Skip to content

v1.2.6

Choose a tag to compare

View all tags
@lgfa29 lgfa29 released this 10 Feb 20:21
· 5562 commits to main since this release
v1.2.6
95514d5

1.2.6 (February 9, 2022)

BACKWARDS INCOMPATIBILITIES:

  • ACL authentication is now required for the Nomad API job parse endpoint to address a potential security vulnerability

SECURITY:

  • Add ACL requirement and HCL validation to the job parse API endpoint to prevent excessive CPU usage. CVE-2022-24685 [GH-12038]
  • Fix race condition in use of go-getter that could cause a client agent to download the wrong artifact into the wrong destination. CVE-2022-24686 [GH-12036]
  • Prevent panic in spread iterator during allocation stop. CVE-2022-24684 [GH-12039]
  • Resolve symlinks to prevent unauthorized access to files outside the allocation directory. CVE-2022-24683 [GH-12037]
Assets 2
Loading