apitech/loki - loki - Gitea: Git with a cup of tea

Commit Graph

Author	SHA1	Message	Date
Ed Welch	824f5aa20a	chore: fix submodule for v3 (#12438 ) Signed-off-by: Edward Welch <edward.welch@grafana.com>	1 year ago
Ed Welch	4c88be0ef2	chore: update loki modules for 3.0 release (#12433 ) Signed-off-by: Edward Welch <edward.welch@grafana.com>	1 year ago
renovate[bot]	6665685888	fix(deps): update golang.org/x/exp digest to a685a6e (main) (#11155 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Michel Hollands <42814411+MichelHollands@users.noreply.github.com>	1 year ago
Paul Rogers	bd2ee0b64d	test: Update azure-storage-blob-go to include a data race fix (#12325 )	1 year ago
Paulin Todev	d54e0871d4	chore(deps): Update Prometheus in Loki and Promtail (#12245 ) This PR updates the Prometheus dependency in Loki and Promtail. The PR is required so that we can also update Grafana Agent to the latest Prometheus. Unfortunately, Promtail and Loki share the same go.mod file.	1 year ago
Michel Hollands	a6d1e7bdbb	fix: update google.golang.org/protobuf to v1.33.0 (#12269 ) Signed-off-by: Michel Hollands <michel.hollands@gmail.com>	1 year ago
Cyril Tovena	cdb934ccee	feat(blooms): Dedupe download queue items to reduce queue size (#12222 )	1 year ago
renovate[bot]	0660cfc9df	fix(deps): update github.com/axiomhq/hyperloglog digest to 24bca3a (main) (#11756 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	1 year ago
Paul Rogers	472496feb7	Parse JSON String arrays properly so string elements can be retrieved (#11921 ) What this PR does / why we need it: This PR imports the newly forked grafana/jsonparser over the buger/jsonparser module. The latter has seemingly been abandoned. PR 10690 introduces a fix to the jsonparser module, which has been incorporated into the grafana fork of the module. The PR is designed to fix accessing string array elements from within a JSON structure. For example, with the following JSON: `{"log":{"message":{"content":{"misses":["a","b","c","d"]}}}}` The Loki code, before this PR, when searching for `json misses = "log.message.content.misses[0]" ` will result in an "Unknown value type error". After this PR is merged, the result will assign `a` to the `misses` variable. Which issue(s) this PR fixes: Fixes #[9179](https://github.com/grafana/loki/issues/9179) https://github.com/grafana/loki/pull/10690 Special notes for your reviewer: Checklist - [x] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [ ] Documentation added - [x] Tests updated - [x] `CHANGELOG.md` updated - [x] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [ ] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`) - [ ] If the change is deprecating or removing a configuration option, update the `deprecated-config.yaml` and `deleted-config.yaml` files respectively in the `tools/deprecated-config-checker` directory. [Example PR](`0d4416a4b0`)	1 year ago
Christian Haudum	73edf7a943	(chore) Bloomshipper: Separate store and client (#11865 ) What this PR does / why we need it: This PR removes the `StoreAndClient` interface that was accepted by the `BloomShipper`. Since the `BloomStore` had to not only implement the `Store` interface, but also the `Client` interface, it caused re-implementation of the same methods in different ways. Now the shipper solely relies on the `Store` interface. See individual commit messages for more context. Tests have been rewritten from scratch and placed in their own respective test files for store and client. --------- Signed-off-by: Christian Haudum <christian.haudum@gmail.com>	1 year ago
renovate[bot]	a627fb6aa1	chore(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (#11522 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| golang.org/x/crypto \| `v0.14.0` -> `v0.17.0` \| [![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fcrypto/v0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fcrypto/v0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fcrypto/v0.14.0/v0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fcrypto/v0.14.0/v0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| ### GitHub Vulnerability Alerts #### [CVE-2023-48795](https://togithub.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8) ### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it. ### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. Warning: To take effect, both the client and server must support this countermeasure. As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available. ### Details The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario. The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange. In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers. For more details see [https://terrapin-attack.com](https://terrapin-attack.com). ### Impact This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario. --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy45My4xIiwidXBkYXRlZEluVmVyIjoiMzcuMTM1LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	1 year ago
Karsten Jeschkies	ee3cf4b3a0	Change ddsketch mapping to improve performance. (#11561 ) What this PR does / why we need it: We've found that the index mapping of our quantile over time approximation has a big impact on the CPU. Changing the implementation gives us around 50%. The mapping is used during the `At` calls to the iterator. ``` › benchstat logarithmic.log cubic.log sort.log pool.log goos: linux goarch: amd64 pkg: github.com/grafana/loki/pkg/logql cpu: AMD Ryzen 7 3700X 8-Core Processor │ logarithmic.log │ cubic.log │ sort.log │ pool.log │ │ sec/op │ sec/op vs base │ sec/op vs base │ sec/op vs base │ QuantileBatchRangeVectorIteratorAt/1-samples-16 819.7n ± 2% 1052.5n ± 5% +28.40% (p=0.002 n=6) 1055.0n ± 1% +28.71% (p=0.002 n=6) 303.7n ± 4% -62.96% (p=0.002 n=6) QuantileBatchRangeVectorIteratorAt/1000-samples-16 60.34µ ± 8% 49.32µ ± 13% -18.26% (p=0.002 n=6) 45.94µ ± 4% -23.86% (p=0.002 n=6) 24.97µ ± 3% -58.61% (p=0.002 n=6) QuantileBatchRangeVectorIteratorAt/100000-samples-16 3.032m ± 3% 1.319m ± 1% -56.50% (p=0.002 n=6) 1.316m ± 4% -56.58% (p=0.002 n=6) 1.278m ± 3% -57.86% (p=0.002 n=6) geomean 53.13µ 40.91µ -23.00% 39.96µ -24.79% 21.32µ -59.87% │ logarithmic.log │ cubic.log │ sort.log │ pool.log │ │ B/op │ B/op vs base │ B/op vs base │ B/op vs base │ QuantileBatchRangeVectorIteratorAt/1-samples-16 368.00 ± 0% 368.00 ± 0% ~ (p=1.000 n=6) ¹ 368.00 ± 0% ~ (p=1.000 n=6) ¹ 32.00 ± 0% -91.30% (p=0.002 n=6) QuantileBatchRangeVectorIteratorAt/1000-samples-16 4048.0 ± 0% 4048.0 ± 0% ~ (p=1.000 n=6) ¹ 3920.0 ± 0% -3.16% (p=0.002 n=6) 104.0 ± 0% -97.43% (p=0.002 n=6) QuantileBatchRangeVectorIteratorAt/100000-samples-16 6192.0 ± 0% 6192.0 ± 0% ~ (p=1.000 n=6) ¹ 5936.0 ± 0% -4.13% (p=0.002 n=6) 202.0 ± 5% -96.74% (p=0.002 n=6) geomean 2.048Ki 2.048Ki +0.00% 1.998Ki -2.45% 87.60 -95.82% ¹ all samples are equal │ logarithmic.log │ cubic.log │ sort.log │ pool.log │ │ allocs/op │ allocs/op vs base │ allocs/op vs base │ allocs/op vs base │ QuantileBatchRangeVectorIteratorAt/1-samples-16 8.000 ± 0% 8.000 ± 0% ~ (p=1.000 n=6) ¹ 8.000 ± 0% ~ (p=1.000 n=6) ¹ 2.000 ± 0% -75.00% (p=0.002 n=6) QuantileBatchRangeVectorIteratorAt/1000-samples-16 27.000 ± 0% 27.000 ± 0% ~ (p=1.000 n=6) ¹ 23.000 ± 0% -14.81% (p=0.002 n=6) 5.000 ± 0% -81.48% (p=0.002 n=6) QuantileBatchRangeVectorIteratorAt/100000-samples-16 42.000 ± 0% 42.000 ± 0% ~ (p=1.000 n=6) ¹ 34.000 ± 0% -19.05% (p=0.002 n=6) 9.000 ± 0% -78.57% (p=0.002 n=6) geomean 20.86 20.86 +0.00% 18.43 -11.65% 4.481 -78.51% ¹ all samples are equal ``` Checklist - [ ] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [ ] Documentation added - [x] Tests updated - [ ] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [ ] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`) - [ ] If the change is deprecating or removing a configuration option, update the `deprecated-config.yaml` and `deleted-config.yaml` files respectively in the `tools/deprecated-config-checker` directory. [Example PR](`0d4416a4b0`)	1 year ago
Paul Rogers	6c4699d8f7	Remove call to set default resolver (#11580 ) What this PR does / why we need it: Which issue(s) this PR fixes: Fixes #<issue number> Special notes for your reviewer: Checklist - [ ] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [ ] Documentation added - [ ] Tests updated - [ ] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [ ] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`) - [ ] If the change is deprecating or removing a configuration option, update the `deprecated-config.yaml` and `deleted-config.yaml` files respectively in the `tools/deprecated-config-checker` directory. [Example PR](`0d4416a4b0`)	1 year ago
Danny Kopping	76bf5053f2	Revendor gomemcache to import deadline fix (#11545 ) What this PR does / why we need it: See https://github.com/grafana/gomemcache/pull/16	1 year ago
Vladyslav Diachenko	9b691904ef	BloomShipper: add cache for downloaded blocks (#11394 ) adapted embeddedcache.go to store downloaded bloom blocks on local filesystem. What this PR does / why we need it: This cache will be used by bloom-gateway to not download the blocks each time. In the cache we store the objects(`cachedBlock` struct) that contain: 1. `blockDirectory`: the `path` to the directory where the block was extracted 2. `activeQueriers`: thread-safe counter of active block users. This field is important because we do not want the directory to be removed while it's in use. 3. rest fields are needed for service needs When the downloadingWorker receives this entity, it increases the counter `activeQueriers` and creates blockQuerier wrapper that has `Close` function that will decrease the counter once blockQuerier is not needed anymore. When the cache entry is being removed from the cache, the cache calls the function `removeDirectoryAsync` which asynchronously removes the block's folder. This function checks every `Xms` if there are still active block queriers and once `activeQueriers` count is `0` the folder will be removed. Also, there is a timeout in this function, and once the timeout is reached, the folder will be force removed. Special notes for your reviewer: * If the cache is disabled, then the blocks will be downloaded each time the block is requested. * If the cache is used, the folder will be deleted by embeddedCache when it reaches memory size limit or items count limit. Otherwise, the block's folder will be deleted when `Close` function is called. Checklist - [x] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [x] Documentation added - [x] Tests updated - [ ] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [ ] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`) - [ ] If the change is deprecating or removing a configuration option, update the `deprecated-config.yaml` and `deleted-config.yaml` files respectively in the `tools/deprecated-config-checker` directory. [Example PR](`0d4416a4b0`) --------- Signed-off-by: Vladyslav Diachenko <vlad.diachenko@grafana.com>	1 year ago
Robert Jacob	5270d10a7e	Fix minimum Go version for module (#11145 ) What this PR does / why we need it: The main module of Loki already uses features of Go 1.21 (`cmp` module, `context.WithTimeoutCause`), so it can't be built with Go versions lower than 1.21 anymore. The module file should reflect this. The `go.sum` file was updated automatically by the Go tool `go mod tidy` after updating the version. Special notes for your reviewer: Go 1.21 module files introduce a new `toolchain` attribute. I have set this to the currently available latest version. --------- Co-authored-by: Periklis Tsirakidis <periklis@redhat.com>	1 year ago
renovate[bot]	09cb9ae76f	fix(deps): update github.com/grafana/loki/pkg/push digest to `e523809` (main) (#11107 ) [![Mend Renovate logo banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/grafana/loki/pkg/push](https://togithub.com/grafana/loki) \| require \| digest \| `0a7737e` -> `e523809` \| --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMS41IiwidXBkYXRlZEluVmVyIjoiMzcuNTkuOCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
Sandeep Sukhani	e28f7f3363	update dskit to latest version (#11287 ) What this PR does / why we need it: Update dskit to latest version	2 years ago
