@ -74,7 +74,7 @@ non-default options that potentially present additional security risks.
be `false` otherwise, even with ACLs configured, script checks present a |
remote code execution threat. |
[`enable_local_script_checks`](/docs/agent/options.html#_enable_local_script_checks) |
provides a secure alterative if the HTTP API must be exposed and is available |
provides a secure alternative if the HTTP API must be exposed and is available |
from 1.3.0 on. This feature was also back-ported to patch releases 0.9.4, |
1.1.1, and 1.2.4 [as described here](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations). |
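Review bot: the typo fix on the `enable_local_script_checks` line is correct, but while this sentence is being touched, the link text "as described here" at the end of the hunk is non-descriptive; consider naming the target, e.g. "[in the HashiCorp blog post on protecting Consul from RCE risk in specific configurations](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations)", so the reference reads sensibly in screen readers and in the rendered docs without following it.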
@ -88,7 +88,7 @@ non-default options that potentially present additional security risks.
* **Verify Server Hostname Used Alone.** From version 0.5.1 to 1.4.0 we documented that |
`verify_server_hostname` being `true` _implied_ `verify_outgoing` however due |
to a bug this was not the case so setting _only_ `verify_server_hostname` |
results in plaintext communciation between client and server. See |
results in plaintext communication between client and server. See |
[CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) |
for more details. This is fixed in 1.4.1. |
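Review bot: the spelling fix on the "plaintext communication" line is fine, but the surrounding sentence in this hunk is a run-on that makes the security point harder to read; suggest punctuating it as "...being `true` _implied_ `verify_outgoing`; however, due to a bug this was not the case, so setting _only_ `verify_server_hostname` results in plaintext communication between client and server." The CVE reference and the "fixed in 1.4.1" statement in the trailing context lines are consistent with the version range (0.5.1 to 1.4.0) given at the start of the bullet.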