open-consul/.changelog
Freddy e4e306210a
Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 10:14:48 -07:00
7628.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
7899.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
7970.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8158.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8190.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8194.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8211.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8216.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8218.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8221.txt fix 1.9.0-beta1 changelog formatting (#8941) 2020-10-14 09:35:59 -05:00
8222.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8268.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8311.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8343.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8371.txt Introducing changelog-gen (#8387) 2020-08-06 23:15:29 +02:00
8458.txt Add http2 and grpc support to ingress gateways (#8458) 2020-08-27 15:34:08 -06:00
8470.txt update changelog snippet 2020-08-12 11:21:54 -05:00
8522.txt add primary keys to list keyring (#8522) 2020-08-18 09:50:24 +02:00
8537.txt Retroactively add changelog for PR 8537 2020-08-27 11:53:49 -04:00
8545.txt agent: expose the list of supported envoy versions on /v1/agent/self (#8545) 2020-08-26 10:04:11 -05:00
8547.txt agent: ensure that we normalize bootstrapped config entries (#8547) 2020-08-27 11:37:25 -05:00
8552.txt Added changelog for #8552 2020-08-28 23:01:04 +02:00
8560.txt Update vault CA for latest api client 2020-09-15 13:33:55 -07:00
8569.txt xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569) 2020-08-27 12:20:58 -05:00
8575.txt Add helpers to the API client to help with getting information from `AgentMember` tags (#8575) 2020-08-27 11:00:48 -04:00
8585.txt Create 8585.txt 2020-09-14 14:16:47 -06:00
8588.txt add entry for 8588 (#8650) 2020-09-10 18:53:36 +02:00
8596.txt connect: all config entries pick up a meta field (#8596) 2020-09-02 14:10:25 -05:00
8601.txt connect: fix bug in preventing some namespaced config entry modifications (#8601) 2020-09-02 10:47:19 -05:00
8602.txt api: create fresh http client for unix sockets (#8602) 2020-09-06 12:27:39 -04:00
8603.txt Changelog entry for usage metrics 2020-09-02 10:48:11 -05:00
8606.txt Add support for -ca-path option in the connect envoy command (#8606) 2020-09-08 12:16:16 +02:00
8646.txt Create 8646.txt 2020-09-15 10:05:23 -07:00
8685.txt Update .changelog/8685.txt 2020-09-15 17:56:06 -04:00
8694.txt changelog: add entries for ui_config and service metrics config (#8919) 2020-10-09 17:31:00 -04:00
8703.txt server: create new memdb table for storing system metadata (#8703) 2020-10-06 10:08:37 -05:00
8704.txt use service datacenter for dns name (#8704) 2020-09-22 20:34:09 +02:00
8726.txt Add changelog file 2020-09-25 12:03:49 -04:00
8731.txt Consul Service meta wrongly computes and exposes non_voter meta (#8731) 2020-10-09 17:18:24 -04:00
8741.txt agent: make the json/hcl decoding of ConnectProxyConfig fully work with CamelCase and snake_case (#8741) 2020-09-24 13:58:52 -05:00
8745.txt server: make sure that the various replication loggers use consistent logging (#8745) 2020-09-24 15:49:38 -05:00
8746.txt agent: enable enable_central_service_config by default (#8746) 2020-10-01 09:19:14 -05:00
8747.txt agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) 2020-09-24 16:24:04 -05:00
8764.txt api: support GetMeta() and GetNamespace() on all config entry kinds (#8764) 2020-09-29 09:11:57 -05:00
8771.txt Add changelog entry 2020-10-20 16:42:06 -04:00
8774.txt Merge pull request #9027 from hashicorp/release/1.8.5 2020-10-26 10:59:48 -04:00
8781.txt Add per-agent reconnect timeouts (#8781) 2020-10-08 15:02:19 -04:00
8784.txt Add changelog note 2020-10-09 08:01:55 -07:00
8786.txt server: ensure that we also shutdown network segment serf instances on server shutdown (#8786) 2020-09-30 16:23:43 -05:00
8787.txt Enhance the output of consul snapshot inspect (#8787) 2020-10-09 14:57:29 -05:00