renovate[bot]	fb9c496b21	fix(deps): update github.com/docker/go-plugins-helpers digest to 6eecb7b (main) (#10826 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/docker/go-plugins-helpers](https://togithub.com/docker/go-plugins-helpers) \| require \| digest \| `1e6269c` -> `6eecb7b` \| --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xOS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	99b975cde5	Update github.com/influxdata/go-syslog/v3 digest to 875f5bc (main) (#10856 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/influxdata/go-syslog/v3](https://togithub.com/influxdata/go-syslog) \| require \| digest \| `a1889d9` -> `875f5bc` \| --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zMS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	a02d686dd1	Update github.com/fluent/fluent-bit-go digest to a7a013e (main) (#10827 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/fluent/fluent-bit-go](https://togithub.com/fluent/fluent-bit-go) \| require \| digest \| `ea13c02` -> `a7a013e` \| --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zMS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	e65a3cce43	Update module github.com/docker/docker to v24.0.7+incompatible [SECURITY] (main) (#11084 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/docker/docker](https://togithub.com/docker/docker) \| require \| patch \| `v24.0.4+incompatible` -> `v24.0.7+incompatible` \| ### GitHub Vulnerability Alerts #### [GHSA-jq35-85cj-fj4p](https://togithub.com/moby/moby/security/advisories/GHSA-jq35-85cj-fj4p) Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via `sysfs`. As RAPL is an interface to access a hardware feature, it is only available when running on bare metal with the module compiled into the kernel. By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side-channel against security features including AES-NI (potentially inside a SGX enclave) and KASLR (kernel address space layout randomization). Also known as the [PLATYPUS attack](https://platypusattack.com/), Intel assigned [CVE-2020-8694](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694) and [CVE-2020-8695](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695), and AMD assigned [CVE-2020-12912](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12912). Several mitigations were applied; Intel reduced the sampling resolution via a microcode update, and the Linux kernel [prevents access by non-root users](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=949dd0104c496fa7c14991a23c03c62e44637e71) since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios: * Unless using user namespaces, root inside a container has the same level of privilege as root outside the container, but with a slightly more narrow view of the system * `sysfs` is mounted inside containers read-only; however only read access is needed to carry out this attack on an unpatched CPU While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments running directly on affected hardware. This is provided by masking `/sys/devices/virtual/powercap` in the default mount configuration, and adding an additional set of rules to deny it in the default AppArmor profile. While `sysfs` is not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such as `CAP_SYS_RAWIO` which is not available to containers by default, or `perf` paranoia level less than 1, which is a non-default kernel tunable. ## References * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12912 * https://platypusattack.com/ * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=949dd0104c496fa7c14991a23c03c62e44637e71 * https://web.eece.maine.edu/~vweaver/projects/rapl/ --- ### Release Notes <details> <summary>docker/docker (github.com/docker/docker)</summary> ### [`v24.0.7+incompatible`](https://togithub.com/docker/docker/compare/v24.0.6...v24.0.7) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.6...v24.0.7) ### [`v24.0.6+incompatible`](https://togithub.com/docker/docker/compare/v24.0.5...v24.0.6) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.5...v24.0.6) ### [`v24.0.5+incompatible`](https://togithub.com/docker/docker/compare/v24.0.4...v24.0.5) [Compare Source](https://togithub.com/docker/docker/compare/v24.0.4...v24.0.5) </details> --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMS41IiwidXBkYXRlZEluVmVyIjoiMzcuMzEuNSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	22ddbb672a	Update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.44.0 [SECURITY] (main) (#11002 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://togithub.com/open-telemetry/opentelemetry-go-contrib) \| indirect \| minor \| `v0.42.0` -> `v0.44.0` \| ### GitHub Vulnerability Alerts #### [CVE-2023-45142](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh) ### Summary This handler wrapper `5f7e6ad5a4/instrumentation/net/http/otelhttp/handler.go (L63-L65)` out of the box adds labels - `http.user_agent` - `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. ### Details HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses [httpconv.ServerRequest](https://togithub.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159) that records every value for HTTP [method](`38e1b499c3/semconv/internal/v2/http.go (L204)`) and [User-Agent](`38e1b499c3/semconv/internal/v2/http.go (L223)`). ### PoC Send many requests with long randomly generated HTTP methods or/and User agents (e.g. a million) and observe how memory consumption increases during it. ### Impact In order to be affected, the program has to configure a metrics pipeline, use [otelhttp.NewHandler](`5f7e6ad5a4/instrumentation/net/http/otelhttp/handler.go (L63-L65)`) wrapper, and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. ### Others It is similar to already reported vulnerabilities - https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh ([open-telemetry/opentelemetry-go-contrib](https://togithub.com/open-telemetry/opentelemetry-go-contrib)) - https://github.com/advisories/GHSA-cg3q-j54f-5p7p ([prometheus/client_golang](https://togithub.com/prometheus/client_golang)) ### Workaround for affected versions As a workaround to stop being affected [otelhttp.WithFilter()](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/filters) can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it. The other possibility is to disable HTTP metrics instrumentation by passing [`otelhttp.WithMeterProvider`](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp#WithMeterProvider) option with [`noop.NewMeterProvider`](https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider). ### Solution provided by upgrading In PR [https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277), released with package version 0.44.0, the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. ### References - [https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277) - https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0 --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xOS4yIiwidXBkYXRlZEluVmVyIjoiMzcuMzEuNSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	2327789b55	fix(deps): update github.com/grafana/gomemcache digest to 6947259 (main) (#10836 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/grafana/gomemcache](https://togithub.com/grafana/gomemcache) \| require \| digest \| `70d78ea` -> `6947259` \| --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zMS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	1fe48858ae	fix(deps): update github.com/joncrlsn/dque digest to c2ef48c (main) (#10947 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/joncrlsn/dque](https://togithub.com/joncrlsn/dque) \| require \| digest \| `956d141` -> `c2ef48c` \| --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xOS4yIiwidXBkYXRlZEluVmVyIjoiMzcuMzEuNSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	c66ffd125c	fix(deps): update github.com/c2h5oh/datasize digest to 859f65c (main) (#10820 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/c2h5oh/datasize](https://togithub.com/c2h5oh/datasize) \| require \| digest \| `28bbd47` -> `859f65c` \| --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zMS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	0695424f7d	fix(deps): update module google.golang.org/grpc [security] (main) (#11031 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [google.golang.org/grpc](https://togithub.com/grpc/grpc-go) \| require \| minor \| `v1.53.0` -> `v1.56.3` \| \| [google.golang.org/grpc](https://togithub.com/grpc/grpc-go) \| require \| patch \| `v1.58.2` -> `v1.58.3` \| ### GitHub Vulnerability Alerts #### [GHSA-m425-mq94-257g](https://togithub.com/grpc/grpc-go/security/advisories/GHSA-m425-mq94-257g) ### Impact In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. ### Patches This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0. Along with applying the patch, users should also ensure they are using the `grpc.MaxConcurrentStreams` server option to apply a limit to the server's resources used for any single connection. ### Workarounds None. ### References #6703 --- ### Release Notes <details> <summary>grpc/grpc-go (google.golang.org/grpc)</summary> ### [`v1.56.3`](https://togithub.com/grpc/grpc-go/releases/tag/v1.56.3): Release 1.56.3 [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.56.2...v1.56.3) ### Security - server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487) In addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work. ### [`v1.56.2`](https://togithub.com/grpc/grpc-go/releases/tag/v1.56.2): Release 1.56.2 [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.56.1...v1.56.2) - status: To fix a panic, `status.FromError` now returns an error with `codes.Unknown` when the error implements the `GRPCStatus()` method, and calling `GRPCStatus()` returns `nil`. ([#6374](https://togithub.com/grpc/grpc-go/issues/6374)) ### [`v1.56.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.56.1): Release 1.56.1 [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.56.0...v1.56.1) - client: handle empty address lists correctly in addrConn.updateAddrs ### [`v1.56.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.56.0): Release 1.56.0 [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.55.1...v1.56.0) ### New Features - client: support channel idleness using `WithIdleTimeout` dial option ([#6263](https://togithub.com/grpc/grpc-go/issues/6263)) - This feature is currently disabled by default, but will be enabled with a 30 minute default in the future. - client: when using pickfirst, keep channel state in TRANSIENT_FAILURE until it becomes READY ([gRFC A62](https://togithub.com/grpc/proposal/blob/master/A62-pick-first.md)) ([#6306](https://togithub.com/grpc/grpc-go/issues/6306)) - xds: Add support for Custom LB Policies ([gRFC A52](https://togithub.com/grpc/proposal/blob/master/A52-xds-custom-lb-policies.md)) ([#6224](https://togithub.com/grpc/grpc-go/issues/6224)) - xds: support pick_first Custom LB policy ([gRFC A62](https://togithub.com/grpc/proposal/blob/master/A62-pick-first.md)) ([#6314](https://togithub.com/grpc/grpc-go/issues/6314)) ([#6317](https://togithub.com/grpc/grpc-go/issues/6317)) - client: add support for pickfirst address shuffling ([gRFC A62](https://togithub.com/grpc/proposal/blob/master/A62-pick-first.md)) ([#6311](https://togithub.com/grpc/grpc-go/issues/6311)) - xds: Add support for String Matcher Header Matcher in RDS ([#6313](https://togithub.com/grpc/grpc-go/issues/6313)) - xds/outlierdetection: Add Channelz Logger to Outlier Detection LB ([#6145](https://togithub.com/grpc/grpc-go/issues/6145)) - Special Thanks: [@s-matyukevich](https://togithub.com/s-matyukevich) - xds: enable RLS in xDS by default ([#6343](https://togithub.com/grpc/grpc-go/issues/6343)) - orca: add support for application_utilization field and missing range checks on several metrics setters - balancer/weightedroundrobin: add new LB policy for balancing between backends based on their load reports ([gRFC A58](https://togithub.com/grpc/proposal/blob/master/A58-client-side-weighted-round-robin-lb-policy.md)) ([#6241](https://togithub.com/grpc/grpc-go/issues/6241)) - authz: add conversion of json to RBAC Audit Logging config ([#6192](https://togithub.com/grpc/grpc-go/issues/6192)) - authz: add support for stdout logger ([#6230](https://togithub.com/grpc/grpc-go/issues/6230) and [#6298](https://togithub.com/grpc/grpc-go/issues/6298)) - authz: support customizable audit functionality for authorization policy ([#6192](https://togithub.com/grpc/grpc-go/issues/6192) [#6230](https://togithub.com/grpc/grpc-go/issues/6230) [#6298](https://togithub.com/grpc/grpc-go/issues/6298) [#6158](https://togithub.com/grpc/grpc-go/issues/6158) [#6304](https://togithub.com/grpc/grpc-go/issues/6304) and [#6225](https://togithub.com/grpc/grpc-go/issues/6225)) ### Bug Fixes - orca: fix a race at startup of out-of-band metric subscriptions that would cause the report interval to request 0 ([#6245](https://togithub.com/grpc/grpc-go/issues/6245)) - xds/xdsresource: Fix Outlier Detection Config Handling and correctly set xDS Defaults ([#6361](https://togithub.com/grpc/grpc-go/issues/6361)) - xds/outlierdetection: Fix Outlier Detection Config Handling by setting defaults in ParseConfig() ([#6361](https://togithub.com/grpc/grpc-go/issues/6361)) ### API Changes - orca: allow a ServerMetricsProvider to be passed to the ORCA service and ServerOption ([#6223](https://togithub.com/grpc/grpc-go/issues/6223)) ### [`v1.55.