xDS sessions would not utilize the streaming backend for wan-federated queries.
+```

.changelog/20873.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+gateways: api-gateway can leverage listener TLS certificates available on the gateway's local filesystem by specifying the public certificate and private key path in the new file-system-certificate configuration entry
+```

.changelog/20876.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+streaming: Handle ACL errors consistently when blocking query timeout is reached.
+```

.changelog/20897.txt

@@ -0,0 +1,3 @@
+```release-note:security
+ Bump Dockerfile base image to `alpine:3.19`. 
+ ```

.changelog/20899.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+dns: DNS-over-grpc when using `consul-dataplane` now accepts partition, namespace, token as metadata to default those query parameters.
+`consul-dataplane` v1.5+ will send this information automatically.
+```

.changelog/20910.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Update `vault/api` to v1.12.2 to address [CVE-2024-28180](https://nvd.nist.gov/vuln/detail/CVE-2024-28180) 
+(removes indirect dependency on impacted `go-jose.v2`)
+```

.changelog/20926.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+error running consul server in 1.18.0: failed to configure SCADA provider user's home directory path: $HOME is not defined
+```

.changelog/20945.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+gateways: service defaults configuration entries can now be used to set default upstream limits for mesh-gateways
+```