1.18.2 (May 14, 2024)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

• Bump Dockerfile base image to alpine:3.19. [GH-20897]
• Update vault/api to v1.12.2 to address CVE-2024-28180 (removes indirect dependency on impacted go-jose.v2) [GH-20910]
• Upgrade Go to use 1.21.10. This addresses CVEs CVE-2024-24787 and CVE-2024-24788 [GH-21074]
• Upgrade to support Envoy 1.26.8, 1.27.4, 1.27.5, 1.28.2 and 1.28.3. This resolves CVEs CVE-2024-27919 (http2). [GH-20956] and CVE-2024-32475 (auto_sni). [GH-21030]
• Upgrade to support k8s.io/apimachinery v0.18.7 or higher. This resolves CVE CVE-2020-8559. [GH-21034]
• Upgrade to use Go 1.21.9. This resolves CVE CVE-2023-45288 (http2). [GH-20956]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE CVE-2023-45288 (x/net). [GH-20956]

IMPROVEMENTS:

• gateways: service defaults configuration entries can now be used to set default upstream limits for mesh-gateways [GH-20945]
• connect: Add ability to disable Auto Host Header Rewrite on Terminating Gateway at the service level [GH-20802]

BUG FIXES:

• dns: fix a bug with sameness group queries in DNS where responses did not respect DefaultForFailover. DNS requests against sameness groups without this field set will now error as intended.
• error running consul server in 1.18.0: failed to configure SCADA provider user's home directory path: $HOME is not defined [GH-20926]
• server: fix Ent snapshot restore on CE when CE downgrade is enabled [GH-20977]
• xds: Make TCP external service registered with terminating gateway reachable from peered cluster [GH-19881]