v6.7.14
LaunchDarklyReleaseBot released this 26 Oct 20:06 · 20 commits to v6 since this release
[6.7.14] - 2022-10-26
This is a security patch release.
Fixed:
- Updated Go runtime version in the Docker image to 1.19.2, to address multiple vulnerability reports in Go 1.17.x and 1.18.x. (#205)
- Updated Consul API module version as a workaround for a false-positive report of CVE-2022-40716. (#205)
- Removed a transitive dependency on AWS SDK v1, which was causing vulnerability reports for CVE-2020-8911 and CVE-2020-8912; in practice, this functionality was never being used by the Relay Proxy. (#204)
- Enforce a minimum TLS version of 1.2 when connecting to a secure Redis instance.
- In offline mode, added a check to prevent a maliciously crafted archive file from causing file data to be written outside of the directory where the archive is being expanded.
- Minor code changes to avoid using the deprecated `ioutil` package.
- CI tests now include Go 1.18 and 1.19.