From 2ee9e85cc66cd8da785ea7fd3261021ed6af3849 Mon Sep 17 00:00:00 2001 From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com> Date: Wed, 3 Jan 2024 17:25:37 -0500 Subject: [PATCH] docs: Update release notes with fixes (#4192) (#4211) * docs: Update release notes with fixes * docs: Add note re fix in HCP/ENT * docs: Update version numbers * Update website/content/docs/release-notes/v0_14_0.mdx --------- Co-authored-by: Robin Beck --- .../content/docs/release-notes/v0_13_0.mdx | 11 +++++++ .../content/docs/release-notes/v0_14_0.mdx | 33 +++++++++++++++++-- 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/website/content/docs/release-notes/v0_13_0.mdx b/website/content/docs/release-notes/v0_13_0.mdx index ec419eda77..6b609f6f82 100644 --- a/website/content/docs/release-notes/v0_13_0.mdx +++ b/website/content/docs/release-notes/v0_13_0.mdx @@ -35,6 +35,17 @@ Boundary Enterprise has the same feature set as HCP Boundary and seamless migrat For more information, refer to [Boundary Enterprise](/boundary/docs/enterprise). + + +The version of Go that was used in Boundary Enterprise release 0.13.0 contained CVE-2023-39326. +Refer to the [advisory](https://github.com/advisories/GHSA-9f76-wg39-x86h) for more information. +The issue was fixed in Go versions 1.21.5. Boundary was updated to use the new Go versions in Boundary Enterprise release 0.13.5. +You should [upgrade Boundary](/boundary/tutorials/self-managed-deployment/upgrade-version) to version 0.13.5 or later. + +Community users should upgrade to version 0.14.3 or later. + + + **SSH session recording HCP/ENT**: A fundamental challenge of securing access to sensitive computing resources is creating a system of record around users' access and actions over remote sessions. This release introduces session recording to help you address your compliance and threat management needs. 
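Review bot: The added v0_13_0.mdx note uses the plural where it names a single release: "The issue was fixed in Go versions 1.21.5" and "Boundary was updated to use the new Go versions" should read "Go version 1.21.5" and "the new Go version" (the sibling v0_14_0.mdx entry in this patch already uses the singular). It would also help the reader to say in the first sentence which component this note covers, e.g. "Boundary Enterprise release 0.13.0 (and HCP Boundary)", since the closing line addresses community users separately and the heading context only mentions Boundary Enterprise.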
diff --git a/website/content/docs/release-notes/v0_14_0.mdx b/website/content/docs/release-notes/v0_14_0.mdx index e05773be22..31e45c0374 100644 --- a/website/content/docs/release-notes/v0_14_0.mdx +++ b/website/content/docs/release-notes/v0_14_0.mdx @@ -187,13 +187,40 @@ description: |- (Fixed in 0.14.1) - Go CVE-2023-39325 + Go CVE-2023-39325 and Go CVE-2023-39326 - The version of Go that was used in Boundary release 0.14.0 contained a CVE. The issue was fixed in Go versions 1.21.3 and 1.20. Boundary was updated to use the new Go versions in release 0.14.1, and the issue is resolved. + The version of Go that was used in Boundary release 0.14.0 contained security vulnerabilities. The vulnerabilities were fixed in Go version 1.21.3. Boundary was updated to use the new Go version in release 0.14.1, and the issue is resolved.

Learn more:  - HTTP/2 rapid reset can cause excessive work in net/http +

+ Go CVE-2023-39325: HTTP/2 rapid reset can cause excessive work in net/http +

+ Go CVE-2023-39326: A malicious HTTP sender can use chunk extensions +

+ Upgrade to the latest version of Boundary + + + + + + 0.14.0 +

+ (Fixed in 0.14.3 and 0.13.5 HCP/ENT) + + + Go CVE-2023-39322 and Go CVE-2022-45285 + + + The version of Go that was used in Boundary release 0.14.0 contained security vulnerabilities. The vulnerabilities were fixed in Go version 1.21.5. Boundary was updated to use the new Go version in release 0.14.3, and the issue is resolved. +

+ Note that version 0.13.5 of HCP Boundary and Boundary Enterprise was also updated to use the new Go version. +

+ Learn more:  +

+ Go CVE-2023-39322: QUIC connections do not set an upper bound on the amount of data buffered +

+ Go CVE-2022-45285: Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to insecure protocol

Upgrade to the latest version of Boundary
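Review bot: The "(Fixed in 0.14.1)" entry is changed to list Go CVE-2023-39326 as fixed by Go version 1.21.3, but the v0_13_0.mdx hunk in this same patch states that CVE-2023-39326 was fixed in Go 1.21.5 and picked up in Boundary Enterprise 0.13.5, with community users told to move to 0.14.3. These cannot both hold; since the new "(Fixed in 0.14.3 and 0.13.5 HCP/ENT)" entry is the one that credits Go 1.21.5, CVE-2023-39326 and its "chunk extensions" link most likely belong there, leaving the 0.14.1 entry with CVE-2023-39325 only (then restore "Go CVE-2023-39325" as that entry's heading and drop "and Go CVE-2023-39326"). In the 0.14.3 entry, "contained security vulnerabilities. ... and the issue is resolved" mixes plural and singular; suggest "and the issues are resolved".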