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.55.1): Release 1.55.1 [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.55.0...v1.55.1) - status: To fix a panic, `status.FromError` now returns an error with `codes.Unknown` when the error implements the `GRPCStatus()` method, and calling `GRPCStatus()` returns `nil`. ([#6374](https://togithub.com/grpc/grpc-go/issues/6374)) ### [`v1.55.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.55.0): Release 1.55.0 [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.54.1...v1.55.0) ### Behavior Changes - xds: enable federation support by default ([#6151](https://togithub.com/grpc/grpc-go/issues/6151)) - status: `status.Code` and `status.FromError` handle wrapped errors ([#6031](https://togithub.com/grpc/grpc-go/issues/6031) and [#6150](https://togithub.com/grpc/grpc-go/issues/6150)) - Special Thanks: [@psyhatter](https://togithub.com/psyhatter) ### New Features - xds/xdsclient: support `ignore_resource_deletion` server feature as per gRFC [A53](https://togithub.com/grpc/proposal/blob/master/A53-xds-ignore-resource-deletion.md) ([#6035](https://togithub.com/grpc/grpc-go/issues/6035)) - security/advancedtls: add min/max TLS version selection options ([#6007](https://togithub.com/grpc/grpc-go/issues/6007)) - Special Thanks: [@joeljeske](https://togithub.com/joeljeske) ### Bug Fixes - xds: stop routing RPCs to deleted clusters ([#6125](https://togithub.com/grpc/grpc-go/issues/6125)) - client: fix race between stream creation and GOAWAY receipt, which could lead to spurious UNAVAILABLE stream errors ([#6142](https://togithub.com/grpc/grpc-go/issues/6142)) ### Performance Improvements - server: improve stream handler goroutine worker allocation when [`NumStreamWorkers`](https://pkg.go.dev/google.golang.org/grpc#NumStreamWorkers) is used ([#6004](https://togithub.com/grpc/grpc-go/issues/6004)) - Special Thanks: [@SaveTheRbtz](https://togithub.com/SaveTheRbtz) ### [`v1.54.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.54.1): Release 1.54.1 [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.54.0...v1.54.1) ### Bug Fixes - credentials/alts: revert a change that causes a crash in the handshaker ### [`v1.54.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.54.0): Release 1.54.0 [Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.53.0...v1.54.0) ### Behavior Changes - xds: remove support for xDS v2 transport API ([#6013](https://togithub.com/grpc/grpc-go/issues/6013)) ### New Features - server: expose `SetSendCompressor` API to set send compressor name ([#5744](https://togithub.com/grpc/grpc-go/issues/5744)) - Special Thanks: [@jronak](https://togithub.com/jronak) - xdsclient: include `Node` proto only in the first discovery request message, to improve performance ([#6078](https://togithub.com/grpc/grpc-go/issues/6078)) ### Bug Fixes - metadata: fix validation logic and properly validate metadata appended via `AppendToOutgoingContext` ([#6001](https://togithub.com/grpc/grpc-go/issues/6001)) - Special Thanks: [@ktalg](https://togithub.com/ktalg) - transport: do not close connections when we encounter I/O errors until after all data is consumed ([#6110](https://togithub.com/grpc/grpc-go/issues/6110)) - ringhash: ensure addresses are consistently hashed across updates ([#6066](https://togithub.com/grpc/grpc-go/issues/6066)) - xds/clusterimpl: fix a bug causing unnecessary closing and re-opening of LRS streams ([#6112](https://togithub.com/grpc/grpc-go/issues/6112)) - xds: NACK route configuration if sum of weights of weighted clusters exceeds uint32\_max ([#6085](https://togithub.com/grpc/grpc-go/issues/6085)) ### Documentation - resolver: update `Resolver.Scheme()` docstring to mention requirement of lowercase scheme names ([#6014](https://togithub.com/grpc/grpc-go/issues/6014)) - resolver: document expected error handling of `UpdateState` errors ([#6002](https://togithub.com/grpc/grpc-go/issues/6002)) - Special Thanks: [@fho](https://togithub.com/fho) - examples: add example for ORCA load reporting ([#6114](https://togithub.com/grpc/grpc-go/issues/6114)) - examples: add an example to illustrate authorization (authz) support ([#5920](https://togithub.com/grpc/grpc-go/issues/5920)) - Special Thanks: [@KenxinKun](https://togithub.com/KenxinKun) </details> --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMS41IiwidXBkYXRlZEluVmVyIjoiMzcuMzEuNSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
Salva Corts	52a3f16039	Flag categorize labels on streams response (#10419 ) We recently introduced support for ingesting and querying structured metadata in Loki. This adds a new dimension to Loki's labels since now we arguably have three categories of labels: _stream_, _structured metadata_, and _parsed_ labels. Depending on the origin of the labels, they should be used in LogQL expressions differently to achieve optimal performance. _stream_ labels should be added to stream matchers, _structured metadata_ labels should be used in a filter expression before any parsing expression, and _parsed_ labels should be placed after the parser expression extracting them. The Grafana UI has a hard time dealing with this same problem. Before https://github.com/grafana/grafana/pull/73955, the filtering functionality in Grafana was broken since it was not able to distinguish between _stream_ and _structured metadata_ labels. Also, as soon as a parser expression was added to the query, filters added by Grafana would be appended to the end of the query regardless of the label category. The PR above implements a workaround for this problem but needs a better API on Loki's end to mitigate all corner cases. Loki currently returns the following JSON for log queries: ```json ... { "stream": { "cluster": "us-central", "container": "query-frontend", "namespace": "loki", "level": "info", "traceID": "68810cf0c94bfcca" }, "values": [ [ "1693996529000222496", "1693996529000222496 aaaaaaaaa.....\n" ], ... }, { "stream": { "cluster": "us-central", "container": "query-frontend", "namespace": "loki", "level": "debug", "traceID": "a7116cj54c4bjz8s" }, "values": [ [ "1693996529000222497", "1693996529000222497 bbbbbbbbb.....\n" ], ... }, ... ``` As can be seen, there is no way we can distinguish the category of each label. This PR introduces a new flag `X-Loki-Response-Encoding-Flags: categorize-labels` that makes Loki return categorized labels as follows: ```json ... { "stream": { "cluster": "us-central", "container": "query-frontend", "namespace": "loki", }, "values": [ [ "1693996529000222496", "1693996529000222496 aaaaaaaaa.....\n", { "structuredMetadata": { "traceID": "68810cf0c94bfcca" }, "parsed": { "level": "info" } } ], [ "1693996529000222497", "1693996529000222497 bbbbbbbbb.....\n", { "structuredMetadata": { "traceID": "a7116cj54c4bjz8s" }, "parsed": { "level": "debug" } } ], ... }, ... ``` Note that this PR only supports log queries, not metric queries. From a UX perspective, being able to categorize labels in metric queries doesn't have any benefit yet. Having said that, supporting this for metric queries would require some minor refactoring on top of what has been implemented here. If we decide to do that, I think we should do it on a separate PR to avoid making this PR even larger. I also decided to leave out support for Tail queries to avoid making this PR even larger. Once this one gets merged, we can work to support tailing. --- Note to reviewers This PR is huge since we need to forward categorized all over the codebase (from parsing logs all the way to marshaling), fortunately, many of the changes come from updating tests and refactoring iterators. Tested out in a dev cell with query `'{stream="stdout"} \| label_format new="text"`. - Without the new flag: ``` $ http http://127.0.0.1:3100/loki/api/v1/query_range\?direction\=BACKWARD\&end\=1693996529322486000\&limit\=30\&query\=%7Bstream%3D%22stdout%22%7D+%7C+label_format+new%3D%22text%22\&start\=1693992929322486000 X-Scope-Orgid:REDACTED { "data": { "result": [ { "stream": { "new": "text", "pod": "loki-canary-986bd6f4b-xqmb7", "stream": "stdout" }, "values": [ [ "1693996529000222496", "1693996529000222496 pppppppppppp...\n" ], [ "1693996528499160852", "1693996528499160852 pppppppppppp...\n" ], ... ``` - With the new flag ``` $ http http://127.0.0.1:3100/loki/api/v1/query_range\?direction\=BACKWARD\&end\=1693996529322486000\&limit\=30\&query\=%7Bstream%3D%22stdout%22%7D+%7C+label_format+new%3D%22text%22\&start\=1693992929322486000 X-Scope-Orgid:REDACTED X-Loki-Response-Encoding-Flags:categorize-labels { "data": { "encodingFlags": [ "categorize-labels" ], "result": [ { "stream": { "pod": "loki-canary-986bd6f4b-xqmb7", "stream": "stdout" }, "values": [ [ "1693996529000222496", "1693996529000222496 pppppppppppp...\n", { "parsed": { "new": "text" } } ], [ "1693996528499160852", "1693996528499160852 pppppppppppp...\n", { "parsed": { "new": "text" } } ], ... ```	2 years ago
Sandeep Sukhani	6069df8f7d	ingestion: native otlp ingestion support (#10727 ) What this PR does / why we need it: Add support for natively supporting logs ingestion in OTLP format. `/otlp/v1/logs` is the new endpoint where users can push logs in OTLP format. It accepts logs serialized in JSON or proto format. Since OTEL format is very different than what Loki storage model, here is how data in OTEL format will be mapped to Loki data model: * Index labels: The Resource Attributes map quite well to Index labels in Loki since both usually identify the source of the logs. The problem however is that Resource attributes in OTLP can have an unbounded number of values while Loki has a default limit of having up to 30 labels. Since Index labels in Loki can largely drive the kind of querying experience the users are going to have, we have chosen select attributes which would be picked as Index Labels. The ones that are not picked up as Index labels would be stored as Structured Metadata with each log entry. * Timestamp: LogRecord.TimeUnixNano * LogLine: LogRecord.Body holds the body of the log. However, since Loki only supports Log body in string format, we will stringify non-string values using [AsString method from OTEL collector lib](`ab3d6c5b64/pdata/pcommon/value.go (L353)`). * Structured Metadata: Anything which can’t be stored in Index labels and LogLine. Here is a non-exhaustive list of what will be stored in Structured Metadata to give a sense of what it will hold: * Resource Attributes not stored as Index labels is replicated and stored with each log entry. * Everything under InstrumentationScope is replicated and stored with each log entry. * Everything under LogRecord except LogRecord.Body, LogRecord.TimeUnixNano and sometimes LogRecord.ObservedTimestamp. NOTES: * Since Loki does not support `.` or any other special characters other than `_` in label names, we replace all non-supported characters with `_`. * Since Loki only supports string in values of Index Labels and Structured Metadata, all the complex types are converted as follows: * Map would be flattened into label keys using `_` as separator, same as how we do it in [json parser in LogQL](https://grafana.com/docs/loki/latest/query/log_queries/#json). * Everything else is stringified using [AsString method from OTEL collector lib](`ab3d6c5b64/pdata/pcommon/value.go (L353)`) Special notes for your reviewer: I will open follow-up PRs for: * Documentation * Make blessed attributes list configurable per tenant. Checklist - [x] Tests updated - [x] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label	2 years ago