8788.txt changelog: add entries for UI topology viz (#8918) 2020-10-09 17:29:14 -04:00
8822.txt changelog: update raft to v1.2.0 (#8901) 2020-10-09 11:28:13 -04:00
8834.txt connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) 2020-10-06 13:24:05 -05:00
8839.txt add missing changelog entry for #8839 2020-10-07 10:22:40 -05:00
8846.txt changelog: add entries for UI topology viz (#8918) 2020-10-09 17:29:14 -04:00
8855.txt command: remove conditional envoy bootstrap generation for versions <=1.10.0 since those are not supported (#8855) 2020-10-07 10:53:23 -05:00
8858.txt changelog: add entries for UI topology viz (#8918) 2020-10-09 17:29:14 -04:00
8875.txt agent: allow the /v1/connect/intentions/match endpoint to use the agent cache (#8875) 2020-10-08 14:51:53 -05:00
8877.txt add changelog entries for 8877 2020-10-09 12:38:57 -07:00
8924.txt Fix: service LocallyRegisteredAsSidecar property is not persisted 2020-10-13 19:38:58 +02:00
9002.txt changelog: add entries for 1.9.0-beta2 (#9129) 2020-11-06 17:18:47 -05:00
9006.txt cli: Add JSON and Pretty Print formatting for `consul snapshot inspect` (#9006) 2020-10-29 11:31:14 -05:00
9007.txt server: break up Intention.Apply monolithic method (#9007) 2020-11-13 09:15:39 -06:00
9008.txt changelog: add entries for 1.9.0-beta2 (#9129) 2020-11-06 17:18:47 -05:00
9024.txt Merge pull request #9027 from hashicorp/release/1.8.5 2020-10-26 10:59:48 -04:00
9059.txt changelog: add entries for 1.9.0-beta2 (#9129) 2020-11-06 17:18:47 -05:00
9081.txt changelog: add entries for 1.9.0-beta2 (#9129) 2020-11-06 17:18:47 -05:00
9088.txt changelog: add entries for 1.9.0-beta2 (#9129) 2020-11-06 17:18:47 -05:00
9098.txt Fix some minor wording issues 2020-11-11 11:33:38 -06:00
9099.txt changelog: add entries for 1.9.0-beta2 (#9129) 2020-11-06 17:18:47 -05:00
9101.txt agent: return the default ACL policy to callers as a header (#9101) 2020-11-12 10:38:32 -06:00
9103.txt Fixup the autopilot changelog (#9145) 2020-11-09 17:29:06 -05:00
9113.txt connect: switch the default gateway port from 443 to 8443 (#9116) 2020-11-06 20:47:29 -05:00
9119.txt Merge pull request #9155 from hashicorp/release/1.9.0-beta3 2020-11-13 16:45:50 -05:00
9141.txt ui: Changelog changes (#9209) 2020-11-17 10:35:56 -05:00
9142.txt Add changelog entry for autopilot state CLI (#9161) 2020-11-11 14:55:12 -05:00
9151.txt server: remove config entry CAS in legacy intention API bridge code (#9151) 2020-11-13 14:42:21 -06:00
9156.txt Add a parameter in state store methods to indicate whether a resource insertion is from a snapshot restoration (#9156) 2020-11-11 11:21:42 -05:00
9181.txt Trim to one deprecation entry 2020-11-13 14:31:14 -08:00
9186.txt server: skip deleted and deleting namespaces when migrating intentions to config entries (#9186) 2020-11-13 13:56:41 -06:00
9191.txt Refactor to call non-voting servers read replicas (#9191) 2020-11-17 10:53:57 -05:00
9198.txt changelog component should mention agent not just server 2020-11-16 15:54:24 -08:00
9204.txt Prevent panic if autopilot health is requested prior to leader establishment finishing. (#9204) 2020-11-16 17:08:17 -05:00
9207.txt Add DC and NS support for Envoy metrics (#9207) 2020-11-16 16:37:19 -07:00
9240.txt Require operator:write to get Connect CA config (#9240) 2020-11-19 10:14:48 -07:00
_619.txt Create _619.txt 2020-10-09 10:51:37 -04:00
_666.txt Add a parameter in state store methods to indicate whether a resource insertion is from a snapshot restoration (#9156) 2020-11-11 11:21:42 -05:00
_683.txt Add changelog entry for namespace licensing fix (#9203) 2020-11-16 15:45:55 -05:00
_8621.txt Adds changelog entry for snapshot agent improvement (#8622) 2020-09-04 14:07:57 -06:00
_8825.txt Add streaming changelog file 2020-10-13 18:16:33 -04:00
_8984.txt changelog: update to hashicorp/sentinel@v0.16.0 in Enterprise (#8984) 2020-10-26 12:32:44 -04:00
changelog.tmpl add template generation for entries tagged deprecation 2020-10-09 12:40:41 -07:00
note.tmpl changelog: fixup note.tmpl syntax 2020-10-09 22:44:51 -04:00