The Wire ยท Showcase
HASHICORP PATCHES MARKDOWN DOS, SHIPS API GATEWAY AUTH CONTROLS
By RepoJournal ยท Filed ยท About HashiCorp
Consul-K8s locked down a remote denial-of-service vulnerability in Markdown while simultaneously shipping external authorization support to the API Gateway.
The security fix [1] upgraded Markdown from 3.3.7 to 3.8.1 to patch CVE-2025-69534, an uncaught AssertionError that crashes processors parsing malformed HTML input from untrusted sources. MkDocs rode along from 1.4.3 to 1.6.1 because older versions pinned incompatible Markdown versions. This is a ship-now patch for anything running the vendored gateway-api 0.7.1 docs toolchain. On the feature side, Consul-K8s merged external authorization (`ext_authz`) support for the API Gateway [2], adding a new `RouteAuthFilter` CRD that lets operators override gateway-wide auth policies on a per-route basis. A companion PR [3] enables the `RouteExtProc` CRD for Consul Enterprise, expanding the authorization chain to multi-port configurations. Homebrew tap saw five routine version bumps across the estate: Boundary Enterprise 1.0.1, Consul Terraform Sync 0.9.1, Dataplane 2.0.2, envconsul 0.14.0, and Consul ESM 0.11.0 [4][5][6][7][8]. In the Packer universe, the team dropped an unmaintained cryptography dependency by upgrading go-github from v33 to v75 [9], eliminating GO-2026-5932 in `golang.org/x/crypto/openpgp` which has no patch available and was only pulled in transitively. Packer-plugin-amazon released 1.8.2 to stabilize crypto version conflicts [10], though a follow-up PR nudged x/crypto to 0.54.0 [11] after discovering compatibility issues with the initial downgrade.
Action items
- โ Apply Markdown security patch to Consul-K8s gateway-api 0.7.1 docs pipeline immediately hashicorp/consul-k8s [immediate]
- โ Upgrade go-github to v75 in Packer to eliminate openpgp security debt hashicorp/packer [plan]
- โ Review ext_authz API Gateway feature for your Consul Enterprise deployments hashicorp/consul-k8s [monitor]
- โ Stage Packer-plugin-amazon 1.8.2 for next build pipeline sync hashicorp/packer-plugin-amazon [plan]
References
- [1] security: upgrade Python deps in gateway-api 0.7.1 module (4 advisories) (#5473) hashicorp/consul-k8s
- [2] ext_authz support for api-gateway (#5444) hashicorp/consul-k8s
- [3] Enabling routeextproc crd and addition of it to httproutes โ hashicorp/consul-k8s
- [4] Bump boundary-enterprise to 1.0.1+ent hashicorp/homebrew-tap
- [5] Bump consul-terraform-sync to 0.9.1 hashicorp/homebrew-tap
- [6] Bump consul-dataplane to 2.0.2 hashicorp/homebrew-tap
- [7] Bump envconsul to 0.14.0 hashicorp/homebrew-tap
- [8] Bump consul-esm to 0.11.0 hashicorp/homebrew-tap
- [9] security: drop x/crypto/openpgp by upgrading go-github v33 -> v75 (#13676) hashicorp/packer
- [10] release: update version to 1.8.2 and remove prerelease tag (#690) hashicorp/packer-plugin-amazon
- [11] ADDED THE 0.54.0 crypto version (#692) hashicorp/packer-plugin-amazon