Christian Haudum	27411cff08	Introduce worker queue in bloom gateway (#10976 ) Instead of calling the bloom store directly on each and every request to filter chunk refs based on the given filters, we want to queue requests in per-tenant queues and process batches of requests that can be multiplexed to avoid excessive seeking in the bloom block queriers when checking chunk matches. This PR re-uses the request queue implementation used in the query scheduler. To do so, it moves the queue related code from the scheduler into a separate package `pkg/queue` and renames occurrences of "querier" to "consumer" to be more generic. The bloom gateway instantiates the request queue when starting the service. The gRPC method `FilterChunkRefs` then enqueues incoming requests to that queue. Special notes for your reviewer: For testing purposes, this PR also contains a dummy implementation of the workers. The worker implementation - which includes multiplexing of multiple tasks - is subject to a separate PR. --------- Signed-off-by: Christian Haudum <christian.haudum@gmail.com>	2 years ago
renovate[bot]	9474be0fef	Update module github.com/hashicorp/consul to v1.14.5 [SECURITY] (main) (#10830 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) \| replace \| minor \| `v1.5.1` -> `v1.14.5` \| --- ### Denial of Service (DoS) in HashiCorp Consul [CVE-2020-7219](https://nvd.nist.gov/vuln/detail/CVE-2020-7219) / [GHSA-23jv-v6qj-3fhh](https://togithub.com/advisories/GHSA-23jv-v6qj-3fhh) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. ##### Specific Go Packages Affected github.com/hashicorp/consul/agent/consul #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-7219](https://nvd.nist.gov/vuln/detail/CVE-2020-7219) - [https://github.com/hashicorp/consul/issues/7159](https://togithub.com/hashicorp/consul/issues/7159) - [https://www.hashicorp.com/blog/category/consul/](https://www.hashicorp.com/blog/category/consul/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-23jv-v6qj-3fhh) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Incorrect Authorization in HashiCorp Consul [CVE-2020-7955](https://nvd.nist.gov/vuln/detail/CVE-2020-7955) / [GHSA-r9w6-rhh9-7v53](https://togithub.com/advisories/GHSA-r9w6-rhh9-7v53) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-7955](https://nvd.nist.gov/vuln/detail/CVE-2020-7955) - [https://github.com/hashicorp/consul/issues/7160](https://togithub.com/hashicorp/consul/issues/7160) - [https://www.hashicorp.com/blog/category/consul/](https://www.hashicorp.com/blog/category/consul/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-r9w6-rhh9-7v53) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Allocation of Resources Without Limits or Throttling in Hashicorp Consul [CVE-2020-13250](https://nvd.nist.gov/vuln/detail/CVE-2020-13250) / [GHSA-rqjq-mrgx-85hp](https://togithub.com/advisories/GHSA-rqjq-mrgx-85hp) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. ##### Specific Go Packages Affected github.com/hashicorp/consul/agent/config ##### Fix The vulnerability is fixed in versions 1.6.6 and 1.7.4. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-13250](https://nvd.nist.gov/vuln/detail/CVE-2020-13250) - [https://github.com/hashicorp/consul/pull/8023](https://togithub.com/hashicorp/consul/pull/8023) - [`72f92ae7ca`) - [https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md](https://togithub.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md) - [https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md](https://togithub.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-rqjq-mrgx-85hp) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul Cross-site Scripting vulnerability [CVE-2020-25864](https://nvd.nist.gov/vuln/detail/CVE-2020-25864) / [GHSA-8xmx-h8rq-h94j](https://togithub.com/advisories/GHSA-8xmx-h8rq-h94j) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. #### Severity - CVSS Score: 6.1 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2020-25864](https://nvd.nist.gov/vuln/detail/CVE-2020-25864) - [https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368](https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8xmx-h8rq-h94j) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul Privilege Escalation Vulnerability [CVE-2021-37219](https://nvd.nist.gov/vuln/detail/CVE-2021-37219) / [GHSA-ccw8-7688-vqx4](https://togithub.com/advisories/GHSA-ccw8-7688-vqx4) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. #### Severity - CVSS Score: 8.8 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-37219](https://nvd.nist.gov/vuln/detail/CVE-2021-37219) - [https://github.com/hashicorp/consul/pull/10925](https://togithub.com/hashicorp/consul/pull/10925) - [`3357e57dac`) - [`473edd1764`) - [`ccf8eb1947`) - [https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024](https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-ccw8-7688-vqx4) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. [CVE-2021-38698](https://nvd.nist.gov/vuln/detail/CVE-2021-38698) / [GHSA-6hw5-6gcx-phmw](https://togithub.com/advisories/GHSA-6hw5-6gcx-phmw) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. #### Severity - CVSS Score: 6.5 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-38698](https://nvd.nist.gov/vuln/detail/CVE-2021-38698) - [https://github.com/hashicorp/consul/pull/10824](https://togithub.com/hashicorp/consul/pull/10824) - [https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026](https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6hw5-6gcx-phmw) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector [CVE-2022-29153](https://nvd.nist.gov/vuln/detail/CVE-2022-29153) / [GHSA-q6h7-4qgw-2j9p](https://togithub.com/advisories/GHSA-q6h7-4qgw-2j9p) <details> <summary>More information</summary> #### Details A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-29153](https://nvd.nist.gov/vuln/detail/CVE-2022-29153) - [https://discuss.hashicorp.com](https://discuss.hashicorp.com) - [https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/](https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/) - [https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393](https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://security.netapp.com/advisory/ntap-20220602-0005/](https://security.netapp.com/advisory/ntap-20220602-0005/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-q6h7-4qgw-2j9p) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hashicorp Consul Missing SSL Certificate Validation [CVE-2021-32574](https://nvd.nist.gov/vuln/detail/CVE-2021-32574) / [GHSA-25gf-8qrr-g78r](https://togithub.com/advisories/GHSA-25gf-8qrr-g78r) <details> <summary>More information</summary> #### Details HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-32574](https://nvd.nist.gov/vuln/detail/CVE-2021-32574) - [https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856](https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856) - [https://github.com/hashicorp/consul/releases/tag/v1.10.1](https://togithub.com/hashicorp/consul/releases/tag/v1.10.1) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-25gf-8qrr-g78r) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul L7 deny intention results in an allow action [CVE-2021-36213](https://nvd.nist.gov/vuln/detail/CVE-2021-36213) / [GHSA-8h2g-r292-j8xh](https://togithub.com/advisories/GHSA-8h2g-r292-j8xh) <details> <summary>More information</summary> #### Details In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2021-36213](https://nvd.nist.gov/vuln/detail/CVE-2021-36213) - [https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855](https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855) - [https://github.com/hashicorp/consul/](https://togithub.com/hashicorp/consul/) - [https://github.com/hashicorp/consul/releases/tag/v1.10.1](https://togithub.com/hashicorp/consul/releases/tag/v1.10.1) - [https://security.gentoo.org/glsa/202208-09](https://security.gentoo.org/glsa/202208-09) - [https://www.hashicorp.com/blog/category/consul](https://www.hashicorp.com/blog/category/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8h2g-r292-j8xh) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HashiCorp Consul vulnerable to authorization bypass [CVE-2022-40716](https://nvd.nist.gov/vuln/detail/CVE-2022-40716) / [GHSA-m69r-9g56-7mv8](https://togithub.com/advisories/GHSA-m69r-9g56-7mv8) <details> <summary>More information</summary> #### Details HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This issue has been fixed in versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds. #### Severity - CVSS Score: 6.5 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-40716](https://nvd.nist.gov/vuln/detail/CVE-2022-40716) - [https://github.com/hashicorp/consul/pull/14579](https://togithub.com/hashicorp/consul/pull/14579) - [`8f6fb4f6fe`) - [https://discuss.hashicorp.com](https://discuss.hashicorp.com) - [https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628](https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m69r-9g56-7mv8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Hashicorp Consul vulnerable to denial of service [CVE-2023-1297](https://nvd.nist.gov/vuln/detail/CVE-2023-1297) / [GHSA-c57c-7hrj-6q6v](https://togithub.com/advisories/GHSA-c57c-7hrj-6q6v) <details> <summary>More information</summary> #### Details Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3 #### Severity - CVSS Score: 4.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2023-1297](https://nvd.nist.gov/vuln/detail/CVE-2023-1297) - [https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515](https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515) - [https://github.com/hashicorp/consul](https://togithub.com/hashicorp/consul) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-c57c-7hrj-6q6v) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>hashicorp/consul (github.com/hashicorp/consul)</summary> ### [`v1.14.5`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.5) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.4...v1.14.5) #### 1.14.5 (March 7, 2023) SECURITY: - Upgrade to use Go 1.20.1. This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`. \[[GH-16263](https://togithub.com/hashicorp/consul/issues/16263)] IMPROVEMENTS: - container: Upgrade container image to use to Alpine 3.17. \[[GH-16358](https://togithub.com/hashicorp/consul/issues/16358)] - mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable \[[GH-16495](https://togithub.com/hashicorp/consul/issues/16495)] BUG FIXES: - mesh: Fix resolution of service resolvers with subsets for external upstreams \[[GH-16499](https://togithub.com/hashicorp/consul/issues/16499)] - peering: Fix bug where services were incorrectly imported as connect-enabled. \[[GH-16339](https://togithub.com/hashicorp/consul/issues/16339)] - peering: Fix issue where mesh gateways would use the wrong address when contacting a remote peer with the same datacenter name. \[[GH-16257](https://togithub.com/hashicorp/consul/issues/16257)] - peering: Fix issue where secondary wan-federated datacenters could not be used as peering acceptors. \[[GH-16230](https://togithub.com/hashicorp/consul/issues/16230)] - proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services \[[GH-16498](https://togithub.com/hashicorp/consul/issues/16498)] ### [`v1.14.4`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.4) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.3...v1.14.4) #### 1.14.4 (January 26, 2023) BREAKING CHANGES: - connect: Fix configuration merging for transparent proxy upstreams. Proxy-defaults and service-defaults config entries were not correctly merged for implicit upstreams in transparent proxy mode and would result in some configuration not being applied. To avoid issues when upgrading, ensure that any proxy-defaults or service-defaults have correct configuration for upstreams, since all fields will now be properly used to configure proxies. \[[GH-16000](https://togithub.com/hashicorp/consul/issues/16000)] - peering: Newly created peering connections must use only lowercase characters in the `name` field. Existing peerings with uppercase characters will not be modified, but they may encounter issues in various circumstances. To maintain forward compatibility and avoid issues, it is recommended to destroy and re-create any invalid peering connections so that they do not have a name containing uppercase characters. \[[GH-15697](https://togithub.com/hashicorp/consul/issues/15697)] FEATURES: - connect: add flags `envoy-ready-bind-port` and `envoy-ready-bind-address` to the `consul connect envoy` command that allows configuration of readiness probe on proxy for any service kind. \[[GH-16015](https://togithub.com/hashicorp/consul/issues/16015)] - deps: update to latest go-discover to provide ECS auto-discover capabilities. \[[GH-13782](https://togithub.com/hashicorp/consul/issues/13782)] IMPROVEMENTS: - acl: relax permissions on the `WatchServers`, `WatchRoots` and `GetSupportedDataplaneFeatures` gRPC endpoints to accept any valid ACL token \[[GH-15346](https://togithub.com/hashicorp/consul/issues/15346)] - connect: Add support for ConsulResolver to specifies a filter expression \[[GH-15659](https://togithub.com/hashicorp/consul/issues/15659)] - grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. \[[GH-15701](https://togithub.com/hashicorp/consul/issues/15701)] - partition: (Consul Enterprise only) when loading service from on-disk config file or sending API request to agent endpoint, if the partition is unspecified, consul will default the partition in the request to agent's partition \[[GH-16024](https://togithub.com/hashicorp/consul/issues/16024)] BUG FIXES: - agent: Fix assignment of error when auto-reloading cert and key file changes. \[[GH-15769](https://togithub.com/hashicorp/consul/issues/15769)] - agent: Fix issue where the agent cache would incorrectly mark protobuf objects as updated. \[[GH-15866](https://togithub.com/hashicorp/consul/issues/15866)] - cli: Fix issue where `consul connect envoy` was unable to configure TLS over unix-sockets to gRPC. \[[GH-15913](https://togithub.com/hashicorp/consul/issues/15913)] - connect: (Consul Enterprise only) Fix issue where upstream configuration from proxy-defaults and service-defaults was not properly merged. This could occur when a mixture of empty-strings and "default" were used for the namespace or partition fields. - connect: Fix issue where service-resolver protocol checks incorrectly errored for failover peer targets. \[[GH-15833](https://togithub.com/hashicorp/consul/issues/15833)] - connect: Fix issue where watches on upstream failover peer targets did not always query the correct data. \[[GH-15865](https://togithub.com/hashicorp/consul/issues/15865)] - xds: fix bug where sessions for locally-managed services could fail with "this server has too many xDS streams open" \[[GH-15789](https://togithub.com/hashicorp/consul/issues/15789)] ### [`v1.14.3`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.3) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.2...v1.14.3) #### 1.14.3 (December 13, 2022) SECURITY: - Upgrade to use Go 1.19.4. This resolves a vulnerability where restricted files can be read on Windows. [CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720) \[[GH-15705](https://togithub.com/hashicorp/consul/issues/15705)] - Upgrades `golang.org/x/net` to prevent a denial of service by excessive memory usage caused by HTTP2 requests. [CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717) \[[GH-15737](https://togithub.com/hashicorp/consul/issues/15737)] FEATURES: - ui: Add field for fallback server addresses to peer token generation form \[[GH-15555](https://togithub.com/hashicorp/consul/issues/15555)] IMPROVEMENTS: - connect: ensure all vault connect CA tests use limited privilege tokens \[[GH-15669](https://togithub.com/hashicorp/consul/issues/15669)] BUG FIXES: - agent: (Enterprise Only) Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions. - connect: Fix issue where DialedDirectly configuration was not used by Consul Dataplane. \[[GH-15760](https://togithub.com/hashicorp/consul/issues/15760)] - connect: Fix peering failovers ignoring local mesh gateway configuration. \[[GH-15690](https://togithub.com/hashicorp/consul/issues/15690)] - connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs \[[GH-15661](https://togithub.com/hashicorp/consul/issues/15661)] ### [`v1.14.2`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.2) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.1...v1.14.2) #### 1.14.2 (November 30, 2022) FEATURES: - connect: Add local_idle_timeout_ms to allow configuring the Envoy route idle timeout on local_app connect: Add IdleTimeout to service-router to allow configuring the Envoy route idle timeout \[[GH-14340](https://togithub.com/hashicorp/consul/issues/14340)] - snapshot: (Enterprise Only) Add support for the snapshot agent to use an IAM role for authentication/authorization when managing snapshots in S3. IMPROVEMENTS: - dns: Add support for cluster peering `.service` and `.node` DNS queries. \[[GH-15596](https://togithub.com/hashicorp/consul/issues/15596)] BUG FIXES: - acl: avoid debug log spam in secondary datacenter servers due to management token not being initialized. \[[GH-15610](https://togithub.com/hashicorp/consul/issues/15610)] - agent: Fixed issue where blocking queries with short waits could timeout on the client \[[GH-15541](https://togithub.com/hashicorp/consul/issues/15541)] - ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty \[[GH-15525](https://togithub.com/hashicorp/consul/issues/15525)] - cli: (Enterprise Only) Fix issue where `consul partition update` subcommand was not registered and therefore not available through the cli. - connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs \[[GH-15217](https://togithub.com/hashicorp/consul/issues/15217)] \[[GH-15253](https://togithub.com/hashicorp/consul/issues/15253)] - namespace: (Enterprise Only) Fix a bug that caused blocking queries during namespace replication to timeout - peering: better represent non-passing states during peer check flattening \[[GH-15615](https://togithub.com/hashicorp/consul/issues/15615)] - peering: fix the limit of replication gRPC message; set to 8MB \[[GH-15503](https://togithub.com/hashicorp/consul/issues/15503)] ### [`v1.14.1`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.1) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.14.0...v1.14.1) #### 1.14.1 (November 21, 2022) BUG FIXES: - cli: Fix issue where `consul connect envoy` incorrectly uses the HTTPS API configuration for xDS connections. \[[GH-15466](https://togithub.com/hashicorp/consul/issues/15466)] - sdk: Fix SDK testutil backwards compatibility by only configuring grpc_tls port for new Consul versions. \[[GH-15423](https://togithub.com/hashicorp/consul/issues/15423)] ### [`v1.14.0`](https://togithub.com/hashicorp/consul/releases/tag/v1.14.0) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.9...v1.14.0) #### 1.14.0 (November 15, 2022) BREAKING CHANGES: - config: Add new `ports.grpc_tls` configuration option. Introduce a new port to better separate TLS config from the existing `ports.grpc` config. The new `ports.grpc_tls` only supports TLS encrypted communication. The existing `ports.grpc` now only supports plain-text communication. \[[GH-15339](https://togithub.com/hashicorp/consul/issues/15339)] - config: update 1.14 config defaults: Enable `peering` and `connect` by default. \[[GH-15302](https://togithub.com/hashicorp/consul/issues/15302)] - config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 \[[GH-15302](https://togithub.com/hashicorp/consul/issues/15302)] - connect: Removes support for Envoy 1.20 \[[GH-15093](https://togithub.com/hashicorp/consul/issues/15093)] - peering: Rename `PeerName` to `Peer` on prepared queries and exported services. \[[GH-14854](https://togithub.com/hashicorp/consul/issues/14854)] - xds: Convert service mesh failover to use Envoy's aggregate clusters. This changes the names of some [Envoy dynamic HTTP metrics](https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats#dynamic-http-statistics). \[[GH-14178](https://togithub.com/hashicorp/consul/issues/14178)] SECURITY: - Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints [CVE-2022-3920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3920) \[[GH-15356](https://togithub.com/hashicorp/consul/issues/15356)] FEATURES: - DNS-proxy support via gRPC request. \[[GH-14811](https://togithub.com/hashicorp/consul/issues/14811)] - cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. \[[GH-14933](https://togithub.com/hashicorp/consul/issues/14933)] - cli: Add `-consul-dns-port` flag to the `consul connect redirect-traffic` command to allow forwarding DNS traffic to a specific Consul DNS port. \[[GH-15050](https://togithub.com/hashicorp/consul/issues/15050)] - connect: Add Envoy connection balancing configuration fields. \[[GH-14616](https://togithub.com/hashicorp/consul/issues/14616)] - grpc: Added metrics for external gRPC server. Added `server_type=internal\|external` label to gRPC metrics. \[[GH-14922](https://togithub.com/hashicorp/consul/issues/14922)] - http: Add new `get-or-empty` operation to the txn api. Refer to the [API docs](https://www.consul.io/api-docs/txn#kv-operations) for more information. \[[GH-14474](https://togithub.com/hashicorp/consul/issues/14474)] - peering: Add mesh gateway local mode support for cluster peering. \[[GH-14817](https://togithub.com/hashicorp/consul/issues/14817)] - peering: Add support for stale queries for trust bundle lookups \[[GH-14724](https://togithub.com/hashicorp/consul/issues/14724)] - peering: Add support to failover to services running on cluster peers. \[[GH-14396](https://togithub.com/hashicorp/consul/issues/14396)] - peering: Add support to redirect to services running on cluster peers with service resolvers. \[[GH-14445](https://togithub.com/hashicorp/consul/issues/14445)] - peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. \[[GH-14797](https://togithub.com/hashicorp/consul/issues/14797)] - peering: add support for routine peering control-plane traffic through mesh gateways \[[GH-14981](https://togithub.com/hashicorp/consul/issues/14981)] - sdk: Configure `iptables` to forward DNS traffic to a specific DNS port. \[[GH-15050](https://togithub.com/hashicorp/consul/issues/15050)] - telemetry: emit memberlist size metrics and broadcast queue depth metric. \[[GH-14873](https://togithub.com/hashicorp/consul/issues/14873)] - ui: Added support for central config merging \[[GH-14604](https://togithub.com/hashicorp/consul/issues/14604)] - ui: Create peerings detail page \[[GH-14947](https://togithub.com/hashicorp/consul/issues/14947)] - ui: Detect a TokenSecretID cookie and passthrough to localStorage \[[GH-14495](https://togithub.com/hashicorp/consul/issues/14495)] - ui: Display notice banner on nodes index page if synthetic nodes are being filtered. \[[GH-14971](https://togithub.com/hashicorp/consul/issues/14971)] - ui: Filter agentless (synthetic) nodes from the nodes list page. \[[GH-14970](https://togithub.com/hashicorp/consul/issues/14970)] - ui: Filter out node health checks on agentless service instances \[[GH-14986](https://togithub.com/hashicorp/consul/issues/14986)] - ui: Remove node meta on service instances when using agentless and consolidate external-source labels on service instances page if they all match. \[[GH-14921](https://togithub.com/hashicorp/consul/issues/14921)] - ui: Removed reference to node name on service instance page when using agentless \[[GH-14903](https://togithub.com/hashicorp/consul/issues/14903)] - ui: Use withCredentials for all HTTP API requests \[[GH-14343](https://togithub.com/hashicorp/consul/issues/14343)] - xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers \[[GH-14397](https://togithub.com/hashicorp/consul/issues/14397)] IMPROVEMENTS: - peering: Add peering datacenter and partition to initial handshake. \[[GH-14889](https://togithub.com/hashicorp/consul/issues/14889)] - xds: Added a rate limiter to the delivery of proxy config updates, to prevent updates to "global" resources such as wildcard intentions from overwhelming servers (see: `xds.update_max_per_second` config field) \[[GH-14960](https://togithub.com/hashicorp/consul/issues/14960)] - xds: Removed a bottleneck in Envoy config generation, enabling a higher number of dataplanes per server \[[GH-14934](https://togithub.com/hashicorp/consul/issues/14934)] - agent/hcp: add initial HashiCorp Cloud Platform integration \[[GH-14723](https://togithub.com/hashicorp/consul/issues/14723)] - agent: Added configuration option cloud.scada_address. \[[GH-14936](https://togithub.com/hashicorp/consul/issues/14936)] - api: Add filtering support to Catalog's List Services (v1/catalog/services) \[[GH-11742](https://togithub.com/hashicorp/consul/issues/11742)] - api: Increase max number of operations inside a transaction for requests to /v1/txn (128) \[[GH-14599](https://togithub.com/hashicorp/consul/issues/14599)] - auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. \[[GH-15370](https://togithub.com/hashicorp/consul/issues/15370)] - config-entry: Validate that service-resolver `Failover`s and `Redirect`s only specify `Partition` and `Namespace` on Consul Enterprise. This prevents scenarios where OSS Consul would save service-resolvers that require Consul Enterprise. \[[GH-14162](https://togithub.com/hashicorp/consul/issues/14162)] - connect: Add Envoy 1.24.0 to support matrix \[[GH-15093](https://togithub.com/hashicorp/consul/issues/15093)] - connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 \[[GH-14831](https://togithub.com/hashicorp/consul/issues/14831)] - connect: service-router destinations have gained a `RetryOn` field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists. \[[GH-12890](https://togithub.com/hashicorp/consul/issues/12890)] - dns/peering: (Enterprise Only) Support addresses in the formats `<servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul` and `<servicename>.virtual.<partition>.ap.<peername>.peer.consul`. This longer form address that allows specifying `.peer` would need to be used for tproxy DNS requests made within non-default partitions for imported services. - dns: (Enterprise Only) All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: `[<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>`. \[[GH-14679](https://togithub.com/hashicorp/consul/issues/14679)] - integ test: fix flakiness due to test condition from retry app endoint \[[GH-15233](https://togithub.com/hashicorp/consul/issues/15233)] - metrics: Service RPC calls less than 1ms are now emitted as a decimal number. \[[GH-12905](https://togithub.com/hashicorp/consul/issues/12905)] - peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters. \[[GH-14556](https://togithub.com/hashicorp/consul/issues/14556)] - peering: require TLS for peering connections using server cert signed by Connect CA \[[GH-14796](https://togithub.com/hashicorp/consul/issues/14796)] - peering: return information about the health of the peering when the leader is queried to read a peering. \[[GH-14747](https://togithub.com/hashicorp/consul/issues/14747)] - raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Fix a race condition where the snapshot file is closed without being opened \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - telemetry: Added a `consul.xds.server.streamStart` metric to measure time taken to first generate xDS resources for an xDS stream. \[[GH-14957](https://togithub.com/hashicorp/consul/issues/14957)] - ui: Improve guidance around topology visualisation \[[GH-14527](https://togithub.com/hashicorp/consul/issues/14527)] - xds: Set `max_ejection_percent` on Envoy's outlier detection to 100% for peered services. \[[GH-14373](https://togithub.com/hashicorp/consul/issues/14373)] BUG FIXES: - checks: Do not set interval as timeout value \[[GH-14619](https://togithub.com/hashicorp/consul/issues/14619)] - checks: If set, use proxy address for automatically added sidecar check instead of service address. \[[GH-14433](https://togithub.com/hashicorp/consul/issues/14433)] - cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together \[[GH-13493](https://togithub.com/hashicorp/consul/issues/13493)] - connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. \[[GH-15186](https://togithub.com/hashicorp/consul/issues/15186)] - connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. \[[GH-15083](https://togithub.com/hashicorp/consul/issues/15083)] - connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. \[[GH-15320](https://togithub.com/hashicorp/consul/issues/15320)] - debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters \[[GH-15155](https://togithub.com/hashicorp/consul/issues/15155)] - deps: update go-memdb, fixing goroutine leak \[[GH-15010](https://togithub.com/hashicorp/consul/issues/15010)] \[[GH-15068](https://togithub.com/hashicorp/consul/issues/15068)] - grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response. \[[GH-14869](https://togithub.com/hashicorp/consul/issues/14869)] - metrics: Add duplicate metrics that have only a single "consul\_" prefix for all existing metrics with double ("consul_consul\_") prefix, with the intent to standardize on single prefixes. \[[GH-14475](https://togithub.com/hashicorp/consul/issues/14475)] - namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter - peering: Fix a bug that resulted in /v1/agent/metrics returning an error. \[[GH-15178](https://togithub.com/hashicorp/consul/issues/15178)] - peering: fix nil pointer in calling handleUpdateService \[[GH-15160](https://togithub.com/hashicorp/consul/issues/15160)] - peering: fix the error of wan address isn't taken by the peering token. \[[GH-15065](https://togithub.com/hashicorp/consul/issues/15065)] - peering: when wan address is set, peering stream should use the wan address. \[[GH-15108](https://togithub.com/hashicorp/consul/issues/15108)] - proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. \[[GH-15272](https://togithub.com/hashicorp/consul/issues/15272)] - server: fix goroutine/memory leaks in the xDS subsystem (these were present regardless of whether or not xDS was in-use) \[[GH-14916](https://togithub.com/hashicorp/consul/issues/14916)] - server: fixes the error trying to source proxy configuration for http checks, in case of proxies using consul-dataplane. \[[GH-14924](https://togithub.com/hashicorp/consul/issues/14924)] - xds: Central service configuration (proxy-defaults and service-defaults) is now correctly applied to Consul Dataplane proxies \[[GH-14962](https://togithub.com/hashicorp/consul/issues/14962)] NOTES: - deps: Upgrade to use Go 1.19.2 \[[GH-15090](https://togithub.com/hashicorp/consul/issues/15090)] ### [`v1.13.9`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.9) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.8...v1.13.9) #### 1.13.9 (June 26, 2023) BREAKING CHANGES: - connect: Disable peering by default in connect proxies for Consul 1.13. This change was made to prevent inefficient polling queries from having a negative impact on server performance. Peering in Consul 1.13 is an experimental feature and is not recommended for use in production environments. If you still wish to use the experimental peering feature, ensure [`peering.enabled = true`](https://developer.hashicorp.com/consul/docs/v1.13.x/agent/config/config-files#peering_enabled) is set on all clients and servers. \[[GH-17731](https://togithub.com/hashicorp/consul/issues/17731)] SECURITY: - Update to UBI base image to 9.2. \[[GH-17513](https://togithub.com/hashicorp/consul/issues/17513)] FEATURES: - server: (Enterprise Only) allow automatic license utilization reporting. \[[GH-5102](https://togithub.com/hashicorp/consul/issues/5102)] IMPROVEMENTS: - debug: change default setting of consul debug command. now default duration is 5ms and default log level is 'TRACE' \[[GH-17596](https://togithub.com/hashicorp/consul/issues/17596)] - systemd: set service type to notify. \[[GH-16845](https://togithub.com/hashicorp/consul/issues/16845)] BUG FIXES: - cache: fix a few minor goroutine leaks in leaf certs and the agent cache \[[GH-17636](https://togithub.com/hashicorp/consul/issues/17636)] - namespaces: (Enterprise only) fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions. Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints. - namespaces: adjusts the return type from HTTP list API to return the `api` module representation of a namespace. This fixes an error with the `consul namespace list` command when a namespace has a deferred deletion timestamp. - peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. \[[GH-17483](https://togithub.com/hashicorp/consul/issues/17483)] ### [`v1.13.8`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.8) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.7...v1.13.8) #### 1.13.8 (May 16, 2023) SECURITY: - Upgrade to use Go 1.20.1. This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`. \[[GH-16263](https://togithub.com/hashicorp/consul/issues/16263)] - Upgrade to use Go 1.20.4. This resolves vulnerabilities [CVE-2023-24537](https://togithub.com/advisories/GHSA-9f7g-gqwh-jpf5)(`go/scanner`), [CVE-2023-24538](https://togithub.com/advisories/GHSA-v4m2-x4rp-hv22)(`html/template`), [CVE-2023-24534](https://togithub.com/advisories/GHSA-8v5j-pwr7-w5f8)(`net/textproto`) and [CVE-2023-24536](https://togithub.com/advisories/GHSA-9f7g-gqwh-jpf5)(`mime/multipart`). Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs [CVE-2022-41721](https://togithub.com/advisories/GHSA-fxg5-wq6x-vr4w), [CVE-2022-27664](https://togithub.com/advisories/GHSA-69cg-p879-7622) and [CVE-2022-41723](https://togithub.com/advisories/GHSA-vvpx-j8f3-3w6h.) \[[GH-17240](https://togithub.com/hashicorp/consul/issues/17240)] IMPROVEMENTS: - api: updated the go module directive to 1.18. \[[GH-15297](https://togithub.com/hashicorp/consul/issues/15297)] - connect: update supported envoy versions to 1.20.7, 1.21.6, 1.22.11, 1.23.8 \[[GH-16891](https://togithub.com/hashicorp/consul/issues/16891)] - sdk: updated the go module directive to 1.18. \[[GH-15297](https://togithub.com/hashicorp/consul/issues/15297)] BUG FIXES: - Fix an bug where decoding some Config structs with unset pointer fields could fail with `reflect: call of reflect.Value.Type on zero Value`. \[[GH-17048](https://togithub.com/hashicorp/consul/issues/17048)] - audit-logging: (Enterprise only) Fix a bug where `/agent/monitor` and `/agent/metrics` endpoints return a `Streaming not supported` error when audit logs are enabled. This also fixes the delay receiving logs when running `consul monitor` against an agent with audit logs enabled. \[[GH-16700](https://togithub.com/hashicorp/consul/issues/16700)] - ca: Fixes a bug where updating Vault CA Provider config would cause TLS issues in the service mesh \[[GH-16592](https://togithub.com/hashicorp/consul/issues/16592)] - connect: Fix multiple inefficient behaviors when querying service health. \[[GH-17241](https://togithub.com/hashicorp/consul/issues/17241)] - grpc: ensure grpc resolver correctly uses lan/wan addresses on servers \[[GH-17270](https://togithub.com/hashicorp/consul/issues/17270)] - peering: Fixes a bug that can lead to peering service deletes impacting the state of local services \[[GH-16570](https://togithub.com/hashicorp/consul/issues/16570)] - xds: Fix possible panic that can when generating clusters before the root certificates have been fetched. \[[GH-17185](https://togithub.com/hashicorp/consul/issues/17185)] ### [`v1.13.7`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.7) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.6...v1.13.7) #### 1.13.7 (March 7, 2023) SECURITY: - Upgrade to use Go 1.19.6. This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`. \[[GH-16299](https://togithub.com/hashicorp/consul/issues/16299)] IMPROVEMENTS: - xds: Removed a bottleneck in Envoy config generation. \[[GH-16269](https://togithub.com/hashicorp/consul/issues/16269)] - container: Upgrade container image to use to Alpine 3.17. \[[GH-16358](https://togithub.com/hashicorp/consul/issues/16358)] - mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable \[[GH-16495](https://togithub.com/hashicorp/consul/issues/16495)] BUG FIXES: - mesh: Fix resolution of service resolvers with subsets for external upstreams \[[GH-16499](https://togithub.com/hashicorp/consul/issues/16499)] - proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services \[[GH-16498](https://togithub.com/hashicorp/consul/issues/16498)] ### [`v1.13.6`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.6) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.5...v1.13.6) #### 1.13.6 (January 26, 2023) FEATURES: - connect: add flags `envoy-ready-bind-port` and `envoy-ready-bind-address` to the `consul connect envoy` command that allows configuration of readiness probe on proxy for any service kind. \[[GH-16015](https://togithub.com/hashicorp/consul/issues/16015)] - deps: update to latest go-discover to provide ECS auto-discover capabilities. \[[GH-13782](https://togithub.com/hashicorp/consul/issues/13782)] IMPROVEMENTS: - grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. \[[GH-15701](https://togithub.com/hashicorp/consul/issues/15701)] - partition: (Consul Enterprise only) when loading service from on-disk config file or sending API request to agent endpoint, if the partition is unspecified, consul will default the partition in the request to agent's partition \[[GH-16024](https://togithub.com/hashicorp/consul/issues/16024)] BUG FIXES: - agent: Fix assignment of error when auto-reloading cert and key file changes. \[[GH-15769](https://togithub.com/hashicorp/consul/issues/15769)] ### [`v1.13.5`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.5) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.4...v1.13.5) #### 1.13.5 (December 13, 2022) SECURITY: - Upgrade to use Go 1.18.9. This resolves a vulnerability where restricted files can be read on Windows. [CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720) \[[GH-15706](https://togithub.com/hashicorp/consul/issues/15706)] - Upgrades `golang.org/x/net` to prevent a denial of service by excessive memory usage caused by HTTP2 requests. [CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717) \[[GH-15743](https://togithub.com/hashicorp/consul/issues/15743)] IMPROVEMENTS: - connect: ensure all vault connect CA tests use limited privilege tokens \[[GH-15669](https://togithub.com/hashicorp/consul/issues/15669)] BUG FIXES: - agent: (Enterprise Only) Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions. - cli: (Enterprise Only) Fix issue where `consul partition update` subcommand was not registered and therefore not available through the cli. - connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs \[[GH-15661](https://togithub.com/hashicorp/consul/issues/15661)] ### [`v1.13.4`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.4) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.3...v1.13.4) #### 1.13.4 (November 30, 2022) IMPROVEMENTS: - auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. \[[GH-15370](https://togithub.com/hashicorp/consul/issues/15370)] - raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] - raft: Fix a race condition where the snapshot file is closed without being opened \[[GH-14897](https://togithub.com/hashicorp/consul/issues/14897)] BUG FIXES: - agent: Fixed issue where blocking queries with short waits could timeout on the client \[[GH-15541](https://togithub.com/hashicorp/consul/issues/15541)] - ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty \[[GH-15525](https://togithub.com/hashicorp/consul/issues/15525)] - connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs \[[GH-15217](https://togithub.com/hashicorp/consul/issues/15217)] \[[GH-15253](https://togithub.com/hashicorp/consul/issues/15253)] - connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. \[[GH-15083](https://togithub.com/hashicorp/consul/issues/15083)] - connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. \[[GH-15320](https://togithub.com/hashicorp/consul/issues/15320)] - debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters \[[GH-15155](https://togithub.com/hashicorp/consul/issues/15155)] - deps: update go-memdb, fixing goroutine leak \[[GH-15010](https://togithub.com/hashicorp/consul/issues/15010)] \[[GH-15068](https://togithub.com/hashicorp/consul/issues/15068)] - namespace: (Enterprise Only) Fix a bug that caused blocking queries during namespace replication to timeout - namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter - peering: better represent non-passing states during peer check flattening \[[GH-15615](https://togithub.com/hashicorp/consul/issues/15615)] - peering: fix the error of wan address isn't taken by the peering token. \[[GH-15065](https://togithub.com/hashicorp/consul/issues/15065)] - peering: when wan address is set, peering stream should use the wan address. \[[GH-15108](https://togithub.com/hashicorp/consul/issues/15108)] ### [`v1.13.3`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.3) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.2...v1.13.3) #### 1.13.3 (October 19, 2022) FEATURES: - agent: Added a new config option `rpc_client_timeout` to tune timeouts for client RPC requests \[[GH-14965](https://togithub.com/hashicorp/consul/issues/14965)] - config-entry(ingress-gateway): Added support for `max_connections` for upstream clusters \[[GH-14749](https://togithub.com/hashicorp/consul/issues/14749)] IMPROVEMENTS: - connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider. \[[GH-15035](https://togithub.com/hashicorp/consul/issues/15035)] - connect: Added gateway options to Envoy proxy config for enabling tcp keepalives on terminating gateway upstreams and mesh gateways in remote datacenters. \[[GH-14800](https://togithub.com/hashicorp/consul/issues/14800)] - connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 \[[GH-14828](https://togithub.com/hashicorp/consul/issues/14828)] - licensing: (Enterprise Only) Consul Enterprise production licenses do not degrade or terminate Consul upon expiration. They will only fail when trying to upgrade to a newer version of Consul. Evaluation licenses still terminate. \[[GH-1990](https://togithub.com/hashicorp/consul/issues/1990)] BUG FIXES: - agent: avoid leaking the alias check runner goroutine when the check is de-registered \[[GH-14935](https://togithub.com/hashicorp/consul/issues/14935)] - ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one \[[GH-15005](https://togithub.com/hashicorp/consul/issues/15005)] - cache: prevent goroutine leak in agent cache \[[GH-14908](https://togithub.com/hashicorp/consul/issues/14908)] - checks: Fixed a bug that prevented registration of UDP health checks from agent configuration files, such as service definition files with embedded health check definitions. \[[GH-14885](https://togithub.com/hashicorp/consul/issues/14885)] - connect: Fixed a bug where transparent proxy does not correctly spawn listeners for upstreams to service-resolvers. \[[GH-14751](https://togithub.com/hashicorp/consul/issues/14751)] - snapshot-agent: (Enterprise only) Fix a bug when a session is not found in Consul, which leads the agent to panic. ### [`v1.13.2`](https://togithub.com/hashicorp/consul/releases/tag/v1.13.2) [Compare Source](https://togithub.com/hashicorp/consul/compare/v1.13.1...v1.13.2) #### 1.13.2 (September 20, 2022) SECURITY: - auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. \[[GH-14577](https://togithub.com/hashicorp/consul/issues/14577)] - connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint now only allows for exactly one SAN URI to be specified. \[[GH-14579](https://togithub.com/hashicorp/consul/issues/14579)] FEATURES: - cli: Adds new subcommands for `peering` workflows. Refer to the [CLI docs](https://www.consul.io/commands/peering) for more information. \[[GH-14423](https://togithub.com/hashicorp/consul/issues/14423)] - connect: Server address changes are streamed to peers \[[GH-14285](https://togithub.com/hashicorp/consul/issues/14285)] - service-defaults: Added support for `local_request_timeout_ms` and `local_connect_timeout_ms` in servicedefaults config entry \[[GH-14395](https://togithub.com/hashicorp/consul/issues/14395)] IMPROVEMENTS: - connect: Bump latest Envoy to 1.23.1 in test matrix \[[GH-14573](https://togithub.com/hashicorp/consul/issues/14573)] - connect: expose new tracing configuration on envoy \[[GH-13998](https://togithub.com/hashicorp/consul/issues/13998)] - envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. \[[GH-14238](https://togithub.com/hashicorp/consul/issues/14238)] - metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics \[[GH-14161](https://togithub.com/hashicorp/consul/issues/14161)] - peering: Validate peering tokens for server name conflicts \[[GH-14563](https://togithub.com/hashicorp/consul/issues/14563)] - snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend. - ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ \[[GH-14521](https://togithub.com/hashicorp/consul/issues/14521)] BUG FIXES: - agent: Fixes an issue where an agent that fails to start due to bad addresses won't clean up any existing liste </details> --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xOS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
Karsten Jeschkies	9fcc42dc48	Support protobuf `QueryRequest` in querier. (#10858 ) What this PR does / why we need it: This is one step to support pure protobuf encoding without `httpgrpc`. It is only on the scheduler and is fully backwards compatible. Which issue(s) this PR fixes: This is a sub change of https://github.com/grafana/loki/pull/10688 Checklist - [ ] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [ ] Documentation added - [x] Tests updated - [ ] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [ ] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`) --------- Signed-off-by: Kaviraj <kavirajkanagaraj@gmail.com> Co-authored-by: Kaviraj <kavirajkanagaraj@gmail.com> Co-authored-by: Danny Kopping <dannykopping@gmail.com>	2 years ago
Karsten Jeschkies	b01e830cde	Update dskit to 7b512eb. (#10927 ) What this PR does / why we need it: This is a small update to dskit that includes https://github.com/grafana/dskit/pull/406 which will allow us to intercept gRPC request in call clients. Checklist - [ ] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [ ] Documentation added - [ ] Tests updated - [ ] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [ ] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`) --------- Co-authored-by: Michel Hollands <42814411+MichelHollands@users.noreply.github.com>	2 years ago
renovate[bot]	d27c4d297d	fix(deps): update github.com/grafana/loki/pkg/push digest to `cfc4f0e` (main) (#10946 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/grafana/loki/pkg/push](https://togithub.com/grafana/loki) \| require \| digest \| `695c5b0` -> `cfc4f0e` \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xOS4yIiwidXBkYXRlZEluVmVyIjoiMzcuMTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	abc4ee29c0	chore(deps): update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.44.0 [security] (main) (#10917 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://togithub.com/open-telemetry/opentelemetry-go-contrib) \| indirect \| minor \| `v0.42.0` -> `v0.44.0` \| ### GitHub Vulnerability Alerts #### [CVE-2023-45142](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh) ### Summary OpenTelemetry-Go Contrib has a [handler wrapper `otelhttp`](`5f7e6ad5a4/instrumentation/net/http/otelhttp/handler.go (L63-L65)`) that adds the following labels by deafult that have unbound cardinality: - `http.user_agent` - `http.method` This leads to the server's potential memory exhaustion when many malicious requests are sent to it. ### Details HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses [httpconv.ServerRequest](https://togithub.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159) that records every value for HTTP [method](`38e1b499c3/semconv/internal/v2/http.go (L204)`) and [User-Agent](`38e1b499c3/semconv/internal/v2/http.go (L223)`). [This pull request](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277) released with version 0.44.0 dixes this vulnerability The values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. ### Impact In order to be affected program has to use [otelhttp.NewHandler](`5f7e6ad5a4/instrumentation/net/http/otelhttp/handler.go (L63-L65)`) wrapper and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. ### Others This vulnerability is similar but different from these known vulnerabilities: - https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh ([open-telemetry/opentelemetry-go-contrib](https://togithub.com/open-telemetry/opentelemetry-go-contrib)) - https://github.com/advisories/GHSA-cg3q-j54f-5p7p ([prometheus/client_golang](https://togithub.com/prometheus/client_golang)) ### Workaround for affected versions As a workaround, [otelhttp.WithFilter()](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/filters) can be used instead, but it requires manual careful configuration to not log certain requests entirely. --- ### Memory exhaustion in github.com/open-telemetry/opentelemetry-go-contrib [CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) / [GHSA-rcjv-mgp8-qvmr](https://togithub.com/advisories/GHSA-rcjv-mgp8-qvmr) / [GO-2023-2113](https://pkg.go.dev/vuln/GO-2023-2113) <details> <summary>More information</summary> #### Details Memory exhaustion in github.com/open-telemetry/opentelemetry-go-contrib #### Severity Unknown #### References - [https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr) - [https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-2113) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)). </details> --- ### OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics [CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) / [GHSA-rcjv-mgp8-qvmr](https://togithub.com/advisories/GHSA-rcjv-mgp8-qvmr) <details> <summary>More information</summary> #### Details ##### Summary OpenTelemetry-Go Contrib has a [handler wrapper `otelhttp`](`5f7e6ad5a4/instrumentation/net/http/otelhttp/handler.go (L63-L65)`) that adds the following labels by deafult that have unbound cardinality: - `http.user_agent` - `http.method` This leads to the server's potential memory exhaustion when many malicious requests are sent to it. ##### Details HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses [httpconv.ServerRequest](https://togithub.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159) that records every value for HTTP [method](`38e1b499c3/semconv/internal/v2/http.go (L204)`) and [User-Agent](`38e1b499c3/semconv/internal/v2/http.go (L223)`). [This pull request](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277) released with version 0.44.0 dixes this vulnerability The values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. ##### Impact In order to be affected program has to use [otelhttp.NewHandler](`5f7e6ad5a4/instrumentation/net/http/otelhttp/handler.go (L63-L65)`) wrapper and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. ##### Others This vulnerability is similar but different from these known vulnerabilities: - https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh ([open-telemetry/opentelemetry-go-contrib](https://togithub.com/open-telemetry/opentelemetry-go-contrib)) - https://github.com/advisories/GHSA-cg3q-j54f-5p7p ([prometheus/client_golang](https://togithub.com/prometheus/client_golang)) ##### Workaround for affected versions As a workaround, [otelhttp.WithFilter()](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/filters) can be used instead, but it requires manual careful configuration to not log certain requests entirely. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh) - [https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr) - [https://nvd.nist.gov/vuln/detail/CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) - [https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277) - [https://github.com/advisories/GHSA-cg3q-j54f-5p7p](https://togithub.com/advisories/GHSA-cg3q-j54f-5p7p) - [https://github.com/open-telemetry/opentelemetry-go-contrib](https://togithub.com/open-telemetry/opentelemetry-go-contrib) - [`5f7e6ad5a4/instrumentation/net/http/otelhttp/handler.go (L63-L65)`) - [https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0](https://togithub.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0) - [`38e1b499c3/semconv/internal/v2/http.go (L223)`) - [https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159](https://togithub.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-rcjv-mgp8-qvmr) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xOS4yIiwidXBkYXRlZEluVmVyIjoiMzcuMTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	02d9418270	fix(deps): update github.com/grafana/loki/pkg/push digest to `583aa28` (main) (#10842 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/grafana/loki/pkg/push](https://togithub.com/grafana/loki) \| require \| digest \| `571f88b` -> `583aa28` \| --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy44LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
renovate[bot]	3dc9ebc4a3	chore(deps): update github.com/grafana/regexp digest to 6b5c0a4 (main) (#10819 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/grafana/regexp](https://togithub.com/grafana/regexp) \| replace \| digest \| `b4c2bcb` -> `6b5c0a4` \| --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xOS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2 years ago
Owen Diehl	f861068df4	moves boomfilters lib into loki (#10898 ) In an effort to speed up development, this moves a subset of [my fork](https://github.com/owen-d/BoomFilters) of the https://github.com/tylertreat/BoomFilters library into loki itself. I've done my best to preserve original license headers/etc.	2 years ago
Ashwanth	b2bfe53e35	upgrade golang.org/x/net@v0.17.0 (#10872 ) What this PR does / why we need it: CVE-2023-39325 is fixed with golang.org/x/net@v0.17.0 ``` ❯ trivy i grafana/loki:main-98551ce-amd64 ──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤ │ golang.org/x/net │ CVE-2023-39325 │ MEDIUM │ fixed │ v0.13.0 │ 0.17.0 │ rapid stream resets can cause excessive work │ │ │ │ │ │ │ │ (CVE-2023-44487) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39325 │ └──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘ ``` Which issue(s) this PR fixes: Fixes #<issue number> Special notes for your reviewer: Checklist - [ ] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [ ] Documentation added - [ ] Tests updated - [ ] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [ ] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`)	2 years ago
Ashwanth	98551ceb9a	use go 1.21.3 and go-grpc v1.56.3 (#10869 ) What this PR does / why we need it: Fixes CVE-2023-39325 / CVE-2023-44487 https://github.com/grpc/grpc-go/releases/tag/v1.56.3 Which issue(s) this PR fixes: Fixes #<issue number> Special notes for your reviewer: Checklist - [ ] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [ ] Documentation added - [ ] Tests updated - [ ] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [ ] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`)	2 years ago
Arve Knudsen	489ca25bab	Upgrade to Prometheus@4b9c19fe5510 (#10843 ) What this PR does / why we need it: Upgrade to Prometheus@4b9c19fe5510. Since also golang.org/x/exp gets upgraded, calls to e.g. `slices.SortFunc` need updating (due to changed comparison function signature). I'm not aware of any functional changes from Prometheus (or otherwise), but please review carefully. Special notes for your reviewer: The Mimir team needs for Loki to be compatible with the latest Prometheus, so we can vendor mimir-prometheus@main into GEM. Checklist - [x] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [na] Documentation added - [x] Tests updated - [na] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [na] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [na] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	2 years ago
Shantanu Alshi	183d6f2c39	Upgrade prometheus to 0.47.1 and dskit (#10814 )	2 years ago
Vladyslav Diachenko	b31ed050ae	Bloom Client (#10697 ) Implemented BloomClient that allows : 1. fetch all meta.json files that satisfy the search criteria 2. upload meta.json 3. delete meta.json 4. fetch bloom blocks in bulk 5. upload bloom blocks in bulk 6. delete bloom blocks in bulk Bloom shipper was extracted to a separate PR https://github.com/grafana/loki/pull/10806 --------- Signed-off-by: Vladyslav Diachenko <vlad.diachenko@grafana.com>	2 years ago
Owen Diehl	c405db4317	Format + Library for building bloom filter "blocks" from chunks (#10780 ) This PR introduces both a binary format for bloom filter "blocks" and a library for building/querying them. Each "block" consists of two files: 1) `Index`. This is a list of individually compressed pages of stream+chunk information sorted in ascending fingerprint order. Each series lists both the chunks indexed in the bloom filters as well as the relevant offsets for said series in the bloom file. 2) `Blooms`. This is a list of individually compressed pages of bloom filters for each series, again sorted in ascending fingerprint order. There is still more work to do, but I'm opening this PR as an initial pass.	2 years ago
Paschalis Tsilias	07cbef9226	Update Prometheus dependency to v2.46.0 (#10777 ) This PR updates the Prometheus dependency to v2.46.0. We need this to update the Agent to use Prometheus' Native Histograms after some bug fixes in the latest version. I bumped the version in go.mod, ran `go mod tidy && go mod vendor` and fixed compilation issues. Special notes for your reviewer: The only changes needed to have `make all` successfully compile was to use the new `wlog.NewSize` to use wlog.CompressionNone (instead of false), and wlog.CompressionSnappy (the default, instead of true), as well as add a new argument to the textparse.New constructor to work as it did without scraping native histograms via protobuf. I don't think there are any other user-facing changes or changes related to Loki. --------- Signed-off-by: Paschalis Tsilias <paschalis.tsilias@grafana.com>	2 years ago
Roel Arents	5fb1cdb5dd	azure: add connection-string (#10187 ) What this PR does / why we need it: Adds a connection-string option to the azure blob storage config. So the [Azurite](https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azurite) emulator can be used in local test environments (my use case). But also to support the use of a SAS token. See the (future) addition of this option to the Thanos object storage client: https://github.com/thanos-io/objstore/pull/51 Which issue(s) this PR fixes: n/a Special notes for your reviewer: https://github.com/thanos-io/objstore/pull/51 isn't merged yet. But I'm already creating this PR to see what others think. Checklist - [x] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [x] Documentation added - [x] Tests updated - [x] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [x] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`)	2 years ago
Karsten Jeschkies	b9c9394dc1	Define sketches for quantiles. (#10659 )	2 years ago
Owen Diehl	02ae366451	tool for building bloom filters from log contents (#10594 ) This adds a tool which builds scalable bloom filters from the contents of logs themselves & records metrics. --------- Signed-off-by: Owen Diehl <ow.diehl@gmail.com>	2 years ago
Shantanu Alshi	97d52d948d	Upgrade thanos objstore (#10451 )	2 years ago
Nick Pillitteri	a41aee83a4	Update to latest dskit version for SpanLogger changes (#10423 ) What this PR does / why we need it: In particular, dskit has changed the SpanLogger struct such that all fields are unexported. This updates Loki to work with the new version while preserving the existing Loki behavior. Which issue(s) this PR fixes: N/A Special notes for your reviewer: Required for Mimir vendor update job in `backend-enterprise` because Reasons. Checklist - [ ] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (required) - [ ] Documentation added - [ ] Tests updated - [ ] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [ ] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](`d10549e3ec`) --------- Signed-off-by: Nick Pillitteri <nick.pillitteri@grafana.com>	2 years ago

... 2 3 4 5 6 ...

500 Commits (be24862f53fb44616662c924b7ef6d237297606c)